Class AbstractCorsFilter

java.lang.Object
io.jans.server.filters.AbstractCorsFilter
All Implemented Interfaces:
jakarta.servlet.Filter

public abstract class AbstractCorsFilter extends Object implements jakarta.servlet.Filter
CORS Filter to support both Tomcat and Jetty
Version:
March 22, 2018
Author:
Yuriy Movchan, Javier Rojas Blum
  • Field Details

    • RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN

      public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN
      The Access-Control-Allow-Origin header indicates whether a resource can be shared, by returning the value of the Origin request header in the response.
    • RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS

      public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS
      The Access-Control-Allow-Credentials header indicates whether the response to the request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request, it indicates that the actual request can include user credentials.
    • RESPONSE_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS

      public static final String RESPONSE_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS
      The Access-Control-Expose-Headers header indicates which headers are safe to expose to the API of a CORS API specification.
    • RESPONSE_HEADER_ACCESS_CONTROL_MAX_AGE

      public static final String RESPONSE_HEADER_ACCESS_CONTROL_MAX_AGE
      The Access-Control-Max-Age header indicates how long the results of a preflight request can be cached in a preflight result cache.
    • RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_METHODS

      public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_METHODS
      The Access-Control-Allow-Methods header indicates, as part of the response to a preflight request, which methods can be used during the actual request.
    • RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_HEADERS

      public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_HEADERS
      The Access-Control-Allow-Headers header indicates, as part of the response to a preflight request, which header field names can be used during the actual request.
    • REQUEST_HEADER_ORIGIN

      public static final String REQUEST_HEADER_ORIGIN
      The Origin header indicates where the cross-origin request or preflight request originates from.
    • REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD

      public static final String REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD
      The Access-Control-Request-Method header indicates, as part of the preflight request, which method will be used in the actual request.
    • REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS

      public static final String REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS
      The Access-Control-Request-Headers header indicates, as part of the preflight request, which headers will be used in the actual request.
    • HTTP_REQUEST_ATTRIBUTE_PREFIX

      public static final String HTTP_REQUEST_ATTRIBUTE_PREFIX
      The prefix of a CORS request attribute name.
    • HTTP_REQUEST_ATTRIBUTE_ORIGIN

      public static final String HTTP_REQUEST_ATTRIBUTE_ORIGIN
      Attribute that contains the origin of the request.
    • HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST

      public static final String HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST
      Boolean value indicating whether the request is a CORS request.
    • HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE

      public static final String HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE
      Type of CORS request, of type AbstractCorsFilter.CORSRequestType.
    • HTTP_REQUEST_ATTRIBUTE_REQUEST_HEADERS

      public static final String HTTP_REQUEST_ATTRIBUTE_REQUEST_HEADERS
      Request headers sent in the 'Access-Control-Request-Headers' header of a pre-flight request.
    • HTTP_METHODS

      public static final Collection<String> HTTP_METHODS
      Collection of HTTP methods. Case-sensitive.
    • COMPLEX_HTTP_METHODS

      public static final Collection<String> COMPLEX_HTTP_METHODS
      Collection of non-simple HTTP methods. Case-sensitive.
    • SIMPLE_HTTP_METHODS

      public static final Collection<String> SIMPLE_HTTP_METHODS
      Collection of Simple HTTP methods. Case-sensitive.
    • SIMPLE_HTTP_REQUEST_HEADERS

      public static final Collection<String> SIMPLE_HTTP_REQUEST_HEADERS
      Collection of Simple HTTP request headers. Case-insensitive.
    • SIMPLE_HTTP_RESPONSE_HEADERS

      public static final Collection<String> SIMPLE_HTTP_RESPONSE_HEADERS
      Collection of Simple HTTP response headers. Case-insensitive.
    • SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES

      public static final Collection<String> SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES
      Collection of Simple HTTP request Content-Type values. Case-insensitive.
    • DEFAULT_ALLOWED_ORIGINS

      public static final String DEFAULT_ALLOWED_ORIGINS
      By default, all origins are allowed to make requests.
    • DEFAULT_ALLOWED_HTTP_METHODS

      public static final String DEFAULT_ALLOWED_HTTP_METHODS
      By default, the following methods are supported: GET, POST, HEAD and OPTIONS.
    • DEFAULT_PREFLIGHT_MAXAGE

      public static final String DEFAULT_PREFLIGHT_MAXAGE
      By default, the pre-flight response is cached for 30 minutes.
    • DEFAULT_SUPPORTS_CREDENTIALS

      public static final String DEFAULT_SUPPORTS_CREDENTIALS
      By default, support for credentials is turned on.
    • DEFAULT_ALLOWED_HTTP_HEADERS

      public static final String DEFAULT_ALLOWED_HTTP_HEADERS
      By default, the following headers are supported: Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, and Access-Control-Request-Headers.
    • DEFAULT_EXPOSED_HEADERS

      public static final String DEFAULT_EXPOSED_HEADERS
      By default, none of the headers are exposed in the response.
    • DEFAULT_DECORATE_REQUEST

      public static final String DEFAULT_DECORATE_REQUEST
      By default, the request is decorated with CORS attributes.
    • PARAM_CORS_ENABLED

      public static final String PARAM_CORS_ENABLED
      Key to retrieve whether the filter is enabled from FilterConfig.
    • PARAM_CORS_ALLOWED_ORIGINS

      public static final String PARAM_CORS_ALLOWED_ORIGINS
      Key to retrieve allowed origins from FilterConfig.
    • PARAM_CORS_SUPPORT_CREDENTIALS

      public static final String PARAM_CORS_SUPPORT_CREDENTIALS
      Key to retrieve the support-credentials setting from FilterConfig.
    • PARAM_CORS_EXPOSED_HEADERS

      public static final String PARAM_CORS_EXPOSED_HEADERS
      Key to retrieve exposed headers from FilterConfig.
    • PARAM_CORS_ALLOWED_HEADERS

      public static final String PARAM_CORS_ALLOWED_HEADERS
      Key to retrieve allowed headers from FilterConfig.
    • PARAM_CORS_ALLOWED_METHODS

      public static final String PARAM_CORS_ALLOWED_METHODS
      Key to retrieve allowed methods from FilterConfig.
    • PARAM_CORS_PREFLIGHT_MAXAGE

      public static final String PARAM_CORS_PREFLIGHT_MAXAGE
      Key to retrieve preflight max age from FilterConfig.
    • PARAM_CORS_REQUEST_DECORATE

      public static final String PARAM_CORS_REQUEST_DECORATE
      Key to determine whether the request should be decorated.
    • PARAM_CLIENT_ALLOWED_ORIGINS

      public static final String PARAM_CLIENT_ALLOWED_ORIGINS
  • Constructor Details

    • AbstractCorsFilter

      public AbstractCorsFilter()
  • Method Details

    • doFilter

      public void doFilter(jakarta.servlet.ServletRequest servletRequest, jakarta.servlet.ServletResponse servletResponse, jakarta.servlet.FilterChain filterChain) throws IOException, jakarta.servlet.ServletException
      Specified by:
      doFilter in interface jakarta.servlet.Filter
      Throws:
      IOException
      jakarta.servlet.ServletException
    • init

      public abstract void init(jakarta.servlet.FilterConfig filterConfig) throws jakarta.servlet.ServletException
      Specified by:
      init in interface jakarta.servlet.Filter
      Throws:
      jakarta.servlet.ServletException
    • handleSimpleCORS

      protected void handleSimpleCORS(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain filterChain) throws IOException, jakarta.servlet.ServletException
      Handles a CORS request of type AbstractCorsFilter.CORSRequestType.SIMPLE.
      Parameters:
      request - The HttpServletRequest object.
      response - The HttpServletResponse object.
      filterChain - The FilterChain object.
      Throws:
      IOException
      jakarta.servlet.ServletException
    • handlePreflightCORS

      protected void handlePreflightCORS(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain filterChain) throws IOException, jakarta.servlet.ServletException
      Handles CORS pre-flight request.
      Parameters:
      request - The HttpServletRequest object.
      response - The HttpServletResponse object.
      filterChain - The FilterChain object.
      Throws:
      IOException
      jakarta.servlet.ServletException
    • destroy

      public void destroy()
      Specified by:
      destroy in interface jakarta.servlet.Filter
    • decorateCORSProperties

      protected void decorateCORSProperties(jakarta.servlet.http.HttpServletRequest request, AbstractCorsFilter.CORSRequestType corsRequestType)
      Decorates the HttpServletRequest with CORS attributes:
      • cors.isCorsRequest: Flag to determine whether the request is a CORS request. Set to true if it is a CORS request; false otherwise.
      • cors.request.origin: The Origin URL.
      • cors.request.type: Type of request. Values: simple, preflight, not_cors or invalid_cors.
      • cors.request.headers: Request headers sent in the 'Access-Control-Request-Headers' header of a pre-flight request.
      Parameters:
      request - The HttpServletRequest object.
      corsRequestType - The AbstractCorsFilter.CORSRequestType object.
    • join

      protected static String join(Collection<String> elements, String joinSeparator)
      Joins the elements of a Set into a string, where each element is separated by the provided separator.
      Parameters:
      elements - The Set containing elements to join together.
      joinSeparator - The character to be used for separating elements.
      Returns:
      The joined String; null if elements Set is null.
    • checkRequestType

      protected AbstractCorsFilter.CORSRequestType checkRequestType(jakarta.servlet.http.HttpServletRequest request)
      Determines the request type.
      Parameters:
      request -
    • parseAndStore

      protected void parseAndStore(String allowedOrigins, String allowedHttpMethods, String allowedHttpHeaders, String exposedHeaders, String supportsCredentials, String preflightMaxAge, String decorateRequest) throws jakarta.servlet.ServletException
      Parses each param-value and populates configuration variables. If a param is provided, it overrides the default.
      Parameters:
      allowedOrigins - A String of comma-separated origins.
      allowedHttpMethods - A String of comma-separated HTTP methods.
      allowedHttpHeaders - A String of comma-separated HTTP headers.
      exposedHeaders - A String of comma-separated headers that need to be exposed.
      supportsCredentials - "true" if support for credentials should be enabled.
      preflightMaxAge - The number of seconds the user agent is allowed to cache the result of the pre-flight request.
      decorateRequest - "true" if the request should be decorated with CORS attributes.
      Throws:
      jakarta.servlet.ServletException
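Because init(FilterConfig) is abstract (see the init entry above) and parseAndStore is the documented way to turn init-param strings into the filter's configuration, a subclass has to connect the two itself. The following added example shows one way to do that; it is illustrative code, not part of the Janssen project. The class name ConfiguredCorsFilter, the helper paramOr, the fallback origin list and the start-up sanity check are all my assumptions; the PARAM_* and DEFAULT_* constants are the ones documented on this page, used by name because their string values are not listed here.

```java
// Added example (not project code): wiring FilterConfig init-params into
// parseAndStore(). Class name, helper and fallback values are assumptions.
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletException;

import io.jans.server.filters.AbstractCorsFilter;

public class ConfiguredCorsFilter extends AbstractCorsFilter {

    // Explicit allow-list used when no init-param is configured (assumed value).
    // Chosen instead of DEFAULT_ALLOWED_ORIGINS, which allows every origin,
    // because DEFAULT_SUPPORTS_CREDENTIALS is on and credentialed responses
    // should only go back to origins this deployment trusts.
    private static final String FALLBACK_ALLOWED_ORIGINS =
            "https://app.example.com,https://admin.example.com";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Each PARAM_* key names an <init-param>; when present it overrides
        // the corresponding DEFAULT_* value, as parseAndStore() documents.
        String allowedOrigins  = paramOr(filterConfig, PARAM_CORS_ALLOWED_ORIGINS,     FALLBACK_ALLOWED_ORIGINS);
        String allowedMethods  = paramOr(filterConfig, PARAM_CORS_ALLOWED_METHODS,     DEFAULT_ALLOWED_HTTP_METHODS);
        String allowedHeaders  = paramOr(filterConfig, PARAM_CORS_ALLOWED_HEADERS,     DEFAULT_ALLOWED_HTTP_HEADERS);
        String exposedHeaders  = paramOr(filterConfig, PARAM_CORS_EXPOSED_HEADERS,     DEFAULT_EXPOSED_HEADERS);
        String supportsCreds   = paramOr(filterConfig, PARAM_CORS_SUPPORT_CREDENTIALS, DEFAULT_SUPPORTS_CREDENTIALS);
        String preflightMaxAge = paramOr(filterConfig, PARAM_CORS_PREFLIGHT_MAXAGE,    DEFAULT_PREFLIGHT_MAXAGE);
        String decorateRequest = paramOr(filterConfig, PARAM_CORS_REQUEST_DECORATE,    DEFAULT_DECORATE_REQUEST);

        // Added sanity check: refuse to start when the deployment explicitly
        // configures "all origins" while credentials are supported.
        if (DEFAULT_ALLOWED_ORIGINS.equals(allowedOrigins) && Boolean.parseBoolean(supportsCreds)) {
            throw new ServletException(
                    "CORS misconfiguration: all origins allowed together with credentials");
        }

        // parseAndStore() parses each value and populates the filter's state.
        parseAndStore(allowedOrigins, allowedMethods, allowedHeaders, exposedHeaders,
                supportsCreds, preflightMaxAge, decorateRequest);
    }

    // Returns the init-param value, or the fallback when it is absent or blank.
    private static String paramOr(FilterConfig cfg, String key, String fallback) {
        String value = cfg.getInitParameter(key);
        return (value == null || value.trim().isEmpty()) ? fallback : value.trim();
    }
}
```

The filter is registered like any other jakarta.servlet.Filter, with `<init-param>` names equal to the string values of the PARAM_* constants. PARAM_CORS_ENABLED is not consumed by parseAndStore and is left to the subclass; the example above does not read it.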
    • isValidOrigin

      protected static boolean isValidOrigin(String origin)
      Checks whether a given origin is valid. Criteria:
      • If an encoded character is present in the origin, it is not valid.
      • The origin should be a valid URI.
      Parameters:
      origin -
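The two criteria listed for isValidOrigin say what an acceptable Origin value looks like, and getAllowedOrigins/setAllowedOrigins describe the allow-list it is eventually compared against. The added example below is a stand-alone check that applies those criteria and then an exact-match comparison, run over a few constructed Origin values. It is not the filter's own implementation: the class OriginAllowList, the stricter structural checks (scheme and host required; no user-info, path, query or fragment) and the case-folding normalisation are my additions.

```java
// Added example (not project code): stand-alone origin validation in the
// spirit of isValidOrigin() plus exact allow-list matching. Class name and
// the extra structural checks are assumptions.
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public final class OriginAllowList {

    // Normalised scheme://host[:port] strings.
    private final Set<String> allowed = new HashSet<>();

    public OriginAllowList(Collection<String> allowedOrigins) {
        for (String o : allowedOrigins) {
            String n = normalize(o);
            if (n != null) {
                allowed.add(n);
            }
        }
    }

    /** Criterion 1 of isValidOrigin(): any percent-encoding makes the origin invalid. */
    static boolean hasEncodedCharacter(String origin) {
        return origin.indexOf('%') >= 0;
    }

    /**
     * Criterion 2 of isValidOrigin(): the value must parse as a URI. The extra
     * shape checks (added here) reflect what a browser-sent Origin looks like:
     * scheme and host only. The literal "null" fails because it has no scheme.
     */
    static boolean isWellFormedOrigin(String origin) {
        if (origin == null || origin.isEmpty() || hasEncodedCharacter(origin)) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(origin);
        } catch (URISyntaxException e) {
            return false;
        }
        return !uri.isOpaque()
                && uri.getScheme() != null
                && uri.getHost() != null
                && uri.getRawUserInfo() == null
                && (uri.getRawPath() == null || uri.getRawPath().isEmpty())
                && uri.getRawQuery() == null
                && uri.getRawFragment() == null;
    }

    /** Canonical scheme://host[:port] form, or null when the value is not a well-formed origin. */
    static String normalize(String origin) {
        if (!isWellFormedOrigin(origin)) {
            return null;
        }
        URI uri = URI.create(origin);
        String port = uri.getPort() == -1 ? "" : ":" + uri.getPort();
        return uri.getScheme().toLowerCase(Locale.ROOT) + "://"
                + uri.getHost().toLowerCase(Locale.ROOT) + port;
    }

    /** Exact match only: no prefix, suffix or substring comparison. */
    public boolean isAllowed(String requestOrigin) {
        String n = normalize(requestOrigin);
        return n != null && allowed.contains(n);
    }

    public static void main(String[] args) {
        // Constructed allow-list and constructed Origin header values.
        OriginAllowList list = new OriginAllowList(List.of("https://app.example.com"));
        String[] samples = {
                "https://app.example.com",            // allowed
                "https://APP.example.com",            // allowed after case-folding
                "https://app.example.com.other.test", // rejected: different host
                "https://app.example.com%2F",         // rejected: percent-encoded character
                "https://app.example.com/path",       // rejected: path present
                "null"                                // rejected: not a scheme://host URI
        };
        for (String s : samples) {
            System.out.println(s + " -> " + list.isAllowed(s));
        }
    }
}
```

Ports are kept as written, so "https://app.example.com" and "https://app.example.com:443" are treated as different entries; add both to the allow-list if both forms are expected from clients.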
    • isAnyOriginAllowed

      public boolean isAnyOriginAllowed(jakarta.servlet.ServletRequest servletRequest)
      Determines whether any origin is allowed to make a CORS request.
      Returns:
      true if any origin is allowed; false otherwise.
    • setContextClientAllowedOrigins

      protected void setContextClientAllowedOrigins(jakarta.servlet.ServletRequest servletRequest, Collection<String> clientAllowedOrigins)
    • getContextClientAllowedOrigins

      protected Collection<String> getContextClientAllowedOrigins(jakarta.servlet.ServletRequest servletRequest)
    • hasContextClientAllowedOrigins

      protected boolean hasContextClientAllowedOrigins(jakarta.servlet.ServletRequest servletRequest)
    • getExposedHeaders

      public Collection<String> getExposedHeaders()
      Returns a Set of headers that should be exposed by the browser.
    • isSupportsCredentials

      public boolean isSupportsCredentials()
      Determines whether support for credentials is enabled.
    • getPreflightMaxAge

      public long getPreflightMaxAge()
      Returns the preflight response cache time in seconds.
      Returns:
      Time to cache in seconds.
    • getAllowedOrigins

      public Collection<String> getAllowedOrigins()
      Returns the Set of origins that are allowed to make requests.
      Returns:
      Set
    • setAllowedOrigins

      public void setAllowedOrigins(Collection<String> allowedOrigins)
      Sets the Set of origins that are allowed to make requests.
      Parameters:
      allowedOrigins - Set
    • getAllowedHttpMethods

      public Collection<String> getAllowedHttpMethods()
      Returns the Set of HTTP methods that are allowed in requests.
      Returns:
      Set
    • getAllowedHttpHeaders

      public Collection<String> getAllowedHttpHeaders()
      Returns the Set of headers supported by the resource.
      Returns:
      Set