Package org.eclipse.jetty.servlets

Class CrossOriginFilter

java.lang.Object

org.eclipse.jetty.servlets.CrossOriginFilter

All Implemented Interfaces:

javax.servlet.Filter

public class CrossOriginFilter
extends java.lang.Object
implements javax.servlet.Filter

Implementation of the cross-origin resource sharing.

A typical example is to use this filter to allow cross-domain cometd communication using the standard long polling transport instead of the JSONP transport (that is less efficient and less reactive to failures).

This filter allows the following configuration parameters:

allowedOrigins

a comma separated list of origins that are allowed to access the resources. Default value is *, meaning all origins. Note that using wild cards can result in security problems for requests identifying hosts that do not exist.

If an allowed origin contains one or more * characters (for example http://*.domain.com), then "*" characters are converted to ".*", "." characters are escaped to "\." and the resulting allowed origin interpreted as a regular expression.

Allowed origins can therefore be more complex expressions such as https?://*.domain.[a-z]{3} that matches http or https, multiple subdomains and any 3 letter top-level domain (.com, .net, .org, etc.).

allowedTimingOrigins

a comma separated list of origins that are allowed to time the resource. Default value is the empty string, meaning no origins.

The check whether the timing header is set, will be performed only if the user gets general access to the resource using the allowedOrigins.

allowedMethods

a comma separated list of HTTP methods that are allowed to be used when accessing the resources. Default value is GET,POST,HEAD

allowedHeaders

a comma separated list of HTTP headers that are allowed to be specified when accessing the resources. Default value is X-Requested-With,Content-Type,Accept,Origin. If the value is a single "*", this means that any headers will be accepted.

preflightMaxAge

the number of seconds that preflight requests can be cached by the client. Default value is 1800 seconds, or 30 minutes

allowCredentials

a boolean indicating if the resource allows requests with credentials. Default value is true

exposedHeaders

a comma separated list of HTTP headers that are allowed to be exposed on the client. Default value is the empty list

chainPreflight

if true preflight requests are chained to their target resource for normal handling (as an OPTION request). Otherwise the filter will response to the preflight. Default is true.

A typical configuration could be:

 <web-app ...>
     ...
     <filter>
         <filter-name>cross-origin</filter-name>
         <filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
     </filter>
     <filter-mapping>
         <filter-name>cross-origin</filter-name>
         <url-pattern>/cometd/*</url-pattern>
     </filter-mapping>
     ...
 </web-app>
 

Field Summary

Fields

Modifier and Type	Field	Description
static java.lang.String	ACCESS_CONTROL_ALLOW_CREDENTIALS_HEADER
static java.lang.String	ACCESS_CONTROL_ALLOW_HEADERS_HEADER
static java.lang.String	ACCESS_CONTROL_ALLOW_METHODS_HEADER
static java.lang.String	ACCESS_CONTROL_ALLOW_ORIGIN_HEADER
static java.lang.String	ACCESS_CONTROL_EXPOSE_HEADERS_HEADER
static java.lang.String	ACCESS_CONTROL_MAX_AGE_HEADER
static java.lang.String	ACCESS_CONTROL_REQUEST_HEADERS_HEADER
static java.lang.String	ACCESS_CONTROL_REQUEST_METHOD_HEADER
static java.lang.String	ALLOW_CREDENTIALS_PARAM
static java.lang.String	ALLOWED_HEADERS_PARAM
static java.lang.String	ALLOWED_METHODS_PARAM
static java.lang.String	ALLOWED_ORIGINS_PARAM
static java.lang.String	ALLOWED_TIMING_ORIGINS_PARAM
static java.lang.String	CHAIN_PREFLIGHT_PARAM
static java.lang.String	EXPOSED_HEADERS_PARAM
static java.lang.String	OLD_CHAIN_PREFLIGHT_PARAM
static java.lang.String	PREFLIGHT_MAX_AGE_PARAM
static java.lang.String	TIMING_ALLOW_ORIGIN_HEADER

Constructor Summary

Constructors

Constructor	Description
CrossOriginFilter()

