Find Usages Diff Raw Download HTML Widget
Start line:  
End line:  

Snippet Preview

Snippet HTML Code

Stack Overflow Questions 
1
  /*
2
   * Copyright (c) 2009-2009 Mort Bay Consulting Pty. Ltd.
3
   *
4
   * All rights reserved. This program and the accompanying materials
5
   * are made available under the terms of the Eclipse Public License v1.0
6
   * and Apache License v2.0 which accompanies this distribution.
7
   * The Eclipse Public License is available at
8
   * http://www.eclipse.org/legal/epl-v10.html
9
   * The Apache License v2.0 is available at
10
  * http://www.opensource.org/licenses/apache2.0.php
11
  *
12
  * You may elect to redistribute this code under either of these licenses.
13
  */
14
 
15
 package org.eclipse.jetty.servlets;
16
 
21
 import java.util.List;
24
 import  javax.servlet.Filter;
25
 import  javax.servlet.FilterChain;
26
 import  javax.servlet.FilterConfig;
27
 import  javax.servlet.ServletException;
28
 import  javax.servlet.ServletRequest;
29
 import  javax.servlet.ServletResponse;
30
 import  javax.servlet.http.HttpServletRequest;
31
 import  javax.servlet.http.HttpServletResponse;
32
 

Implementation of the cross-origin resource sharing.

A typical example is to use this filter to allow cross-domain cometd communication using the standard long polling transport instead of the JSONP transport (that is less efficient and less reactive to failures).

This filter allows the following configuration parameters:

  • allowedOrigins, a comma separated list of origins that are allowed to access the resources. Default value is *, meaning all origins.
    If an allowed origin contains one or more * characters (for example http://*.domain.com), then "*" characters are converted to ".*", "." characters are escaped to "\." and the resulting allowed origin interpreted as a regular expression.
    Allowed origins can therefore be more complex expressions such as https?://*.domain.[a-z]{3} that matches http or https, multiple subdomains and any 3 letter top-level domain (.com, .net, .org, etc.).
  • allowedMethods, a comma separated list of HTTP methods that are allowed to be used when accessing the resources. Default value is GET,POST
  • allowedHeaders, a comma separated list of HTTP headers that are allowed to be specified when accessing the resources. Default value is X-Requested-With
  • preflightMaxAge, the number of seconds that preflight requests can be cached by the client. Default value is 1800 seconds, or 30 minutes
  • allowCredentials, a boolean indicating if the resource allows requests with credentials. Default value is false

A typical configuration could be: 

 <web-app ...>
     ...
     <filter>
         <filter-name>cross-origin</filter-name>
         <filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
     </filter>
     <filter-mapping>
         <filter-name>cross-origin</filter-name>
         <url-pattern>/cometd/*</url-pattern>
     </filter-mapping>
     ...
 </web-app>

Version:
$Revision$ $Date$
84
 
85
 public class CrossOriginFilter implements Filter
86
 {
87
     private static final Logger LOG = Log.getLogger(CrossOriginFilter.class);
88
 
