Class AbstractCorsFilter

  • All Implemented Interfaces:
    jakarta.servlet.Filter

    public abstract class AbstractCorsFilter
    extends Object
    implements jakarta.servlet.Filter
    CORS Filter to support both Tomcat and Jetty
    Version:
    March 22, 2018
    Author:
    Yuriy Movchan, Javier Rojas Blum
    • Field Detail

      • RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN

        public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN
        The Access-Control-Allow-Origin header indicates whether a resource can be shared, by returning the value of the Origin request header in the response.
        See Also:
        Constant Field Values
      • RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS

        public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS
        The Access-Control-Allow-Credentials header indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials.
        See Also:
        Constant Field Values
      • RESPONSE_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS

        public static final String RESPONSE_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS
        The Access-Control-Expose-Headers header indicates which response headers are safe to expose to the API of a CORS API specification.
        See Also:
        Constant Field Values
      • RESPONSE_HEADER_ACCESS_CONTROL_MAX_AGE

        public static final String RESPONSE_HEADER_ACCESS_CONTROL_MAX_AGE
        The Access-Control-Max-Age header indicates how long the results of a preflight request can be cached in a preflight result cache.
        See Also:
        Constant Field Values
      • RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_METHODS

        public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_METHODS
        The Access-Control-Allow-Methods header indicates, as part of the response to a preflight request, which methods can be used during the actual request.
        See Also:
        Constant Field Values
      • RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_HEADERS

        public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_HEADERS
        The Access-Control-Allow-Headers header indicates, as part of the response to a preflight request, which header field names can be used during the actual request.
        See Also:
        Constant Field Values
      • REQUEST_HEADER_ORIGIN

        public static final String REQUEST_HEADER_ORIGIN
        The Origin header indicates where the cross-origin request or preflight request originates from.
        See Also:
        Constant Field Values
      • REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD

        public static final String REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD
        The Access-Control-Request-Method header indicates which method will be used in the actual request as part of the preflight request.
        See Also:
        Constant Field Values
      • REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS

        public static final String REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS
        The Access-Control-Request-Headers header indicates which headers will be used in the actual request as part of the preflight request.
        See Also:
        Constant Field Values
      • HTTP_REQUEST_ATTRIBUTE_PREFIX

        public static final String HTTP_REQUEST_ATTRIBUTE_PREFIX
        The prefix to a CORS request attribute.
        See Also:
        Constant Field Values
      • HTTP_REQUEST_ATTRIBUTE_ORIGIN

        public static final String HTTP_REQUEST_ATTRIBUTE_ORIGIN
        Attribute that contains the origin of the request.
        See Also:
        Constant Field Values
      • HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST

        public static final String HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST
        Boolean value indicating whether the request is a CORS request.
        See Also:
        Constant Field Values
      • HTTP_REQUEST_ATTRIBUTE_REQUEST_HEADERS

        public static final String HTTP_REQUEST_ATTRIBUTE_REQUEST_HEADERS
        Request headers sent as 'Access-Control-Request-Headers' header, for pre-flight request.
        See Also:
        Constant Field Values
      • COMPLEX_HTTP_METHODS

        public static final Collection<String> COMPLEX_HTTP_METHODS
        Collection of non-simple HTTP methods. Case sensitive.
      • DEFAULT_ALLOWED_ORIGINS

        public static final String DEFAULT_ALLOWED_ORIGINS
        By default, all origins are allowed to make requests.
        See Also:
        Constant Field Values
      • DEFAULT_ALLOWED_HTTP_METHODS

        public static final String DEFAULT_ALLOWED_HTTP_METHODS
        By default, the following methods are supported: GET, POST, HEAD and OPTIONS.
        See Also:
        Constant Field Values
      • DEFAULT_PREFLIGHT_MAXAGE

        public static final String DEFAULT_PREFLIGHT_MAXAGE
        By default, the pre-flight response is cached for 30 minutes.
        See Also:
        Constant Field Values
      • DEFAULT_SUPPORTS_CREDENTIALS

        public static final String DEFAULT_SUPPORTS_CREDENTIALS
        By default, credential support is turned on.
        See Also:
        Constant Field Values
      • DEFAULT_ALLOWED_HTTP_HEADERS

        public static final String DEFAULT_ALLOWED_HTTP_HEADERS
        By default, the following headers are supported: Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, and Access-Control-Request-Headers.
        See Also:
        Constant Field Values
      • DEFAULT_EXPOSED_HEADERS

        public static final String DEFAULT_EXPOSED_HEADERS
        By default, none of the headers are exposed in the response.
        See Also:
        Constant Field Values
      • DEFAULT_DECORATE_REQUEST

        public static final String DEFAULT_DECORATE_REQUEST
        By default, the request is decorated with CORS attributes.
        See Also:
        Constant Field Values
      • PARAM_CORS_ENABLED

        public static final String PARAM_CORS_ENABLED
        Key to retrieve from FilterConfig whether the filter is enabled.
        See Also:
        Constant Field Values
      • PARAM_CORS_ALLOWED_ORIGINS

        public static final String PARAM_CORS_ALLOWED_ORIGINS
        Key to retrieve allowed origins from FilterConfig.
        See Also:
        Constant Field Values
      • PARAM_CORS_SUPPORT_CREDENTIALS

        public static final String PARAM_CORS_SUPPORT_CREDENTIALS
        Key to retrieve support credentials from FilterConfig.
        See Also:
        Constant Field Values
      • PARAM_CORS_EXPOSED_HEADERS

        public static final String PARAM_CORS_EXPOSED_HEADERS
        Key to retrieve exposed headers from FilterConfig.
        See Also:
        Constant Field Values
      • PARAM_CORS_ALLOWED_HEADERS

        public static final String PARAM_CORS_ALLOWED_HEADERS
        Key to retrieve allowed headers from FilterConfig.
        See Also:
        Constant Field Values
      • PARAM_CORS_ALLOWED_METHODS

        public static final String PARAM_CORS_ALLOWED_METHODS
        Key to retrieve allowed methods from FilterConfig.
        See Also:
        Constant Field Values
      • PARAM_CORS_PREFLIGHT_MAXAGE

        public static final String PARAM_CORS_PREFLIGHT_MAXAGE
        Key to retrieve preflight max age from FilterConfig.
        See Also:
        Constant Field Values
      • PARAM_CORS_REQUEST_DECORATE

        public static final String PARAM_CORS_REQUEST_DECORATE
        Key to determine whether the request should be decorated.
        See Also:
        Constant Field Values
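The PARAM_CORS_* keys above are read from FilterConfig by a subclass's init implementation, since init is abstract in this class. The following is an added example of such a subclass, not code from the project: it reads each init-param, falls back to the DEFAULT_* values, validates every configured origin with the superclass's own isValidOrigin, refuses the any-origin default when credential support is on (the filter sets Access-Control-Allow-Origin by echoing the request's Origin header, so that combination would accept credentialed requests from every site), and then hands the values to parseAndStore. Assumptions: the class name StrictCorsFilter and the helper param(...) are mine; the package of AbstractCorsFilter is not shown on this page, so its import is a placeholder; the PARAM_* constants are the init-param names, as their documentation states.

```java
// Added example, not the project's own code.
// import <package>.AbstractCorsFilter;   // package name is not shown on this page

import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletException;

/** Concrete CORS filter that requires an explicit origin list when credentials are on. */
public class StrictCorsFilter extends AbstractCorsFilter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Each PARAM_CORS_* constant is the init-param key; DEFAULT_* is the fallback.
        String allowedOrigins     = param(filterConfig, PARAM_CORS_ALLOWED_ORIGINS,     DEFAULT_ALLOWED_ORIGINS);
        String allowedHttpMethods = param(filterConfig, PARAM_CORS_ALLOWED_METHODS,     DEFAULT_ALLOWED_HTTP_METHODS);
        String allowedHttpHeaders = param(filterConfig, PARAM_CORS_ALLOWED_HEADERS,     DEFAULT_ALLOWED_HTTP_HEADERS);
        String exposedHeaders     = param(filterConfig, PARAM_CORS_EXPOSED_HEADERS,     DEFAULT_EXPOSED_HEADERS);
        String supportsCredentials = param(filterConfig, PARAM_CORS_SUPPORT_CREDENTIALS, DEFAULT_SUPPORTS_CREDENTIALS);
        String preflightMaxAge    = param(filterConfig, PARAM_CORS_PREFLIGHT_MAXAGE,    DEFAULT_PREFLIGHT_MAXAGE);
        String decorateRequest    = param(filterConfig, PARAM_CORS_REQUEST_DECORATE,    DEFAULT_DECORATE_REQUEST);

        boolean credentialsOn = Boolean.parseBoolean(supportsCredentials);

        // The default allows every origin; with credentials on, require an explicit list instead.
        if (credentialsOn && DEFAULT_ALLOWED_ORIGINS.equals(allowedOrigins)) {
            throw new ServletException(PARAM_CORS_ALLOWED_ORIGINS
                    + " must list explicit origins when " + PARAM_CORS_SUPPORT_CREDENTIALS + " is true");
        }

        // Apply the superclass's own origin check (no encoded characters, must be a valid URI)
        // to every configured origin, so a typo in web.xml fails at startup rather than at runtime.
        if (!DEFAULT_ALLOWED_ORIGINS.equals(allowedOrigins)) {
            for (String origin : allowedOrigins.split(",")) {
                String trimmed = origin.trim();
                if (trimmed.isEmpty() || !isValidOrigin(trimmed)) {
                    throw new ServletException("Invalid allowed origin in "
                            + PARAM_CORS_ALLOWED_ORIGINS + ": '" + trimmed + "'");
                }
            }
        }

        // Let the superclass parse the comma-separated strings into its configuration fields.
        parseAndStore(allowedOrigins, allowedHttpMethods, allowedHttpHeaders,
                exposedHeaders, supportsCredentials, preflightMaxAge, decorateRequest);
    }

    /** Reads an init-param, falling back to the default when absent or blank. (Helper added here.) */
    private static String param(FilterConfig config, String key, String defaultValue) {
        String value = config.getInitParameter(key);
        return (value == null || value.trim().isEmpty()) ? defaultValue : value.trim();
    }
}
```

Register the subclass in web.xml like any other jakarta.servlet.Filter and supply init-params whose names are the PARAM_CORS_* constant values (those values are on the Constant Field Values page, not this one). The startup-time check means a deployment that keeps the defaults cannot silently end up reflecting arbitrary origins with credentials enabled.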
    • Constructor Detail

      • AbstractCorsFilter

        public AbstractCorsFilter()
    • Method Detail

      • doFilter

        public void doFilter​(jakarta.servlet.ServletRequest servletRequest,
                             jakarta.servlet.ServletResponse servletResponse,
                             jakarta.servlet.FilterChain filterChain)
                      throws IOException,
                             jakarta.servlet.ServletException
        Specified by:
        doFilter in interface jakarta.servlet.Filter
        Throws:
        IOException
        jakarta.servlet.ServletException
      • init

        public abstract void init​(jakarta.servlet.FilterConfig filterConfig)
                           throws jakarta.servlet.ServletException
        Specified by:
        init in interface jakarta.servlet.Filter
        Throws:
        jakarta.servlet.ServletException
      • handleSimpleCORS

        protected void handleSimpleCORS​(jakarta.servlet.http.HttpServletRequest request,
                                        jakarta.servlet.http.HttpServletResponse response,
                                        jakarta.servlet.FilterChain filterChain)
                                 throws IOException,
                                        jakarta.servlet.ServletException
        Handles a CORS request of type AbstractCorsFilter.CORSRequestType.SIMPLE.
        Parameters:
        request - The HttpServletRequest object.
        response - The HttpServletResponse object.
        filterChain - The FilterChain object.
        Throws:
        IOException
        jakarta.servlet.ServletException
        See Also:
        Simple Cross-Origin Request, Actual Request, and Redirects
      • handlePreflightCORS

        protected void handlePreflightCORS​(jakarta.servlet.http.HttpServletRequest request,
                                           jakarta.servlet.http.HttpServletResponse response,
                                           jakarta.servlet.FilterChain filterChain)
                                    throws IOException,
                                           jakarta.servlet.ServletException
        Handles a CORS pre-flight request.
        Parameters:
        request - The HttpServletRequest object.
        response - The HttpServletResponse object.
        filterChain - The FilterChain object.
        Throws:
        IOException
        jakarta.servlet.ServletException
      • destroy

        public void destroy()
        Specified by:
        destroy in interface jakarta.servlet.Filter
      • decorateCORSProperties

        protected void decorateCORSProperties​(jakarta.servlet.http.HttpServletRequest request,
                                              AbstractCorsFilter.CORSRequestType corsRequestType)
        Decorates the HttpServletRequest, with CORS attributes.
        • cors.isCorsRequest: Flag to determine if request is a CORS request. Set to true if CORS request; false otherwise.
        • cors.request.origin: The Origin URL.
        • cors.request.type: Type of request. Values: simple or preflight or not_cors or invalid_cors
        • cors.request.headers: Request headers sent as 'Access-Control-Request-Headers' header, for pre-flight request.
        Parameters:
        request - The HttpServletRequest object.
        corsRequestType - The AbstractCorsFilter.CORSRequestType object.
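The attributes set by decorateCORSProperties are meant to be consumed further down the filter chain. The following is an added example of a consumer, not the project's own code: a second filter, registered after the CORS filter, that reads the cors.* attributes and writes one audit log line per cross-origin request, which gives operations a record of which origins and request types reach the application. Assumptions: the class name CorsAuditFilter is mine; the package of AbstractCorsFilter is not shown on this page, so its import is a placeholder; cors.request.type has no constant on this page, so it is read by the literal attribute name given above; the attribute values are compared via String.valueOf so the code works whether the flag is stored as a Boolean or as the string "true"; and request decoration must be enabled (the default) for the attributes to exist.

```java
// Added example, not the project's own code.
// import <package>.AbstractCorsFilter;   // package name is not shown on this page

import java.io.IOException;
import java.util.logging.Logger;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;

/** Audit filter that must be ordered AFTER the CORS filter so the cors.* attributes are present. */
public class CorsAuditFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(CorsAuditFilter.class.getName());

    // Attribute names listed in the decorateCORSProperties documentation; the first three
    // have constants on this page, the request-type attribute does not.
    private static final String ATTR_IS_CORS  = AbstractCorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST;
    private static final String ATTR_ORIGIN   = AbstractCorsFilter.HTTP_REQUEST_ATTRIBUTE_ORIGIN;
    private static final String ATTR_HEADERS  = AbstractCorsFilter.HTTP_REQUEST_ATTRIBUTE_REQUEST_HEADERS;
    private static final String ATTR_TYPE     = "cors.request.type";   // assumed literal, per the doc above

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            String line = auditLine((HttpServletRequest) request);
            if (line != null) {
                LOG.info(line);
            }
        }
        chain.doFilter(request, response);
    }

    /**
     * Builds the audit line for a decorated CORS request, or returns null when the request
     * was not flagged as CORS (either a same-origin request or decoration is disabled).
     */
    static String auditLine(HttpServletRequest http) {
        // String.valueOf handles both Boolean.TRUE and the string "true".
        if (!"true".equals(String.valueOf(http.getAttribute(ATTR_IS_CORS)))) {
            return null;
        }
        String origin  = String.valueOf(http.getAttribute(ATTR_ORIGIN));
        String type    = String.valueOf(http.getAttribute(ATTR_TYPE));      // simple / preflight / invalid_cors
        Object headers = http.getAttribute(ATTR_HEADERS);                  // only set for pre-flight requests

        StringBuilder sb = new StringBuilder("cors-request")
                .append(" type=").append(type)
                .append(" origin=").append(origin)
                .append(" method=").append(http.getMethod())
                .append(" uri=").append(http.getRequestURI());
        if (headers != null) {
            sb.append(" requested-headers=").append(headers);
        }
        return sb.toString();
    }

    @Override public void init(jakarta.servlet.FilterConfig config) { }
    @Override public void destroy() { }
}
```

An invalid_cors entry in this log is worth alerting on: it means a request carried an Origin header that failed isValidOrigin (an encoded character or a malformed URI), which a normal browser does not send.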
      • join

        protected static String join​(Collection<String> elements,
                                     String joinSeparator)
        Joins the elements of a Set into a string, with each element separated by the provided separator.
        Parameters:
        elements - The Set containing the elements to join together.
        joinSeparator - The separator to place between elements.
        Returns:
        The joined String; null if the elements Set is null.
      • checkRequestType

        protected AbstractCorsFilter.CORSRequestType checkRequestType​(jakarta.servlet.http.HttpServletRequest request)
        Determines the request type.
        Parameters:
        request - The HttpServletRequest object.
      • parseAndStore

        protected void parseAndStore​(String allowedOrigins,
                                     String allowedHttpMethods,
                                     String allowedHttpHeaders,
                                     String exposedHeaders,
                                     String supportsCredentials,
                                     String preflightMaxAge,
                                     String decorateRequest)
                              throws jakarta.servlet.ServletException
        Parses each param value and populates the configuration variables. If a param is provided, it overrides the default.
        Parameters:
        allowedOrigins - A String of comma-separated origins.
        allowedHttpMethods - A String of comma-separated HTTP methods.
        allowedHttpHeaders - A String of comma-separated HTTP headers.
        exposedHeaders - A String of comma-separated headers that need to be exposed.
        supportsCredentials - "true" if credential support needs to be enabled.
        preflightMaxAge - The number of seconds the user agent is allowed to cache the result of the pre-flight request.
        decorateRequest - "true" if the request should be decorated with CORS attributes.
        Throws:
        jakarta.servlet.ServletException
      • isValidOrigin

        protected static boolean isValidOrigin​(String origin)
        Checks whether a given origin is valid. Criteria:
        • If an encoded character is present in the origin, it is not valid.
        • The origin should be a valid URI.
        Parameters:
        origin - The origin string to check.
        See Also:
        RFC952
      • isAnyOriginAllowed

        public boolean isAnyOriginAllowed​(jakarta.servlet.ServletRequest servletRequest)
        Determines whether any origin is allowed to make a CORS request.
        Returns:
        true if it's enabled; false otherwise.
      • setContextClientAllowedOrigins

        protected void setContextClientAllowedOrigins​(jakarta.servlet.ServletRequest servletRequest,
                                                      Collection<String> clientAllowedOrigins)
      • getContextClientAllowedOrigins

        protected Collection<String> getContextClientAllowedOrigins​(jakarta.servlet.ServletRequest servletRequest)
      • hasContextClientAllowedOrigins

        protected boolean hasContextClientAllowedOrigins​(jakarta.servlet.ServletRequest servletRequest)
      • getExposedHeaders

        public Collection<String> getExposedHeaders()
        Returns a Set of headers that should be exposed by the browser.
      • isSupportsCredentials

        public boolean isSupportsCredentials()
        Determines whether credential support is enabled.
      • getPreflightMaxAge

        public long getPreflightMaxAge()
        Returns the preflight response cache time in seconds.
        Returns:
        Time to cache in seconds.
      • getAllowedOrigins

        public Collection<String> getAllowedOrigins()
        Returns the Set of origins that are allowed to make requests.
        Returns:
        Set
      • setAllowedOrigins

        public void setAllowedOrigins​(Collection<String> allowedOrigins)
        Sets the Set of origins that are allowed to make requests.
        Parameters:
        allowedOrigins - Set
      • getAllowedHttpMethods

        public Collection<String> getAllowedHttpMethods()
        Returns a Set of HTTP methods that are allowed to make requests.
        Returns:
        Set
      • getAllowedHttpHeaders

        public Collection<String> getAllowedHttpHeaders()
        Returns a Set of headers supported by the resource.
        Returns:
        Set