CXF 2.5.1 introduces the initial support for the Cross-Origin Resource Sharing specification that "defines a mechanism to enable client-side cross-origin requests".

This Mozilla.org page provides a very good explanation of CORS.

Please see the package.html for a good introduction to CORS and the way it is supported in CXF JAX-RS.

Note that the CORS filter uses the JAX-RS selection algorithm to ensure that the JAX-RS resource method capable of handling the request does exist.

Maven dependencies



Here is the test code showing how CrossOriginResourceSharing annotations can be applied at the resource and individual method levels.

Note that an origin is restricted to "http://area51.mil:31415" by the 'allowOrigins' property, which may contain multiple URI values. A boolean 'allowAllOrigins' property can be used instead (to simplify the testing or when it is deemed it is secure enough within a given environment to allow for all the origins).

        allowOrigins = {
        allowCredentials = true, 
        maxAge = 1, 
        allowHeaders = {
           "X-custom-1", "X-custom-2"
        exposeHeaders = {
           "X-custom-3", "X-custom-4"
public class AnnotatedCorsServer {
    private HttpHeaders headers;

    public String simpleGet(@PathParam("echo") String echo) {
        return echo;
    public Response postSomething() {
        return Response.ok().build();

    public Response deleteSomething() {
        return Response.ok().build();

    // This method will do a preflight check itself
    public Response options() {
        String origin = headers.getRequestHeader("Origin").get(0);
        if ("http://area51.mil:3333".equals(origin)) {
            return Response.ok()
                           .header(CorsHeaderConstants.HEADER_AC_ALLOW_METHODS, "DELETE PUT")
                           .header(CorsHeaderConstants.HEADER_AC_ALLOW_CREDENTIALS, "false")
                           .header(CorsHeaderConstants.HEADER_AC_ALLOW_ORIGIN, "http://area51.mil:3333")
        } else {
            return Response.ok().build();

         allowOrigins = { "http://area51.mil:31415" }, 
         allowCredentials = true, 
         exposeHeaders = { "X-custom-3", "X-custom-4" }
    public String annotatedGet(@PathParam("echo") String echo) {
        return echo;

     * A method annotated to test preflight.
     * @param input
     * @return
    public String annotatedPut(String input) {
        return input;

The server configuration fragment:

        <bean id="cors-filter" class="org.apache.cxf.rs.security.cors.CrossOriginResourceSharingFilter"/>

	<jaxrs:server id="service" address="/rest">
			<ref bean="cors-server" />
			<ref bean="cors-filter" />

        <bean id="cors-server" scope="prototype" 
	      class="org.apache.cxf.systest.jaxrs.cors.AnnotatedCorsServer" />