89
     // Request headers
90
     private static final String ORIGIN_HEADER = "Origin";
91
     public static final String ACCESS_CONTROL_REQUEST_METHOD_HEADER = "Access-Control-Request-Method";
92
     public static final String ACCESS_CONTROL_REQUEST_HEADERS_HEADER = "Access-Control-Request-Headers";
93
     // Response headers
94
     public static final String ACCESS_CONTROL_ALLOW_ORIGIN_HEADER = "Access-Control-Allow-Origin";
95
     public static final String ACCESS_CONTROL_ALLOW_METHODS_HEADER = "Access-Control-Allow-Methods";
96
     public static final String ACCESS_CONTROL_ALLOW_HEADERS_HEADER = "Access-Control-Allow-Headers";
97
     public static final String ACCESS_CONTROL_MAX_AGE_HEADER = "Access-Control-Max-Age";
98
     public static final String ACCESS_CONTROL_ALLOW_CREDENTIALS_HEADER = "Access-Control-Allow-Credentials";
99
     // Implementation constants
100
    public static final String ALLOWED_ORIGINS_PARAM = "allowedOrigins";
101
    public static final String ALLOWED_METHODS_PARAM = "allowedMethods";
102
    public static final String ALLOWED_HEADERS_PARAM = "allowedHeaders";
103
    public static final String PREFLIGHT_MAX_AGE_PARAM = "preflightMaxAge";
104
    public static final String ALLOW_CREDENTIALS_PARAM = "allowCredentials";
105
    private static final String ANY_ORIGIN = "*";
106
    private static final List<StringSIMPLE_HTTP_METHODS = Arrays.asList("GET""POST""HEAD");
108
    private boolean anyOriginAllowed;
109
    private List<StringallowedOrigins = new ArrayList<String>();
110
    private List<StringallowedMethods = new ArrayList<String>();
111
    private List<StringallowedHeaders = new ArrayList<String>();
112
    private int preflightMaxAge = 0;
113
    private boolean allowCredentials;
115
    public void init(FilterConfig configthrows ServletException
116
    {
117
        String allowedOriginsConfig = config.getInitParameter();
118
        if (allowedOriginsConfig == null)
119
            allowedOriginsConfig = "*";
120
        String[] allowedOrigins = allowedOriginsConfig.split(",");
121
        for (String allowedOrigin : allowedOrigins)
122
        {
123
            allowedOrigin = allowedOrigin.trim();
124
            if (allowedOrigin.length() > 0)
125
            {
126
                if (.equals(allowedOrigin))
127
                {
128
                     = true;
129
                    this..clear();
130
                    break;
131
                }
132
                else
133
                {
134
                    this..add(allowedOrigin);
135
                }
136
            }
137
        }
139
        String allowedMethodsConfig = config.getInitParameter();
140
        if (allowedMethodsConfig == null)
141
            allowedMethodsConfig = "GET,POST,HEAD";
142
        .addAll(Arrays.asList(allowedMethodsConfig.split(",")));
144
        String allowedHeadersConfig = config.getInitParameter();
145
        if (allowedHeadersConfig == null)
146
            allowedHeadersConfig = "X-Requested-With,Content-Type,Accept,Origin";
147
        .addAll(Arrays.asList(allowedHeadersConfig.split(",")));
149
        String preflightMaxAgeConfig = config.getInitParameter();
150
        if (preflightMaxAgeConfig == null)
151
            preflightMaxAgeConfig = "1800"// Default is 30 minutes
152
        try
153
        {
154
             = Integer.parseInt(preflightMaxAgeConfig);
155
        }
156
        catch (NumberFormatException x)
157
        {
158
            .info("Cross-origin filter, could not parse '{}' parameter as integer: {}"preflightMaxAgeConfig);
159
        }
161
        String allowedCredentialsConfig = config.getInitParameter();
162
        if (allowedCredentialsConfig == null)
163
            allowedCredentialsConfig = "true";
164
         = Boolean.parseBoolean(allowedCredentialsConfig);
166
        if (.isDebugEnabled())
167
        {
168
            .debug("Cross-origin filter configuration: " +
169
                     + " = " + allowedOriginsConfig + ", " +
170
                     + " = " + allowedMethodsConfig + ", " +
171
                     + " = " + allowedHeadersConfig + ", " +
172
                     + " = " + preflightMaxAgeConfig + ", " +
173
                     + " = " + allowedCredentialsConfig);
174
        }
175
    }
177
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chainthrows IOException, ServletException
178
    {
179
        handle((HttpServletRequest)request, (HttpServletResponse)responsechain);
180
    }
182
    private void handle(HttpServletRequest request, HttpServletResponse response, FilterChain chainthrows IOException, ServletException
183
    {
184
        String origin = request.getHeader();
185
        // Is it a cross origin request ?
186
        if (origin != null && isEnabled(request))
187
        {
188
            if (originMatches(origin))
189
            {
190
                if (isSimpleRequest(request))
191
                {
192
                    .debug("Cross-origin request to {} is a simple cross-origin request"request.getRequestURI());
193
                    handleSimpleResponse(requestresponseorigin);
194
                }
195
                else if (isPreflightRequest(request))
196
                {
197
                    .debug("Cross-origin request to {} is a preflight cross-origin request"request.getRequestURI());
198
                    handlePreflightResponse(requestresponseorigin);
199
                }
200
                else
201
                {
202
                    .debug("Cross-origin request to {} is a non-simple cross-origin request"request.getRequestURI());
203
                    handleSimpleResponse(requestresponseorigin);
204
                }
205
            }
206
            else
207
            {
208
                .debug("Cross-origin request to " + request.getRequestURI() + " with origin " + origin + " does not match allowed origins " + );
209
            }
210
        }
212
        chain.doFilter(requestresponse);
213
    }
215
    protected boolean isEnabled(HttpServletRequest request)
216
    {
217
        // WebSocket clients such as Chrome 5 implement a version of the WebSocket
218
        // protocol that does not accept extra response headers on the upgrade response
