Find Usages Diff Raw Download HTML Widget
Start line:  
End line:  

Snippet Preview

Snippet HTML Code

Stack Overflow Questions 
1
  /*
2
   * Copyright (c) 2009-2009 Mort Bay Consulting Pty. Ltd.
3
   *
4
   * All rights reserved. This program and the accompanying materials
5
   * are made available under the terms of the Eclipse Public License v1.0
6
   * and Apache License v2.0 which accompanies this distribution.
7
   * The Eclipse Public License is available at
8
   * http://www.eclipse.org/legal/epl-v10.html
9
   * The Apache License v2.0 is available at
10
  * http://www.opensource.org/licenses/apache2.0.php
11
  *
12
  * You may elect to redistribute this code under either of these licenses.
13
  */
14
 
15
 package org.eclipse.jetty.servlets;
16
 
20
 import java.util.List;
29
 

Implementation of the cross-origin resource sharing.

A typical example is to use this filter to allow cross-domain cometd communication using the standard long polling transport instead of the JSONP transport (that is less efficient and less reactive to failures).

This filter allows the following configuration parameters:

  • allowedOrigins, a comma separated list of origins that are allowed to access the resources. Default value is *, meaning all origins
  • allowedMethods, a comma separated list of HTTP methods that are allowed to be used when accessing the resources. Default value is GET,POST
  • allowedHeaders, a comma separated list of HTTP headers that are allowed to be specified when accessing the resources. Default value is X-Requested-With
  • preflightMaxAge, the number of seconds that preflight requests can be cached by the client. Default value is 1800 seconds, or 30 minutes
  • allowCredentials, a boolean indicating if the resource allows requests with credentials. Default value is false

A typical configuration could be: 

 <web-app ...>
     ...
     <filter>
         <filter-name>cross-origin</filter-name>
         <filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
     </filter>
     <filter-mapping>
         <filter-name>cross-origin</filter-name>
         <url-pattern>/cometd/*</url-pattern>
     </filter-mapping>
     ...
 </web-app>

Version:
$Revision$ $Date$
74
 
75
 public class CrossOriginFilter implements Filter
76
 {
77
     private static final Logger LOG = Log.getLogger(CrossOriginFilter.class);
78
 
79
     // Request headers
80
     private static final String ORIGIN_HEADER = "Origin";
81
     private static final String ACCESS_CONTROL_REQUEST_METHOD_HEADER = "Access-Control-Request-Method";
82
     private static final String ACCESS_CONTROL_REQUEST_HEADERS_HEADER = "Access-Control-Request-Headers";
83
     // Response headers
84
     private static final String ACCESS_CONTROL_ALLOW_ORIGIN_HEADER = "Access-Control-Allow-Origin";
85
     private static final String ACCESS_CONTROL_ALLOW_METHODS_HEADER = "Access-Control-Allow-Methods";
86
     private static final String ACCESS_CONTROL_ALLOW_HEADERS_HEADER = "Access-Control-Allow-Headers";
87
     private static final String ACCESS_CONTROL_MAX_AGE_HEADER = "Access-Control-Max-Age";
88
     private static final String ACCESS_CONTROL_ALLOW_CREDENTIALS_HEADER = "Access-Control-Allow-Credentials";
89
     // Implementation constants
90
     private static final String ALLOWED_ORIGINS_PARAM = "allowedOrigins";
91
     private static final String ALLOWED_METHODS_PARAM = "allowedMethods";
92
     private static final String ALLOWED_HEADERS_PARAM = "allowedHeaders";
93
     private static final String PREFLIGHT_MAX_AGE_PARAM = "preflightMaxAge";
94
     private static final String ALLOWED_CREDENTIALS_PARAM = "allowCredentials";
95
     private static final String ANY_ORIGIN = "*";
96
     private static final List<StringSIMPLE_HTTP_METHODS = Arrays.asList("GET""POST""HEAD");
97
 
