Package io.jans.server.filters
Class AbstractCorsFilter
- java.lang.Object
-
- io.jans.server.filters.AbstractCorsFilter
-
- All Implemented Interfaces:
jakarta.servlet.Filter
public abstract class AbstractCorsFilter extends Object implements jakarta.servlet.Filter
CORS Filter to support both Tomcat and Jetty- Version:
- March 22, 2018
- Author:
- Yuriy Movchan, Javier Rojas Blum
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description protected static class
AbstractCorsFilter.CORSRequestType
Enumerates varies types of CORS requests.
-
Field Summary
Fields Modifier and Type Field Description static Collection<String>
COMPLEX_HTTP_METHODS
Collection
of non-simple HTTP methods.static String
DEFAULT_ALLOWED_HTTP_HEADERS
By default, following headers are supported: Origin,Accept,X-Requested-With, Content-Type, Access-Control-Request-Method, and Access-Control-Request-Headers.static String
DEFAULT_ALLOWED_HTTP_METHODS
By default, following methods are supported: GET, POST, HEAD and OPTIONS.static String
DEFAULT_ALLOWED_ORIGINS
By default, all origins are allowed to make requests.static String
DEFAULT_DECORATE_REQUEST
By default, request is decorated with CORS attributes.static String
DEFAULT_EXPOSED_HEADERS
By default, none of the headers are exposed in response.static String
DEFAULT_PREFLIGHT_MAXAGE
By default, time duration to cache pre-flight response is 30 mins.static String
DEFAULT_SUPPORTS_CREDENTIALS
By default, support credentials is turned on.static Collection<String>
HTTP_METHODS
Collection
of HTTP methods.static String
HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST
Boolean value, suggesting if the request is a CORS request or not.static String
HTTP_REQUEST_ATTRIBUTE_ORIGIN
Attribute that contains the origin of the request.static String
HTTP_REQUEST_ATTRIBUTE_PREFIX
The prefix to a CORS request attribute.static String
HTTP_REQUEST_ATTRIBUTE_REQUEST_HEADERS
Request headers sent as 'Access-Control-Request-Headers' header, for pre-flight request.static String
HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE
Type of CORS request, of typeAbstractCorsFilter.CORSRequestType
.static String
PARAM_CLIENT_ALLOWED_ORIGINS
static String
PARAM_CORS_ALLOWED_HEADERS
Key to retrieve allowed headers fromFilterConfig
.static String
PARAM_CORS_ALLOWED_METHODS
Key to retrieve allowed methods fromFilterConfig
.static String
PARAM_CORS_ALLOWED_ORIGINS
Key to retrieve allowed origins fromFilterConfig
.static String
PARAM_CORS_ENABLED
Key to retrieve if filter enabled fromFilterConfig
.static String
PARAM_CORS_EXPOSED_HEADERS
Key to retrieve exposed headers fromFilterConfig
.static String
PARAM_CORS_PREFLIGHT_MAXAGE
Key to retrieve preflight max age fromFilterConfig
.static String
PARAM_CORS_REQUEST_DECORATE
Key to determine if request should be decorated.static String
PARAM_CORS_SUPPORT_CREDENTIALS
Key to retrieve support credentials fromFilterConfig
.static String
REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS
The Access-Control-Request-Headers header indicates which headers will be used in the actual request as part of the preflight request.static String
REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD
The Access-Control-Request-Method header indicates which method will be used in the actual request as part of the preflight request.static String
REQUEST_HEADER_ORIGIN
The Origin header indicates where the cross-origin request or preflight request originates from.static String
RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS
The Access-Control-Allow-Credentials header indicates whether the response to request can be exposed when the omit credentials flag is unset.static String
RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_HEADERS
The Access-Control-Allow-Headers header indicates, as part of the response to a preflight request, which header field names can be used during the actual request.static String
RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_METHODS
The Access-Control-Allow-Methods header indicates, as part of the response to a preflight request, which methods can be used during the actual request.static String
RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN
The Access-Control-Allow-Origin header indicates whether a resource can be shared based by returning the value of the Origin request header in the response.static String
RESPONSE_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS
The Access-Control-Expose-Headers header indicates which headers are safe to expose to the API of a CORS API specificationstatic String
RESPONSE_HEADER_ACCESS_CONTROL_MAX_AGE
The Access-Control-Max-Age header indicates how long the results of a preflight request can be cached in a preflight result cache.static Collection<String>
SIMPLE_HTTP_METHODS
Collection
of Simple HTTP methods.static Collection<String>
SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES
Collection
of Simple HTTP request headers.static Collection<String>
SIMPLE_HTTP_REQUEST_HEADERS
Collection
of Simple HTTP request headers.static Collection<String>
SIMPLE_HTTP_RESPONSE_HEADERS
Collection
of Simple HTTP request headers.