219
        for (Enumeration connections = request.getHeaders("Connection"); connections.hasMoreElements();)
220
        {
221
            String connection = (String)connections.nextElement();
222
            if ("Upgrade".equalsIgnoreCase(connection))
223
            {
224
                for (Enumeration upgrades = request.getHeaders("Upgrade"); upgrades.hasMoreElements();)
225
                {
226
                    String upgrade = (String)upgrades.nextElement();
227
                    if ("WebSocket".equalsIgnoreCase(upgrade))
228
                        return false;
229
                }
230
            }
231
        }
232
        return true;
233
    }
235
    private boolean originMatches(String originList)
236
    {
237
        if ()
238
            return true;
240
        if (originList.trim().length() == 0)
241
            return false;
243
        String[] origins = originList.split(" ");
244
        for (String origin : origins)
245
        {
246
            if (origin.trim().length() == 0)
247
                continue;
249
            for (String allowedOrigin : )
250
            {
251
                if (allowedOrigin.contains("*"))
252
                {
253
                    Matcher matcher = createMatcher(origin,allowedOrigin);
254
                    if (matcher.matches())
255
                        return true;
256
                }
257
                else if (allowedOrigin.equals(origin))
258
                {
259
                    return true;
260
                }
261
            }
262
        }
263
        return false;
264
    }
266
    private Matcher createMatcher(String originString allowedOrigin)
267
    {
268
        String regex = parseAllowedWildcardOriginToRegex(allowedOrigin);
269
        Pattern pattern = Pattern.compile(regex);
270
        return pattern.matcher(origin);
271
    }
273
    private String parseAllowedWildcardOriginToRegex(String allowedOrigin)
274
    {
275
        String regex = allowedOrigin.replace(".","\\.");
276
        return regex.replace("*",".*"); // we want to be greedy here to match multiple subdomains, thus we use .*
277
    }
279
    private boolean isSimpleRequest(HttpServletRequest request)
280
    {
281
        String method = request.getMethod();
282
        if (.contains(method))
283
        {
284
            // TODO: implement better detection of simple headers
285
            // The specification says that for a request to be simple, custom request headers must be simple.
286
            // Here for simplicity I just check if there is a Access-Control-Request-Method header,
287
            // which is required for preflight requests
288
            return request.getHeader() == null;
289
        }
290
        return false;
291
    }
293
    private boolean isPreflightRequest(HttpServletRequest request)
294
    {
295
        String method = request.getMethod();
296
        if (!"OPTIONS".equalsIgnoreCase(method))
297
            return false;
298
        if (request.getHeader() == null)
299
            return false;
300
        return true;
301
    }
303
    private void handleSimpleResponse(HttpServletRequest request, HttpServletResponse responseString origin)
304
    {
305
        response.setHeader(origin);
306
        if ()
307
            response.setHeader("true");
308
    }
310
    private void handlePreflightResponse(HttpServletRequest request, HttpServletResponse responseString origin)
311
    {
312
        boolean methodAllowed = isMethodAllowed(request);
313
        if (!methodAllowed)
314
            return;
315
        boolean headersAllowed = areHeadersAllowed(request);
316
        if (!headersAllowed)
317
            return;
318
        response.setHeader(origin);
319
        if ()
320
            response.setHeader("true");
321
        if ( > 0)
322
            response.setHeader(, String.valueOf());
323
        response.setHeader(commify());
324
        response.setHeader(commify());
325
    }
327
    private boolean isMethodAllowed(HttpServletRequest request)
328
    {
329
        String accessControlRequestMethod = request.getHeader();
330
        .debug("{} is {}"accessControlRequestMethod);
331
        boolean result = false;
332
        if (accessControlRequestMethod != null)
333
            result = .contains(accessControlRequestMethod);
334
        .debug("Method {} is" + (result ? "" : " not") + " among allowed methods {}"accessControlRequestMethod);
335
        return result;
336
    }
338
    private boolean areHeadersAllowed(HttpServletRequest request)
339
    {
340
        String accessControlRequestHeaders = request.getHeader();
341
        .debug("{} is {}"accessControlRequestHeaders);
342
        boolean result = true;
343
        if (accessControlRequestHeaders != null)
344
        {
345
            String[] headers = accessControlRequestHeaders.split(",");
346
            for (String header : headers)
347
            {
348
                boolean headerAllowed = false;
349
                for (String allowedHeader : )
350
                {
351
                    if (header.trim().equalsIgnoreCase(allowedHeader.trim()))
352
                    {
353
                        headerAllowed = true;
354
                        break;
355
                    }
356
                }
357
                if (!headerAllowed)
358
                {
359
                    result = false;
360
                    break;
361
                }
362
            }
363
        }
364
        .debug("Headers [{}] are" + (result ? "" : " not") + " among allowed headers {}"accessControlRequestHeaders);
365
        return result;
366
    }
368
    private String commify(List<Stringstrings)
369
    {
370
        StringBuilder builder = new StringBuilder();
371
        for (int i = 0; i < strings.size(); ++i)
372
        {
373
            if (i > 0) builder.append(",");
374
            String string = strings.get(i);
375
            builder.append(string);
376
        }
377
        return builder.toString();
378
    }
380
    public void destroy()
381
    {
382
         = false;
383
        .clear();
384
        .clear();
385
        .clear();
386
         = 0;
387
         = false;
388
    }
New to GrepCode? Check out our FAQ X