Package org.apache.cxf.rs.security.cors

Class CrossOriginResourceSharingFilter

java.lang.Object

org.apache.cxf.rs.security.cors.CrossOriginResourceSharingFilter

All Implemented Interfaces:

jakarta.ws.rs.container.ContainerRequestFilter, jakarta.ws.rs.container.ContainerResponseFilter

@Provider
@PreMatching
@Priority(999)
public class CrossOriginResourceSharingFilter
extends Object
implements jakarta.ws.rs.container.ContainerRequestFilter, jakarta.ws.rs.container.ContainerResponseFilter

A single class that provides both an input and an output filter for CORS, following http://www.w3.org/TR/cors/. The input filter examines the input headers. If the request is valid, it stores the information in the Exchange to allow the response handler to add the appropriate headers to the response. If you need complex or subtle control of the behavior here (e.g. clearing the prefight cache) you might be better off reading the source of this class and implementing this inside your service. This class will perform preflight processing even if there is a resource method annotated to handle @OPTIONS, unless that method is annotated as follows:

Constructor Summary

Constructors

Constructor	Description
CrossOriginResourceSharingFilter()

Method Summary

Modifier and Type	Method	Description
void	filter(jakarta.ws.rs.container.ContainerRequestContext context)
void	filter(jakarta.ws.rs.container.ContainerRequestContext requestContext, jakarta.ws.rs.container.ContainerResponseContext responseContext)
List<String>	getAllowHeaders()
List<String>	getAllowOrigins()
List<String>	getExposeHeaders()
Integer	getMaxAge()
boolean	isAllowCredentials()
void	setAllowCredentials(boolean allowCredentials)	The value for the Access-Control-Allow-Credentials header.
void	setAllowHeaders(List<String> allowedHeaders)	The list of allowed headers for preflight checks.
void	setAllowOrigins(List<String> allowedOrigins)	The origin strings to allow.
void	setBlockCorsIfUnauthorized(boolean blockCorsIfUnauthorized)
void	setDefaultOptionsMethodsHandlePreflight(boolean defaultOptionsMethodsHandlePreflight)	What to do when a preflight request comes along for a resource that has a handler method for \@OPTIONS and there is no @CrossResourceSharing(localPreflight = val) annotation on the method.
void	setExposeHeaders(List<String> exposeHeaders)	A list of non-simple headers to be exposed via Access-Control-Expose-Headers.
void	setFindResourceMethod(boolean findResourceMethod)
void	setMaxAge(Integer maxAge)	The value for Access-Control-Max-Age.
void	setPreflightErrorStatus(Integer status)	Preflight error response status, default is 200.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

CrossOriginResourceSharingFilter

public CrossOriginResourceSharingFilter()

Method Details

filter

public void filter(jakarta.ws.rs.container.ContainerRequestContext context)

Specified by:

filter in interface jakarta.ws.rs.container.ContainerRequestFilter

filter

public void filter(jakarta.ws.rs.container.ContainerRequestContext requestContext,
 jakarta.ws.rs.container.ContainerResponseContext responseContext)

Specified by:

filter in interface jakarta.ws.rs.container.ContainerResponseFilter

setAllowOrigins

public void setAllowOrigins(List<String> allowedOrigins)

The origin strings to allow. An empty list allows all origins.

Parameters:

allowedOrigins - a list of case-sensitive origin strings.

getAllowOrigins

public List<String> getAllowOrigins()

Returns:

the list of allowed origins.

getAllowHeaders

public List<String> getAllowHeaders()

setAllowHeaders

public void setAllowHeaders(List<String> allowedHeaders)

The list of allowed headers for preflight checks. Section 5.2.6

Parameters:

allowedHeaders - a list of permitted headers.

getExposeHeaders

public List<String> getExposeHeaders()

getMaxAge

public Integer getMaxAge()

isAllowCredentials

public boolean isAllowCredentials()

setAllowCredentials

public void setAllowCredentials(boolean allowCredentials)

The value for the Access-Control-Allow-Credentials header. If false, no header is added. If true, the header is added with the value 'true'.

Parameters:

allowCredentials -

setExposeHeaders

public void setExposeHeaders(List<String> exposeHeaders)

A list of non-simple headers to be exposed via Access-Control-Expose-Headers.

Parameters:

exposeHeaders - the list of (case-sensitive) header names.

setMaxAge

public void setMaxAge(Integer maxAge)

The value for Access-Control-Max-Age.

Parameters:

maxAge - An integer 'delta-seconds' or null. If null, no header is added.

setPreflightErrorStatus

public void setPreflightErrorStatus(Integer status)

Preflight error response status, default is 200.

Parameters:

status - HTTP status code.

setDefaultOptionsMethodsHandlePreflight

public void setDefaultOptionsMethodsHandlePreflight(boolean defaultOptionsMethodsHandlePreflight)

What to do when a preflight request comes along for a resource that has a handler method for \@OPTIONS and there is no @CrossResourceSharing(localPreflight = val) annotation on the method. If this is true, then the filter defers to the resource class method. If this is false, then this filter performs preflight processing.

Parameters:

defaultOptionsMethodsHandlePreflight - true to defer to resource methods.

setFindResourceMethod

public void setFindResourceMethod(boolean findResourceMethod)

setBlockCorsIfUnauthorized

public void setBlockCorsIfUnauthorized(boolean blockCorsIfUnauthorized)