-
Constructor Summary
Constructors Constructor Description AbstractCorsFilter()
-
Method Summary
All Methods Static Methods Instance Methods Abstract Methods Concrete Methods Modifier and Type Method Description protected AbstractCorsFilter.CORSRequestType
checkRequestType(jakarta.servlet.http.HttpServletRequest request)
Determines the request type.protected void
decorateCORSProperties(jakarta.servlet.http.HttpServletRequest request, AbstractCorsFilter.CORSRequestType corsRequestType)
Decorates theHttpServletRequest
, with CORS attributes.void
destroy()
void
doFilter(jakarta.servlet.ServletRequest servletRequest, jakarta.servlet.ServletResponse servletResponse, jakarta.servlet.FilterChain filterChain)
Collection<String>
getAllowedHttpHeaders()
Returns aSet
of headers support by resource.Collection<String>
getAllowedHttpMethods()
Returns aSet
of HTTP methods that are allowed to make requests.Collection<String>
getAllowedOrigins()
Returns theSet
of allowed origins that are allowed to make requests.protected Collection<String>
getContextClientAllowedOrigins(jakarta.servlet.ServletRequest servletRequest)
Collection<String>
getExposedHeaders()
Returns aSet
of headers that should be exposed by browser.long
getPreflightMaxAge()
Returns the preflight response cache time in seconds.protected void
handlePreflightCORS(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain filterChain)
Handles CORS pre-flight request.protected void
handleSimpleCORS(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain filterChain)
Handles a CORS request of typeAbstractCorsFilter.CORSRequestType
.SIMPLE.protected boolean
hasContextClientAllowedOrigins(jakarta.servlet.ServletRequest servletRequest)
abstract void
init(jakarta.servlet.FilterConfig filterConfig)
boolean
isAnyOriginAllowed(jakarta.servlet.ServletRequest servletRequest)
Determines if any origin is allowed to make CORS request.boolean
isSupportsCredentials()
Determines is supports credentials is enabled.protected static boolean
isValidOrigin(String origin)
Checks if a given origin is valid or not.protected static String
join(Collection<String> elements, String joinSeparator)
Joins elements ofSet
into a string, where each element is separated by the provided separator.protected void
parseAndStore(String allowedOrigins, String allowedHttpMethods, String allowedHttpHeaders, String exposedHeaders, String supportsCredentials, String preflightMaxAge, String decorateRequest)
Parses each param-value and populates configuration variables.void
setAllowedOrigins(Collection<String> allowedOrigins)
Sets theSet
of allowed origins that are allowed to make requests.protected void
setContextClientAllowedOrigins(jakarta.servlet.ServletRequest servletRequest, Collection<String> clientAllowedOrigins)
-
-
-
Field Detail
-
RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN
public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN
The Access-Control-Allow-Origin header indicates whether a resource can be shared based by returning the value of the Origin request header in the response.- See Also:
- Constant Field Values
-
RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS
public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS
The Access-Control-Allow-Credentials header indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials.- See Also:
- Constant Field Values
-
RESPONSE_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS
public static final String RESPONSE_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS
The Access-Control-Expose-Headers header indicates which headers are safe to expose to the API of a CORS API specification- See Also:
- Constant Field Values
-
RESPONSE_HEADER_ACCESS_CONTROL_MAX_AGE
public static final String RESPONSE_HEADER_ACCESS_CONTROL_MAX_AGE
The Access-Control-Max-Age header indicates how long the results of a preflight request can be cached in a preflight result cache.- See Also:
- Constant Field Values
-
RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_METHODS
public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_METHODS