Method Summary

Modifier and Type	Method	Description
void	destroy()
void	doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)
void	init(javax.servlet.FilterConfig config)
protected boolean	isEnabled(javax.servlet.http.HttpServletRequest request)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

ACCESS_CONTROL_REQUEST_METHOD_HEADER

public static final java.lang.String ACCESS_CONTROL_REQUEST_METHOD_HEADER

See Also:

Constant Field Values

ACCESS_CONTROL_REQUEST_HEADERS_HEADER

public static final java.lang.String ACCESS_CONTROL_REQUEST_HEADERS_HEADER

See Also:

Constant Field Values

ACCESS_CONTROL_ALLOW_ORIGIN_HEADER

public static final java.lang.String ACCESS_CONTROL_ALLOW_ORIGIN_HEADER

See Also:

Constant Field Values

ACCESS_CONTROL_ALLOW_METHODS_HEADER

public static final java.lang.String ACCESS_CONTROL_ALLOW_METHODS_HEADER

See Also:

Constant Field Values

ACCESS_CONTROL_ALLOW_HEADERS_HEADER

public static final java.lang.String ACCESS_CONTROL_ALLOW_HEADERS_HEADER

See Also:

Constant Field Values

ACCESS_CONTROL_MAX_AGE_HEADER

public static final java.lang.String ACCESS_CONTROL_MAX_AGE_HEADER

See Also:

Constant Field Values

ACCESS_CONTROL_ALLOW_CREDENTIALS_HEADER

public static final java.lang.String ACCESS_CONTROL_ALLOW_CREDENTIALS_HEADER

See Also:

Constant Field Values

ACCESS_CONTROL_EXPOSE_HEADERS_HEADER

public static final java.lang.String ACCESS_CONTROL_EXPOSE_HEADERS_HEADER

See Also:

Constant Field Values

TIMING_ALLOW_ORIGIN_HEADER

public static final java.lang.String TIMING_ALLOW_ORIGIN_HEADER

See Also:

Constant Field Values

ALLOWED_ORIGINS_PARAM

public static final java.lang.String ALLOWED_ORIGINS_PARAM

See Also:

Constant Field Values

ALLOWED_TIMING_ORIGINS_PARAM

public static final java.lang.String ALLOWED_TIMING_ORIGINS_PARAM

See Also:

Constant Field Values

ALLOWED_METHODS_PARAM

public static final java.lang.String ALLOWED_METHODS_PARAM

See Also:

Constant Field Values

ALLOWED_HEADERS_PARAM

public static final java.lang.String ALLOWED_HEADERS_PARAM

See Also:

Constant Field Values

PREFLIGHT_MAX_AGE_PARAM

public static final java.lang.String PREFLIGHT_MAX_AGE_PARAM

See Also:

Constant Field Values

ALLOW_CREDENTIALS_PARAM

public static final java.lang.String ALLOW_CREDENTIALS_PARAM

See Also:

Constant Field Values

EXPOSED_HEADERS_PARAM

public static final java.lang.String EXPOSED_HEADERS_PARAM

See Also:

Constant Field Values

OLD_CHAIN_PREFLIGHT_PARAM

public static final java.lang.String OLD_CHAIN_PREFLIGHT_PARAM

See Also:

Constant Field Values

CHAIN_PREFLIGHT_PARAM

public static final java.lang.String CHAIN_PREFLIGHT_PARAM

See Also:

Constant Field Values

Constructor Detail

CrossOriginFilter

public CrossOriginFilter()

Method Detail

init

public void init(javax.servlet.FilterConfig config)
          throws javax.servlet.ServletException

Specified by:

init in interface javax.servlet.Filter

Throws:

javax.servlet.ServletException

doFilter

public void doFilter(javax.servlet.ServletRequest request,
                     javax.servlet.ServletResponse response,
                     javax.servlet.FilterChain chain)
              throws java.io.IOException,
                     javax.servlet.ServletException

Specified by:

doFilter in interface javax.servlet.Filter

Throws:

java.io.IOException

javax.servlet.ServletException

isEnabled

protected boolean isEnabled(javax.servlet.http.HttpServletRequest request)

destroy

public void destroy()

Specified by:

destroy in interface javax.servlet.Filter