Class CorsFilter

  • All Implemented Interfaces:
    Uniform

    public class CorsFilter
    extends Filter
    Filter that helps support CORS requests. This filter lets the target resources specify the allowed methods. Example:
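     // Requires java.util.Arrays and java.util.HashSet.
     Router router = new Router(getContext());
     
     // Wrap the router so that requests pass through the CORS filter first.
     CorsFilter corsFilter = new CorsFilter(getContext(), router);
     // Allow one explicit origin instead of the default "*".
     corsFilter.setAllowedOrigins(new HashSet<>(Arrays.asList("http://server.com")));
     // Add the 'Access-Control-Allow-Credentials' header.
     corsFilter.setAllowedCredentials(true);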
     
    • Field Detail

      • allowAllRequestedHeaders

        public boolean allowAllRequestedHeaders
        If true, copies the value of 'Access-Control-Request-Headers' request header into the 'Access-Control-Allow-Headers' response header. If false, use allowedHeaders. Default is true.
      • allowedCredentials

        private boolean allowedCredentials
        If true, add 'Access-Control-Allow-Credentials' header. Default is false.
      • allowedHeaders

        private java.util.Set<java.lang.String> allowedHeaders
        The value of 'Access-Control-Allow-Headers' response header. Used only if allowAllRequestedHeaders is false.
      • allowedOrigins

        private java.util.Set<java.lang.String> allowedOrigins
        The value of 'Access-Control-Allow-Origin' header. Default is '*'.
      • corsResponseHelper

        private CorsResponseHelper corsResponseHelper
        Helper for generating CORS response.
      • defaultAllowedMethods

        private java.util.Set<Method> defaultAllowedMethods
        The set of methods allowed by default, used when skippingResourceForCorsOptions is turned on. By default: GET, PUT, POST, DELETE, PATCH.
      • exposedHeaders

        private java.util.Set<java.lang.String> exposedHeaders
        The value of 'Access-Control-Expose-Headers' response header.
      • maxAge

        private int maxAge
        The value of 'Access-Control-Max-Age' response header. By default, the header is not set.
      • skippingResourceForCorsOptions

        private boolean skippingResourceForCorsOptions
        If true, the filter does not call the server resource for the OPTIONS method of a CORS request and sets the 'Access-Control-Allow-Methods' header from defaultAllowedMethods. Default is false.
    • Constructor Detail

      • CorsFilter

        public CorsFilter()
        Constructor.
      • CorsFilter

        public CorsFilter​(Context context)
        Constructor.
        Parameters:
        context - The context.
      • CorsFilter

        public CorsFilter​(Context context,
                          Restlet next)
        Constructor.
        Parameters:
        context - The context.
        next - The next Restlet.
    • Method Detail

      • afterHandle

        protected void afterHandle​(Request request,
                                   Response response)
        Adds CORS headers to the response.
        Overrides:
        afterHandle in class Filter
        Parameters:
        request - The request to handle.
        response - The response
      • getAllowedHeaders

        public java.util.Set<java.lang.String> getAllowedHeaders()
        Returns the modifiable set of headers allowed by the actual request on the current resource.
        Note that when used with HTTP connectors, this property maps to the "Access-Control-Allow-Headers" header.
        Returns:
        The set of headers allowed by the actual request on the current resource.
      • getAllowedOrigins

        public java.util.Set<java.lang.String> getAllowedOrigins()
        Returns the URI an origin server allows for the requested resource. Use "*" as a wildcard character.
        Note that when used with HTTP connectors, this property maps to the "Access-Control-Allow-Origin" header.
        Returns:
        The origin allowed by the requested resource.
      • getExposedHeaders

        public java.util.Set<java.lang.String> getExposedHeaders()
        Returns a modifiable whitelist of headers an origin server allows for the requested resource.
        Note that when used with HTTP connectors, this property maps to the "Access-Control-Expose-Headers" header.
        Returns:
        The set of headers an origin server allows for the requested resource.
      • getMaxAge

        public int getMaxAge()
        Indicates how long (in seconds) the results of a preflight request can be cached in a preflight result cache.
        In case of a negative value, the results of a preflight request are not meant to be cached.
        Note that when used with HTTP connectors, this property maps to the "Access-Control-Max-Age" header.
        Returns:
        How long the results of a preflight request can be cached in a preflight result cache.
      • isAllowAllRequestedHeaders

        public boolean isAllowAllRequestedHeaders()
        If true, indicates that the value of 'Access-Control-Request-Headers' request header will be copied into the 'Access-Control-Allow-Headers' response header. If false, use allowedHeaders.
      • isAllowedCredentials

        public boolean isAllowedCredentials()
        If true, adds 'Access-Control-Allow-Credentials' header.
        Returns:
        True, if the 'Access-Control-Allow-Credentials' header will be added.
      • isSkippingResourceForCorsOptions

        public boolean isSkippingResourceForCorsOptions()
        If true, the filter does not call the server resource for the OPTIONS method of a CORS request and sets the 'Access-Control-Allow-Methods' header from defaultAllowedMethods. Default is false.
        Returns:
        True if the filter does not call the server resource for OPTIONS method of CORS request.
      • setAllowedCredentials

        public CorsFilter setAllowedCredentials​(boolean allowedCredentials)
        If true, adds 'Access-Control-Allow-Credentials' header.
        Parameters:
        allowedCredentials - True to add the 'Access-Control-Allow-Credentials' header.
        Returns:
        Itself, for chaining method calls.
      • setAllowedHeaders

        public CorsFilter setAllowedHeaders​(java.util.Set<java.lang.String> allowedHeaders)
        Sets the value of the 'Access-Control-Allow-Headers' response header. Used only if allowAllRequestedHeaders is false.
        Parameters:
        allowedHeaders - The value of 'Access-Control-Allow-Headers' response header.
        Returns:
        Itself, for chaining method calls.
      • setAllowedOrigins

        public CorsFilter setAllowedOrigins​(java.util.Set<java.lang.String> allowedOrigins)
        Sets the value of 'Access-Control-Allow-Origin' header.
        Parameters:
        allowedOrigins - The value of 'Access-Control-Allow-Origin' header.
        Returns:
        Itself, for chaining method calls.
      • setAllowingAllRequestedHeaders

        public CorsFilter setAllowingAllRequestedHeaders​(boolean allowingAllRequestedHeaders)
        If true, copies the value of 'Access-Control-Request-Headers' request header into the 'Access-Control-Allow-Headers' response header. If false, use allowedHeaders.
        Parameters:
        allowingAllRequestedHeaders - True to copy the value of 'Access-Control-Request-Headers' request header into the 'Access-Control-Allow-Headers' response header. If false, use allowedHeaders.
        Returns:
        Itself, for chaining method calls.
      • setExposedHeaders

        public CorsFilter setExposedHeaders​(java.util.Set<java.lang.String> exposedHeaders)
        Sets the value of 'Access-Control-Expose-Headers' response header.
        Parameters:
        exposedHeaders - The value of 'Access-Control-Expose-Headers' response header.
        Returns:
        Itself, for chaining method calls.
      • setMaxAge

        public CorsFilter setMaxAge​(int maxAge)
        Sets the value of 'Access-Control-Max-Age' response header.
        In case of a negative value, the header is not set.
        Parameters:
        maxAge - The value of 'Access-Control-Max-Age' response header.
      • setSkippingResourceForCorsOptions

        public CorsFilter setSkippingResourceForCorsOptions​(boolean skipResourceForCorsOptions)
        Sets the value of the skippingResourceForCorsOptions field.
        Parameters:
        skipResourceForCorsOptions - True if the filter does not call the server resource for OPTIONS method of CORS request.
        Returns:
        Itself, for chaining method calls.
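
The documented defaults are permissive: allowedOrigins is '*' and allowAllRequestedHeaders is true. The following is an added example, not code from the Restlet project, that tightens each of them for an API called with credentials, using only the setters listed above. The import path org.restlet.engine.application, the class names ApiApplication and AccountResource, the origins and the header names are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.restlet.Application;
import org.restlet.Restlet;
import org.restlet.engine.application.CorsFilter; // assumed package, not shown on this page
import org.restlet.resource.Get;
import org.restlet.resource.ServerResource;
import org.restlet.routing.Router;

public class ApiApplication extends Application {

    // Hypothetical resource, present only so the router has a target.
    public static class AccountResource extends ServerResource {
        @Get
        public String represent() {
            return "ok";
        }
    }

    @Override
    public Restlet createInboundRoot() {
        Router router = new Router(getContext());
        router.attach("/account", AccountResource.class);

        // Constructed values: list only the front ends that really call this API.
        Set<String> origins = new HashSet<>(Arrays.asList(
                "https://app.example.com", "https://admin.example.com"));
        // Constructed values: request headers the API actually reads.
        Set<String> requestHeaders = new HashSet<>(Arrays.asList(
                "Content-Type", "Authorization"));
        // Constructed value: response header that client scripts may read.
        Set<String> exposed = new HashSet<>(Arrays.asList("X-Request-Id"));

        CorsFilter cors = new CorsFilter(getContext(), router);
        cors.setAllowedOrigins(origins)             // default is "*"
            .setAllowedCredentials(true)            // default is false
            .setAllowingAllRequestedHeaders(false)  // default true copies the requested headers
            .setAllowedHeaders(requestHeaders)      // used only when the flag above is false
            .setExposedHeaders(exposed)
            .setMaxAge(600);                        // seconds; header is not set by default

        // Return the filter, not the router, so every request passes through it.
        return cors;
    }
}
```

Browsers reject a credentialed cross-origin response whose 'Access-Control-Allow-Origin' value is '*', so an API that enables allowedCredentials needs an explicit origin set like the one above.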