The Access-Control-Allow-Methods header indicates, as part of the response to a preflight request, which methods can be used during the actual request.- See Also:
- Constant Field Values
-
RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_HEADERS
public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_HEADERS
The Access-Control-Allow-Headers header indicates, as part of the response to a preflight request, which header field names can be used during the actual request.- See Also:
- Constant Field Values
-
REQUEST_HEADER_ORIGIN
public static final String REQUEST_HEADER_ORIGIN
The Origin header indicates where the cross-origin request or preflight request originates from.- See Also:
- Constant Field Values
-
REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD
public static final String REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD
The Access-Control-Request-Method header indicates which method will be used in the actual request as part of the preflight request.- See Also:
- Constant Field Values
-
REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS
public static final String REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS
The Access-Control-Request-Headers header indicates which headers will be used in the actual request as part of the preflight request.- See Also:
- Constant Field Values
-
HTTP_REQUEST_ATTRIBUTE_PREFIX
public static final String HTTP_REQUEST_ATTRIBUTE_PREFIX
The prefix to a CORS request attribute.- See Also:
- Constant Field Values
-
HTTP_REQUEST_ATTRIBUTE_ORIGIN
public static final String HTTP_REQUEST_ATTRIBUTE_ORIGIN
Attribute that contains the origin of the request.- See Also:
- Constant Field Values
-
HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST
public static final String HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST
Boolean value, suggesting if the request is a CORS request or not.- See Also:
- Constant Field Values
-
HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE
public static final String HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE
Type of CORS request, of typeAbstractCorsFilter.CORSRequestType
.- See Also:
- Constant Field Values
-
HTTP_REQUEST_ATTRIBUTE_REQUEST_HEADERS
public static final String HTTP_REQUEST_ATTRIBUTE_REQUEST_HEADERS
Request headers sent as 'Access-Control-Request-Headers' header, for pre-flight request.- See Also:
- Constant Field Values
-
HTTP_METHODS
public static final Collection<String> HTTP_METHODS
Collection
of HTTP methods. Case sensitive.
-
COMPLEX_HTTP_METHODS
public static final Collection<String> COMPLEX_HTTP_METHODS
Collection
of non-simple HTTP methods. Case sensitive.
-
SIMPLE_HTTP_METHODS
public static final Collection<String> SIMPLE_HTTP_METHODS
Collection
of Simple HTTP methods. Case sensitive.- See Also:
- http://www.w3.org/TR/cors/#terminology
-
SIMPLE_HTTP_REQUEST_HEADERS
public static final Collection<String> SIMPLE_HTTP_REQUEST_HEADERS
Collection
of Simple HTTP request headers. Case in-sensitive.- See Also:
- http://www.w3.org/TR/cors/#terminology
-
SIMPLE_HTTP_RESPONSE_HEADERS
public static final Collection<String> SIMPLE_HTTP_RESPONSE_HEADERS
Collection
of Simple HTTP request headers. Case in-sensitive.- See Also:
- http://www.w3.org/TR/cors/#terminology
-
SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES
public static final Collection<String> SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES
Collection
of Simple HTTP request headers. Case in-sensitive.- See Also:
- http://www.w3.org/TR/cors/#terminology
-
DEFAULT_ALLOWED_ORIGINS
public static final String DEFAULT_ALLOWED_ORIGINS
By default, all origins are allowed to make requests.- See Also:
- Constant Field Values
-
DEFAULT_ALLOWED_HTTP_METHODS
public static final String DEFAULT_ALLOWED_HTTP_METHODS
By default, following methods are supported: GET, POST, HEAD and OPTIONS.- See Also:
- Constant Field Values
-
DEFAULT_PREFLIGHT_MAXAGE
public static final String DEFAULT_PREFLIGHT_MAXAGE
By default, time duration to cache pre-flight response is 30 mins.- See Also:
- Constant Field Values
-
DEFAULT_SUPPORTS_CREDENTIALS
public static final String DEFAULT_SUPPORTS_CREDENTIALS