98
     private boolean anyOriginAllowed = false;
99
     private List<StringallowedOrigins = new ArrayList<String>();
100
    private List<StringallowedMethods = new ArrayList<String>();
101
    private List<StringallowedHeaders = new ArrayList<String>();
102
    private int preflightMaxAge = 0;
103
    private boolean allowCredentials = true;
105
    public void init(FilterConfig configthrows ServletException
106
    {
107
        String allowedOriginsConfig = config.getInitParameter();
108
        if (allowedOriginsConfig == nullallowedOriginsConfig = "*";
109
        String[] allowedOrigins = allowedOriginsConfig.split(",");
110
        for (String allowedOrigin : allowedOrigins)
111
        {
112
            allowedOrigin = allowedOrigin.trim();
113
            if (allowedOrigin.length() > 0)
114
            {
115
                if (.equals(allowedOrigin))
116
                {
117
                     = true;
118
                    this..clear();
119
                    break;
120
                }
121
                else
122
                {
123
                    this..add(allowedOrigin);
124
                }
125
            }
126
        }
128
        String allowedMethodsConfig = config.getInitParameter();
129
        if (allowedMethodsConfig == nullallowedMethodsConfig = "GET,POST";
130
        .addAll(Arrays.asList(allowedMethodsConfig.split(",")));
132
        String allowedHeadersConfig = config.getInitParameter();
133
        if (allowedHeadersConfig == nullallowedHeadersConfig = "X-Requested-With,Content-Type,Accept,Origin";
134
        .addAll(Arrays.asList(allowedHeadersConfig.split(",")));
136
        String preflightMaxAgeConfig = config.getInitParameter();
137
        if (preflightMaxAgeConfig == nullpreflightMaxAgeConfig = "1800"// Default is 30 minutes
138
        try
139
        {
140
             = Integer.parseInt(preflightMaxAgeConfig);
141
        }
142
        catch (NumberFormatException x)
143
        {
144
            .info("Cross-origin filter, could not parse '{}' parameter as integer: {}"preflightMaxAgeConfig);
145
        }
147
        String allowedCredentialsConfig = config.getInitParameter();
148
        if (allowedCredentialsConfig == nullallowedCredentialsConfig = "false";
149
         = Boolean.parseBoolean(allowedCredentialsConfig);
151
        .debug("Cross-origin filter configuration: " +
152
                   + " = " + allowedOriginsConfig + ", " +
153
                   + " = " + allowedMethodsConfig + ", " +
154
                   + " = " + allowedHeadersConfig + ", " +
155
                   + " = " + preflightMaxAgeConfig + ", " +
156
                   + " = " + allowedCredentialsConfig);
157
    }
159
    public void doFilter(ServletRequest requestServletResponse responseFilterChain chainthrows IOExceptionServletException
160
    {
161
        handle((HttpServletRequest)request, (HttpServletResponse)responsechain);
162
    }
164
    private void handle(HttpServletRequest requestHttpServletResponse responseFilterChain chainthrows IOExceptionServletException
165
    {
166
        String origin = request.getHeader();
167
        // Is it a cross origin request ?
168
        if (origin != null && isEnabled(request))
169
        {
170
            if (originMatches(origin))
171
            {
172
                if (isSimpleRequest(request))
173
                {
174
                    .debug("Cross-origin request to {} is a simple cross-origin request"request.getRequestURI());
175
                    handleSimpleResponse(requestresponseorigin);
176
                }
177
                else
178
                {
179
                    .debug("Cross-origin request to {} is a preflight cross-origin request"request.getRequestURI());
180
                    handlePreflightResponse(requestresponseorigin);
181
                }
182
            }
183
            else
184
            {
185
                .debug("Cross-origin request to " + request.getRequestURI() + " with origin " + origin + " does not match allowed origins " + );
186
            }
187
        }
189
        chain.doFilter(requestresponse);
190
    }
192
    protected boolean isEnabled(HttpServletRequest request)
193
    {
194
        // WebSocket clients such as Chrome 5 implement a version of the WebSocket
195
