Class CrossOriginFilter
- All Implemented Interfaces:
javax.servlet.Filter
A typical example is to use this filter to allow cross-domain cometd communication using the standard long polling transport instead of the JSONP transport (that is less efficient and less reactive to failures).
This filter allows the following configuration parameters:
- allowedOrigins
- a comma separated list of origins that are
allowed to access the resources. Default value is *, meaning all
origins. Note that using wild cards can result in security problems
for requests identifying hosts that do not exist.
If an allowed origin contains one or more * characters (for example http://*.domain.com), then "*" characters are converted to ".*", "." characters are escaped to "\." and the resulting allowed origin interpreted as a regular expression.
Allowed origins can therefore be more complex expressions such as https?://*.domain.[a-z]{3} that matches http or https, multiple subdomains and any 3 letter top-level domain (.com, .net, .org, etc.).
- allowedTimingOrigins
- a comma separated list of origins that are
allowed to time the resource. Default value is the empty string, meaning
no origins.
The check whether the timing header is set, will be performed only if the user gets general access to the resource using the allowedOrigins.
- allowedMethods
- a comma separated list of HTTP methods that are allowed to be used when accessing the resources. Default value is GET,POST,HEAD
- allowedHeaders
- a comma separated list of HTTP headers that are allowed to be specified when accessing the resources. Default value is X-Requested-With,Content-Type,Accept,Origin. If the value is a single "*", this means that any headers will be accepted.
- preflightMaxAge
- the number of seconds that preflight requests can be cached by the client. Default value is 1800 seconds, or 30 minutes
- allowCredentials
- a boolean indicating if the resource allows requests with credentials. Default value is true
- exposedHeaders
- a comma separated list of HTTP headers that are allowed to be exposed on the client. Default value is the empty list
- chainPreflight
- if true preflight requests are chained to their target resource for normal handling (as an OPTION request). Otherwise the filter will response to the preflight. Default is true.
<web-app ...> ... <filter> <filter-name>cross-origin</filter-name> <filter-class>org.eclipse.jetty.ee8.servlets.CrossOriginFilter</filter-class> </filter> <filter-mapping> <filter-name>cross-origin</filter-name> <url-pattern>/cometd/*</url-pattern> </filter-mapping> ... </web-app>
-
Field Summary
FieldsModifier and TypeFieldDescriptionstatic final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
static final String
-
Constructor Summary
Constructors -
Method Summary
-
Field Details
-
ACCESS_CONTROL_REQUEST_METHOD_HEADER
- See Also:
-
ACCESS_CONTROL_REQUEST_HEADERS_HEADER
- See Also:
-
ACCESS_CONTROL_ALLOW_ORIGIN_HEADER
- See Also:
-
ACCESS_CONTROL_ALLOW_METHODS_HEADER
- See Also:
-
ACCESS_CONTROL_ALLOW_HEADERS_HEADER
- See Also:
-
ACCESS_CONTROL_MAX_AGE_HEADER
- See Also:
-
ACCESS_CONTROL_ALLOW_CREDENTIALS_HEADER
- See Also:
-
ACCESS_CONTROL_EXPOSE_HEADERS_HEADER
- See Also:
-
TIMING_ALLOW_ORIGIN_HEADER
- See Also:
-
ALLOWED_ORIGINS_PARAM
- See Also:
-
ALLOWED_TIMING_ORIGINS_PARAM
- See Also:
-
ALLOWED_METHODS_PARAM
- See Also:
-
ALLOWED_HEADERS_PARAM
- See Also:
-
PREFLIGHT_MAX_AGE_PARAM
- See Also:
-
ALLOW_CREDENTIALS_PARAM
- See Also:
-
EXPOSED_HEADERS_PARAM
- See Also:
-
OLD_CHAIN_PREFLIGHT_PARAM
- See Also:
-
CHAIN_PREFLIGHT_PARAM
- See Also:
-
-
Constructor Details
-
CrossOriginFilter
public CrossOriginFilter()
-
-
Method Details
-
init
public void init(javax.servlet.FilterConfig config) throws javax.servlet.ServletException - Specified by:
init
in interfacejavax.servlet.Filter
- Throws:
javax.servlet.ServletException
-
doFilter
public void doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) throws IOException, javax.servlet.ServletException - Specified by:
doFilter
in interfacejavax.servlet.Filter
- Throws:
IOException
javax.servlet.ServletException
-
isEnabled
protected boolean isEnabled(javax.servlet.http.HttpServletRequest request) -
destroy
public void destroy()- Specified by:
destroy
in interfacejavax.servlet.Filter
-