By default, support credentials is turned on.- See Also:
- Constant Field Values
-
DEFAULT_ALLOWED_HTTP_HEADERS
public static final String DEFAULT_ALLOWED_HTTP_HEADERS
By default, following headers are supported: Origin,Accept,X-Requested-With, Content-Type, Access-Control-Request-Method, and Access-Control-Request-Headers.- See Also:
- Constant Field Values
-
DEFAULT_EXPOSED_HEADERS
public static final String DEFAULT_EXPOSED_HEADERS
By default, none of the headers are exposed in response.- See Also:
- Constant Field Values
-
DEFAULT_DECORATE_REQUEST
public static final String DEFAULT_DECORATE_REQUEST
By default, request is decorated with CORS attributes.- See Also:
- Constant Field Values
-
PARAM_CORS_ENABLED
public static final String PARAM_CORS_ENABLED
Key to retrieve if filter enabled fromFilterConfig
.- See Also:
- Constant Field Values
-
PARAM_CORS_ALLOWED_ORIGINS
public static final String PARAM_CORS_ALLOWED_ORIGINS
Key to retrieve allowed origins fromFilterConfig
.- See Also:
- Constant Field Values
-
PARAM_CORS_SUPPORT_CREDENTIALS
public static final String PARAM_CORS_SUPPORT_CREDENTIALS
Key to retrieve support credentials fromFilterConfig
.- See Also:
- Constant Field Values
-
PARAM_CORS_EXPOSED_HEADERS
public static final String PARAM_CORS_EXPOSED_HEADERS
Key to retrieve exposed headers fromFilterConfig
.- See Also:
- Constant Field Values
-
PARAM_CORS_ALLOWED_HEADERS
public static final String PARAM_CORS_ALLOWED_HEADERS
Key to retrieve allowed headers fromFilterConfig
.- See Also:
- Constant Field Values
-
PARAM_CORS_ALLOWED_METHODS
public static final String PARAM_CORS_ALLOWED_METHODS
Key to retrieve allowed methods fromFilterConfig
.- See Also:
- Constant Field Values
-
PARAM_CORS_PREFLIGHT_MAXAGE
public static final String PARAM_CORS_PREFLIGHT_MAXAGE
Key to retrieve preflight max age fromFilterConfig
.- See Also:
- Constant Field Values
-
PARAM_CORS_REQUEST_DECORATE
public static final String PARAM_CORS_REQUEST_DECORATE
Key to determine if request should be decorated.- See Also:
- Constant Field Values
-
PARAM_CLIENT_ALLOWED_ORIGINS
public static final String PARAM_CLIENT_ALLOWED_ORIGINS
- See Also:
- Constant Field Values
-
-
Method Detail
-
doFilter
public void doFilter(jakarta.servlet.ServletRequest servletRequest, jakarta.servlet.ServletResponse servletResponse, jakarta.servlet.FilterChain filterChain) throws IOException, jakarta.servlet.ServletException
- Specified by:
doFilter
in interfacejakarta.servlet.Filter
- Throws:
IOException
jakarta.servlet.ServletException
-
init
public abstract void init(jakarta.servlet.FilterConfig filterConfig) throws jakarta.servlet.ServletException
- Specified by:
init
in interfacejakarta.servlet.Filter
- Throws:
jakarta.servlet.ServletException
-
handleSimpleCORS
protected void handleSimpleCORS(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain filterChain) throws IOException, jakarta.servlet.ServletException
Handles a CORS request of typeAbstractCorsFilter.CORSRequestType
.SIMPLE.- Parameters:
request
- TheHttpServletRequest
object.response
- TheHttpServletResponse
object.filterChain
- TheFilterChain
object.- Throws:
IOException
jakarta.servlet.ServletException
- See Also:
- Simple Cross-Origin Request, Actual Request, and Redirects
-
handlePreflightCORS
protected void handlePreflightCORS(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain filterChain) throws IOException, jakarta.servlet.ServletException
Handles CORS pre-flight request.- Parameters:
request
- TheHttpServletRequest
object.response
- TheHttpServletResponse
object.filterChain
- TheFilterChain
object.- Throws:
IOException
jakarta.servlet.ServletException
-
destroy
public void destroy()
- Specified by:
destroy
in interfacejakarta.servlet.Filter
-
decorateCORSProperties
protected void decorateCORSProperties(jakarta.servlet.http.HttpServletRequest request, AbstractCorsFilter.CORSRequestType corsRequestType)
Decorates theHttpServletRequest
, with CORS attributes.- cors.isCorsRequest: Flag to determine if request is a CORS
request. Set to
true
if CORS request;false
otherwise. - cors.request.origin: The Origin URL.
