Package org.eclipse.jetty.servlets

Class CrossOriginFilter

  • All Implemented Interfaces:
    javax.servlet.Filter
    public class CrossOriginFilter
extends java.lang.Object
implements javax.servlet.Filter
    Implementation of the cross-origin resource sharing.

    A typical example is to use this filter to allow cross-domain cometd communication using the standard long polling transport instead of the JSONP transport (that is less efficient and less reactive to failures).

    This filter allows the following configuration parameters:

    allowedOrigins
    a comma separated list of origins that are allowed to access the resources. Default value is *, meaning all origins. Note that using wild cards can result in security problems for requests identifying hosts that do not exist.

    If an allowed origin contains one or more * characters (for example http://*.domain.com), then "*" characters are converted to ".*", "." characters are escaped to "\." and the resulting allowed origin interpreted as a regular expression.

    Allowed origins can therefore be more complex expressions such as https?://*.domain.[a-z]{3} that matches http or https, multiple subdomains and any 3 letter top-level domain (.com, .net, .org, etc.).

    allowedTimingOrigins
    a comma separated list of origins that are allowed to time the resource. Default value is the empty string, meaning no origins.

    The check whether the timing header is set, will be performed only if the user gets general access to the resource using the allowedOrigins.

    allowedMethods
    a comma separated list of HTTP methods that are allowed to be used when accessing the resources. Default value is GET,POST,HEAD
    allowedHeaders
    a comma separated list of HTTP headers that are allowed to be specified when accessing the resources. Default value is X-Requested-With,Content-Type,Accept,Origin. If the value is a single "*", this means that any headers will be accepted.
    preflightMaxAge
    the number of seconds that preflight requests can be cached by the client. Default value is 1800 seconds, or 30 minutes
    allowCredentials
    a boolean indicating if the resource allows requests with credentials. Default value is true
    exposedHeaders
    a comma separated list of HTTP headers that are allowed to be exposed on the client. Default value is the empty list
    chainPreflight
    if true preflight requests are chained to their target resource for normal handling (as an OPTION request). Otherwise the filter will response to the preflight. Default is true.
    A typical configuration could be: 
     <web-app ...>
     ...
     <filter>
         <filter-name>cross-origin</filter-name>
         <filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
     </filter>
     <filter-mapping>
         <filter-name>cross-origin</filter-name>
         <url-pattern>/cometd/*</url-pattern>
     </filter-mapping>
     ...
 </web-app>

    • Field Detail

      • LOG

        private static final Logger LOG

      • ACCESS_CONTROL_REQUEST_METHOD_HEADER

        public static final java.lang.String ACCESS_CONTROL_REQUEST_METHOD_HEADER
        See Also:
        Constant Field Values

      • ACCESS_CONTROL_REQUEST_HEADERS_HEADER

        public static final java.lang.String ACCESS_CONTROL_REQUEST_HEADERS_HEADER
        See Also:
        Constant Field Values

      • ACCESS_CONTROL_ALLOW_ORIGIN_HEADER

        public static final java.lang.String ACCESS_CONTROL_ALLOW_ORIGIN_HEADER
        See Also:
        Constant Field Values

      • ACCESS_CONTROL_ALLOW_METHODS_HEADER

        public static final java.lang.String ACCESS_CONTROL_ALLOW_METHODS_HEADER
        See Also:
        Constant Field Values

      • ACCESS_CONTROL_ALLOW_HEADERS_HEADER

        public static final java.lang.String ACCESS_CONTROL_ALLOW_HEADERS_HEADER
        See Also:
        Constant Field Values

      • ACCESS_CONTROL_MAX_AGE_HEADER

        public static final java.lang.String ACCESS_CONTROL_MAX_AGE_HEADER
        See Also:
        Constant Field Values

      • ACCESS_CONTROL_ALLOW_CREDENTIALS_HEADER

        public static final java.lang.String ACCESS_CONTROL_ALLOW_CREDENTIALS_HEADER
        See Also:
        Constant Field Values

      • ACCESS_CONTROL_EXPOSE_HEADERS_HEADER

        public static final java.lang.String ACCESS_CONTROL_EXPOSE_HEADERS_HEADER
        See Also:
        Constant Field Values

      • TIMING_ALLOW_ORIGIN_HEADER

        public static final java.lang.String TIMING_ALLOW_ORIGIN_HEADER
        See Also:
        Constant Field Values

      • ALLOWED_ORIGINS_PARAM

        public static final java.lang.String ALLOWED_ORIGINS_PARAM
        See Also:
        Constant Field Values

      • ALLOWED_TIMING_ORIGINS_PARAM

        public static final java.lang.String ALLOWED_TIMING_ORIGINS_PARAM
        See Also:
        Constant Field Values

      • ALLOWED_METHODS_PARAM

        public static final java.lang.String ALLOWED_METHODS_PARAM
        See Also:
        Constant Field Values

      • ALLOWED_HEADERS_PARAM

        public static final java.lang.String ALLOWED_HEADERS_PARAM
        See Also:
        Constant Field Values

      • PREFLIGHT_MAX_AGE_PARAM

        public static final java.lang.String PREFLIGHT_MAX_AGE_PARAM
        See Also:
        Constant Field Values

      • ALLOW_CREDENTIALS_PARAM

        public static final java.lang.String ALLOW_CREDENTIALS_PARAM
        See Also:
        Constant Field Values