        // protocol that does not accept extra response headers on the upgrade response
196
        if ("Upgrade".equalsIgnoreCase(request.getHeader("Connection")) &&
197
            "WebSocket".equalsIgnoreCase(request.getHeader("Upgrade")))
198
        {
199
            return false;
200
        }
201
        return true;
202
    }
204
    private boolean originMatches(String origin)
205
    {
206
        if (return true;
207
        for (String allowedOrigin : )
208
        {
209
            if (allowedOrigin.equals(origin)) return true;
210
        }
211
        return false;
212
    }
214
    private boolean isSimpleRequest(HttpServletRequest request)
215
    {
216
        String method = request.getMethod();
217
        if (.contains(method))
218
        {
219
            // TODO: implement better section 6.1
220
            // Section 6.1 says that for a request to be simple, custom request headers must be simple.
221
            // Here for simplicity I just check if there is a Access-Control-Request-Method header,
222
            // which is required for preflight requests
223
            return request.getHeader() == null;
224
        }
225
        return false;
226
    }
228
    private void handleSimpleResponse(HttpServletRequest requestHttpServletResponse responseString origin)
229
    {
230
        response.setHeader(origin);
231
        if (response.setHeader("true");
232
    }
234
    private void handlePreflightResponse(HttpServletRequest requestHttpServletResponse responseString origin)
235
    {
236
        // Implementation of section 5.2
238
        // 5.2.3 and 5.2.5
239
        boolean methodAllowed = isMethodAllowed(request);
240
        if (!methodAllowedreturn;
241
        // 5.2.4 and 5.2.6
242
        boolean headersAllowed = areHeadersAllowed(request);
243
        if (!headersAllowedreturn;
244
        // 5.2.7
245
        response.setHeader(origin);
246
        if (response.setHeader("true");
247
        // 5.2.8
248
        if ( > 0) response.setHeader(, String.valueOf());
249
        // 5.2.9
251
        // 5.2.10
253
    }
255
    private boolean isMethodAllowed(HttpServletRequest request)
256
    {
257
        String accessControlRequestMethod = request.getHeader();
258
        .debug("{} is {}"accessControlRequestMethod);
259
        boolean result = false;
260
        if (accessControlRequestMethod != null)
261
        {
262
            result = .contains(accessControlRequestMethod);
263
        }
264
        .debug("Method {} is" + (result ? "" : " not") + " among allowed methods {}"accessControlRequestMethod);
265
        return result;
266
    }
268
    private boolean areHeadersAllowed(HttpServletRequest request)
269
    {
270
        String accessControlRequestHeaders = request.getHeader();
271
        .debug("{} is {}"accessControlRequestHeaders);
272
        boolean result = true;
273
        if (accessControlRequestHeaders != null)
274
        {
275
            String[] headers = accessControlRequestHeaders.split(",");
276
            for (String header : headers)
277
            {
278
                boolean headerAllowed = false;
279
                for (String allowedHeader : )
280
                {
281
                    if (header.trim().equalsIgnoreCase(allowedHeader.trim()))
282
                    {
283
                        headerAllowed = true;
284
                        break;
285
                    }
286
                }
287
                if (!headerAllowed)
288
                {
289
                    result = false;
290
                    break;
291
                }
292
            }
293
        }
294
        .debug("Headers [{}] are" + (result ? "" : " not") + " among allowed headers {}"accessControlRequestHeaders);
295
        return result;
296
    }
298
    private String commify(List<Stringstrings)
299
    {
300
        StringBuilder builder = new StringBuilder();
301
        for (int i = 0; i < strings.size(); ++i)
302
        {
303
            if (i > 0) builder.append(",");
304
            String string = strings.get(i);
305
            builder.append(string);
306
        }
307
        return builder.toString();
308
    }
310
    public void destroy()
311
    {
312
         = false;
313
        .clear();
314
        .clear();
315
        .clear();
316
         = 0;
317
         = false;
318
    }
New to GrepCode? Check out our FAQ X