Class CrossOriginFilter

  • All Implemented Interfaces:
    javax.servlet.Filter

    public class CrossOriginFilter
    extends java.lang.Object
    implements javax.servlet.Filter
    Implementation of cross-origin resource sharing (CORS).

    A typical example is to use this filter to allow cross-domain cometd communication using the standard long polling transport instead of the JSONP transport (that is less efficient and less reactive to failures).

    This filter allows the following configuration parameters:

    allowedOrigins
    a comma-separated list of origins that are allowed to access the resources. Default value is *, meaning all origins. Note that using wildcards can result in security problems for requests identifying hosts that do not exist.

    If an allowed origin contains one or more * characters (for example http://*.domain.com), then "*" characters are converted to ".*", "." characters are escaped to "\." and the resulting allowed origin is interpreted as a regular expression.

    Allowed origins can therefore be more complex expressions such as https?://*.domain.[a-z]{3} that matches http or https, multiple subdomains and any 3 letter top-level domain (.com, .net, .org, etc.).

    allowedTimingOrigins
    a comma-separated list of origins that are allowed to time the resource. Default value is the empty string, meaning no origins.

    The check for whether the timing header is set is performed only if the user gets general access to the resource through allowedOrigins.

    allowedMethods
    a comma-separated list of HTTP methods that are allowed to be used when accessing the resources. Default value is GET,POST,HEAD.

    allowedHeaders
    a comma-separated list of HTTP headers that are allowed to be specified when accessing the resources. Default value is X-Requested-With,Content-Type,Accept,Origin. If the value is a single "*", any headers will be accepted.

    preflightMaxAge
    the number of seconds that preflight requests can be cached by the client. Default value is 1800 seconds, or 30 minutes.

    allowCredentials
    a boolean indicating whether the resource allows requests with credentials. Default value is true.

    exposedHeaders
    a comma-separated list of HTTP headers that are allowed to be exposed on the client. Default value is the empty list.

    chainPreflight
    if true, preflight requests are chained to their target resource for normal handling (as an OPTIONS request). Otherwise the filter will respond to the preflight. Default is true.

    A typical configuration could be:
     <web-app ...>
         ...
         <filter>
             <filter-name>cross-origin</filter-name>
             <filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
         </filter>
         <filter-mapping>
             <filter-name>cross-origin</filter-name>
             <url-pattern>/cometd/*</url-pattern>
         </filter-mapping>
         ...
     </web-app>
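
    The wildcard handling described for allowedOrigins, as an added example (not Jetty's own code): it applies the documented conversion to the two patterns from the text and tests constructed Origin values against them. It assumes the whole Origin value must match the resulting expression; the class name, helper names and all sample hosts are made up for illustration.

```java
import java.util.List;
import java.util.regex.Pattern;

public class AllowedOriginCheck {
    // Conversion as documented: escape "." to "\.", then turn "*" into ".*".
    static Pattern toPattern(String allowedOrigin) {
        String regex = allowedOrigin.replace(".", "\\.").replace("*", ".*");
        return Pattern.compile(regex);
    }

    // Assumption: entries without "*" are compared literally, and for
    // wildcard entries the whole Origin value must match the expression.
    static boolean allows(String allowedOrigin, String origin) {
        if (!allowedOrigin.contains("*")) {
            return allowedOrigin.equals(origin);
        }
        return toPattern(allowedOrigin).matcher(origin).matches();
    }

    public static void main(String[] args) {
        // The first two entries are the patterns used in the text above;
        // the third entry and all Origin values are constructed samples.
        List<String> configured = List.of(
            "http://*.domain.com",
            "https?://*.domain.[a-z]{3}",
            "https://app.domain.com");
        List<String> origins = List.of(
            "http://a.domain.com",
            "http://a.b.domain.com",
            "http://domain.com",
            "https://a.domain.xyz",
            "http://a.domain.com.attacker.example",
            "https://app.domain.com");
        for (String allowed : configured) {
            System.out.println(allowed + (allowed.contains("*")
                ? "  ->  " + toPattern(allowed).pattern() : "  (exact)"));
            for (String origin : origins) {
                System.out.printf("  %-40s %s%n", origin,
                    allows(allowed, origin) ? "ALLOWED" : "rejected");
            }
        }
    }
}
```

    The output shows that https?://*.domain.[a-z]{3} admits https://a.domain.xyz, so a "domain" registered by another party under any three-letter top-level domain passes the check. Neither wildcard entry admits the bare http://domain.com, and an exact entry such as https://app.domain.com is the narrowest setting.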
     
    • Field Detail

      • ACCESS_CONTROL_REQUEST_METHOD_HEADER

        public static final java.lang.String ACCESS_CONTROL_REQUEST_METHOD_HEADER
        See Also:
        Constant Field Values
      • ACCESS_CONTROL_REQUEST_HEADERS_HEADER

        public static final java.lang.String ACCESS_CONTROL_REQUEST_HEADERS_HEADER
        See Also:
        Constant Field Values
      • ACCESS_CONTROL_ALLOW_ORIGIN_HEADER

        public static final java.lang.String ACCESS_CONTROL_ALLOW_ORIGIN_HEADER
        See Also:
        Constant Field Values
      • ACCESS_CONTROL_ALLOW_METHODS_HEADER

        public static final java.lang.String ACCESS_CONTROL_ALLOW_METHODS_HEADER
        See Also:
        Constant Field Values
      • ACCESS_CONTROL_ALLOW_HEADERS_HEADER

        public static final java.lang.String ACCESS_CONTROL_ALLOW_HEADERS_HEADER
        See Also:
        Constant Field Values
      • ACCESS_CONTROL_MAX_AGE_HEADER

        public static final java.lang.String ACCESS_CONTROL_MAX_AGE_HEADER
        See Also:
        Constant Field Values
      • ACCESS_CONTROL_ALLOW_CREDENTIALS_HEADER

        public static final java.lang.String ACCESS_CONTROL_ALLOW_CREDENTIALS_HEADER
        See Also:
        Constant Field Values
      • ACCESS_CONTROL_EXPOSE_HEADERS_HEADER

        public static final java.lang.String ACCESS_CONTROL_EXPOSE_HEADERS_HEADER
        See Also:
        Constant Field Values
      • TIMING_ALLOW_ORIGIN_HEADER

        public static final java.lang.String TIMING_ALLOW_ORIGIN_HEADER
        See Also:
        Constant Field Values
      • ALLOWED_ORIGINS_PARAM

        public static final java.lang.String ALLOWED_ORIGINS_PARAM
        See Also:
        Constant Field Values
      • ALLOWED_TIMING_ORIGINS_PARAM

        public static final java.lang.String ALLOWED_TIMING_ORIGINS_PARAM
        See Also:
        Constant Field Values
      • ALLOWED_METHODS_PARAM

        public static final java.lang.String ALLOWED_METHODS_PARAM
        See Also:
        Constant Field Values
      • ALLOWED_HEADERS_PARAM

        public static final java.lang.String ALLOWED_HEADERS_PARAM
        See Also:
        Constant Field Values
      • PREFLIGHT_MAX_AGE_PARAM

        public static final java.lang.String PREFLIGHT_MAX_AGE_PARAM
        See Also:
        Constant Field Values
      • ALLOW_CREDENTIALS_PARAM

        public static final java.lang.String ALLOW_CREDENTIALS_PARAM
        See Also:
        Constant Field Values
      • EXPOSED_HEADERS_PARAM

        public static final java.lang.String EXPOSED_HEADERS_PARAM
        See Also:
        Constant Field Values
      • OLD_CHAIN_PREFLIGHT_PARAM

        public static final java.lang.String OLD_CHAIN_PREFLIGHT_PARAM
        See Also:
        Constant Field Values
      • CHAIN_PREFLIGHT_PARAM

        public static final java.lang.String CHAIN_PREFLIGHT_PARAM
        See Also:
        Constant Field Values
    • Constructor Detail

      • CrossOriginFilter

        public CrossOriginFilter()
    • Method Detail

      • init

        public void init(javax.servlet.FilterConfig config)
                  throws javax.servlet.ServletException
        Specified by:
        init in interface javax.servlet.Filter
        Throws:
        javax.servlet.ServletException
      • doFilter

        public void doFilter(javax.servlet.ServletRequest request,
                             javax.servlet.ServletResponse response,
                             javax.servlet.FilterChain chain)
                      throws java.io.IOException,
                             javax.servlet.ServletException
        Specified by:
        doFilter in interface javax.servlet.Filter
        Throws:
        java.io.IOException
        javax.servlet.ServletException
      • isEnabled

        protected boolean isEnabled(javax.servlet.http.HttpServletRequest request)
      • destroy

        public void destroy()
        Specified by:
        destroy in interface javax.servlet.Filter