- cors.request.type: Type of request. Values:
simple
orpreflight
ornot_cors
orinvalid_cors
- cors.request.headers: Request headers sent as 'Access-Control-Request-Headers' header, for pre-flight request.
- Parameters:
request
- TheHttpServletRequest
object.corsRequestType
- TheAbstractCorsFilter.CORSRequestType
object.
- cors.isCorsRequest: Flag to determine if request is a CORS
request. Set to
-
join
protected static String join(Collection<String> elements, String joinSeparator)
Joins elements ofSet
into a string, where each element is separated by the provided separator.
-
checkRequestType
protected AbstractCorsFilter.CORSRequestType checkRequestType(jakarta.servlet.http.HttpServletRequest request)
Determines the request type.- Parameters:
request
-
-
parseAndStore
protected void parseAndStore(String allowedOrigins, String allowedHttpMethods, String allowedHttpHeaders, String exposedHeaders, String supportsCredentials, String preflightMaxAge, String decorateRequest) throws jakarta.servlet.ServletException
Parses each param-value and populates configuration variables. If a param is provided, it overrides the default.- Parameters:
allowedOrigins
- AString
of comma separated origins.allowedHttpMethods
- AString
of comma separated HTTP methods.allowedHttpHeaders
- AString
of comma separated HTTP headers.exposedHeaders
- AString
of comma separated headers that needs to be exposed.supportsCredentials
- "true" if support credentials needs to be enabled.preflightMaxAge
- The amount of seconds the user agent is allowed to cache the result of the pre-flight request.- Throws:
jakarta.servlet.ServletException
-
isValidOrigin
protected static boolean isValidOrigin(String origin)
Checks if a given origin is valid or not. Criteria:- If an encoded character is present in origin, it's not valid.
- Origin should be a valid
URI
- Parameters:
origin
-- See Also:
- RFC952
-
isAnyOriginAllowed
public boolean isAnyOriginAllowed(jakarta.servlet.ServletRequest servletRequest)
Determines if any origin is allowed to make CORS request.- Returns:
true
if it's enabled; false otherwise.
-
setContextClientAllowedOrigins
protected void setContextClientAllowedOrigins(jakarta.servlet.ServletRequest servletRequest, Collection<String> clientAllowedOrigins)
-
getContextClientAllowedOrigins
protected Collection<String> getContextClientAllowedOrigins(jakarta.servlet.ServletRequest servletRequest)
-
hasContextClientAllowedOrigins
protected boolean hasContextClientAllowedOrigins(jakarta.servlet.ServletRequest servletRequest)
-
getExposedHeaders
public Collection<String> getExposedHeaders()
Returns aSet
of headers that should be exposed by browser.
-
isSupportsCredentials
public boolean isSupportsCredentials()
Determines is supports credentials is enabled.
-
getPreflightMaxAge
public long getPreflightMaxAge()
Returns the preflight response cache time in seconds.- Returns:
- Time to cache in seconds.
-
getAllowedOrigins
public Collection<String> getAllowedOrigins()
Returns theSet
of allowed origins that are allowed to make requests.- Returns:
Set
-
setAllowedOrigins
public void setAllowedOrigins(Collection<String> allowedOrigins)
Sets theSet
of allowed origins that are allowed to make requests.- Parameters:
allowedOrigins
-Set
-
getAllowedHttpMethods
public Collection<String> getAllowedHttpMethods()
Returns aSet
of HTTP methods that are allowed to make requests.- Returns:
Set
-
getAllowedHttpHeaders
public Collection<String> getAllowedHttpHeaders()
Returns aSet
of headers support by resource.- Returns:
Set
-
-