      • EXPOSED_HEADERS_PARAM

        public static final java.lang.String EXPOSED_HEADERS_PARAM
        See Also:
        Constant Field Values

      • OLD_CHAIN_PREFLIGHT_PARAM

        public static final java.lang.String OLD_CHAIN_PREFLIGHT_PARAM
        See Also:
        Constant Field Values

      • CHAIN_PREFLIGHT_PARAM

        public static final java.lang.String CHAIN_PREFLIGHT_PARAM
        See Also:
        Constant Field Values

      • DEFAULT_ALLOWED_ORIGINS

        private static final java.lang.String DEFAULT_ALLOWED_ORIGINS
        See Also:
        Constant Field Values

      • DEFAULT_ALLOWED_TIMING_ORIGINS

        private static final java.lang.String DEFAULT_ALLOWED_TIMING_ORIGINS
        See Also:
        Constant Field Values

      • SIMPLE_HTTP_METHODS

        private static final java.util.List<java.lang.String> SIMPLE_HTTP_METHODS

      • DEFAULT_ALLOWED_METHODS

        private static final java.util.List<java.lang.String> DEFAULT_ALLOWED_METHODS

      • DEFAULT_ALLOWED_HEADERS

        private static final java.util.List<java.lang.String> DEFAULT_ALLOWED_HEADERS

      • anyOriginAllowed

        private boolean anyOriginAllowed

      • anyTimingOriginAllowed

        private boolean anyTimingOriginAllowed

      • anyHeadersAllowed

        private boolean anyHeadersAllowed

      • allowedOrigins

        private java.util.Set<java.lang.String> allowedOrigins

      • allowedOriginPatterns

        private java.util.List<java.util.regex.Pattern> allowedOriginPatterns

      • allowedTimingOrigins

        private java.util.Set<java.lang.String> allowedTimingOrigins

      • allowedTimingOriginPatterns

        private java.util.List<java.util.regex.Pattern> allowedTimingOriginPatterns

      • allowedMethods

        private java.util.List<java.lang.String> allowedMethods

      • allowedHeaders

        private java.util.List<java.lang.String> allowedHeaders

      • exposedHeaders

        private java.util.List<java.lang.String> exposedHeaders

      • preflightMaxAge

        private int preflightMaxAge

      • allowCredentials

        private boolean allowCredentials

      • chainPreflight

        private boolean chainPreflight

    • Constructor Detail

      • CrossOriginFilter

        public CrossOriginFilter()

    • Method Detail

      • init

        public void init​(javax.servlet.FilterConfig config)
          throws javax.servlet.ServletException
        Specified by:
        init in interface javax.servlet.Filter
        Throws:
        javax.servlet.ServletException

      • generateAllowedOrigins

        private boolean generateAllowedOrigins​(java.util.Set<java.lang.String> allowedOriginStore,
                                       java.util.List<java.util.regex.Pattern> allowedOriginPatternStore,
                                       java.lang.String allowedOriginsConfig,
                                       java.lang.String defaultOrigin)

      • doFilter

        public void doFilter​(javax.servlet.ServletRequest request,
                     javax.servlet.ServletResponse response,
                     javax.servlet.FilterChain chain)
              throws java.io.IOException,
                     javax.servlet.ServletException
        Specified by:
        doFilter in interface javax.servlet.Filter
        Throws:
        java.io.IOException
        javax.servlet.ServletException

      • handle

        private void handle​(javax.servlet.http.HttpServletRequest request,
                    javax.servlet.http.HttpServletResponse response,
                    javax.servlet.FilterChain chain)
             throws java.io.IOException,
                    javax.servlet.ServletException
        Throws:
        java.io.IOException
        javax.servlet.ServletException

      • isEnabled

        protected boolean isEnabled​(javax.servlet.http.HttpServletRequest request)

      • originMatches

        private boolean originMatches​(java.util.Set<java.lang.String> allowedOrigins,
                              java.util.List<java.util.regex.Pattern> allowedOriginPatterns,
                              java.lang.String originList)

      • parseAllowedWildcardOriginToRegex

        private java.lang.String parseAllowedWildcardOriginToRegex​(java.lang.String allowedOrigin)

      • isSimpleRequest

        private boolean isSimpleRequest​(javax.servlet.http.HttpServletRequest request)

      • isPreflightRequest

        private boolean isPreflightRequest​(javax.servlet.http.HttpServletRequest request)

      • handleSimpleResponse

        private void handleSimpleResponse​(javax.servlet.http.HttpServletRequest request,
                                  javax.servlet.http.HttpServletResponse response,
                                  java.lang.String origin)

      • handlePreflightResponse

        private void handlePreflightResponse​(javax.servlet.http.HttpServletRequest request,
                                     javax.servlet.http.HttpServletResponse response,
                                     java.lang.String origin)

      • isMethodAllowed

        private boolean isMethodAllowed​(javax.servlet.http.HttpServletRequest request)

      • getAccessControlRequestHeaders

        private java.util.List<java.lang.String> getAccessControlRequestHeaders​(javax.servlet.http.HttpServletRequest request)

      • areHeadersAllowed

        private boolean areHeadersAllowed​(java.util.List<java.lang.String> requestedHeaders)

      • commify

        private java.lang.String commify​(java.util.List<java.lang.String> strings)

      • destroy

        public void destroy()
        Specified by:
        destroy in interface javax.servlet.Filter