Apache CXF API

org.apache.cxf.jaxrs.cors
Class CrossOriginResourceSharingFilter

java.lang.Object
  extended by org.apache.cxf.jaxrs.cors.CrossOriginResourceSharingFilter
All Implemented Interfaces:
RequestHandler, ResponseHandler

public class CrossOriginResourceSharingFilter
extends Object
implements RequestHandler, ResponseHandler

A single class that provides both an input and an output filter for CORS, following http://www.w3.org/TR/cors/. The input filter examines the request headers. If the request is valid, it stores the information in the Exchange to allow the response handler to add the appropriate headers to the response. If you need complex or subtle control of the behavior here (e.g. clearing the preflight cache) you might be better off reading the source of this and implementing this inside your service. This class will perform preflight processing even if there is a resource method annotated to handle @OPTIONS, unless that method is annotated as follows:


Constructor Summary
CrossOriginResourceSharingFilter()
           
 
Method Summary
 List<String> getAllowHeaders()
           
 List<String> getAllowOrigins()
           
 List<String> getExposeHeaders()
           
 Integer getMaxAge()
           
 javax.ws.rs.core.Response handleRequest(Message m, ClassResourceInfo resourceClass)
           
 javax.ws.rs.core.Response handleResponse(Message m, OperationResourceInfo ori, javax.ws.rs.core.Response response)
           
 boolean isAllowAnyHeaders()
           
 boolean isAllowCredentials()
           
 boolean isDefaultOptionsMethodsHandlePreflight()
           
 void setAllowAllOrigins(boolean allowAllOrigins)
          Whether to implement Access-Control-Allow-Origin: *
 void setAllowAnyHeaders(boolean allowAnyHeader)
          Completely relax the Access-Control-Request-Headers check.
 void setAllowCredentials(boolean allowCredentials)
          The value for the Access-Control-Allow-Credentials header.
 void setAllowHeaders(List<String> allowedHeaders)
          The list of allowed headers for preflight checks.
 void setAllowOrigins(List<String> allowedOrigins)
          The origin strings to allow.
 void setDefaultOptionsMethodsHandlePreflight(boolean defaultOptionsMethodsHandlePreflight)
          What to do when a preflight request comes along for a resource that has a handler method for @OPTIONS and there is no @CrossResourceSharing(localPreflight = val) annotation on the method.
 void setExposeHeaders(List<String> exposeHeaders)
          A list of non-simple headers to be exposed via Access-Control-Expose-Headers.
 void setMaxAge(Integer maxAge)
          The value for Access-Control-Max-Age.
 void setPreflightErrorStatus(Integer status)
          Preflight error response status, default is 200.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

CrossOriginResourceSharingFilter

public CrossOriginResourceSharingFilter()
Method Detail

handleRequest

public javax.ws.rs.core.Response handleRequest(Message m,
                                               ClassResourceInfo resourceClass)
Specified by:
handleRequest in interface RequestHandler

handleResponse

public javax.ws.rs.core.Response handleResponse(Message m,
                                                OperationResourceInfo ori,
                                                javax.ws.rs.core.Response response)
Specified by:
handleResponse in interface ResponseHandler

setAllowOrigins

public void setAllowOrigins(List<String> allowedOrigins)
The origin strings to allow. Call setAllowAllOrigins(boolean) to enable '*'.

Parameters:
allowedOrigins - a list of case-sensitive origin strings.

getAllowOrigins

public List<String> getAllowOrigins()

setAllowAllOrigins

public void setAllowAllOrigins(boolean allowAllOrigins)
Whether to implement Access-Control-Allow-Origin: *

Parameters:
allowAllOrigins - if true, all origins are accepted and "*" is returned in the header. Sections 5.1.1 and 5.1.2, and 5.2.1 and 5.2.2. If false, then the list of allowed origins must be

getAllowHeaders

public List<String> getAllowHeaders()

setAllowHeaders

public void setAllowHeaders(List<String> allowedHeaders)
The list of allowed headers for preflight checks. Section 5.2.6

Parameters:
allowedHeaders - a list of permitted headers.

getExposeHeaders

public List<String> getExposeHeaders()

getMaxAge

public Integer getMaxAge()

isAllowCredentials

public boolean isAllowCredentials()

setAllowCredentials

public void setAllowCredentials(boolean allowCredentials)
The value for the Access-Control-Allow-Credentials header. If false, no header is added. If true, the header is added with the value 'true'.

Parameters:
allowCredentials -

setExposeHeaders

public void setExposeHeaders(List<String> exposeHeaders)
A list of non-simple headers to be exposed via Access-Control-Expose-Headers.

Parameters:
exposeHeaders - the list of (case-sensitive) header names.

setMaxAge

public void setMaxAge(Integer maxAge)
The value for Access-Control-Max-Age.

Parameters:
maxAge - An integer 'delta-seconds' or null. If null, no header is added.

setPreflightErrorStatus

public void setPreflightErrorStatus(Integer status)
Preflight error response status, default is 200.

Parameters:
status - HTTP status code.

isDefaultOptionsMethodsHandlePreflight

public boolean isDefaultOptionsMethodsHandlePreflight()

setDefaultOptionsMethodsHandlePreflight

public void setDefaultOptionsMethodsHandlePreflight(boolean defaultOptionsMethodsHandlePreflight)
What to do when a preflight request comes along for a resource that has a handler method for @OPTIONS and there is no @CrossResourceSharing(localPreflight = val) annotation on the method. If this is true, then the filter defers to the resource class method. If this is false, then this filter performs preflight processing.

Parameters:
defaultOptionsMethodsHandlePreflight - true to defer to resource methods.

isAllowAnyHeaders

public boolean isAllowAnyHeaders()

setAllowAnyHeaders

public void setAllowAnyHeaders(boolean allowAnyHeader)
Completely relax the Access-Control-Request-Headers check. Any headers in this header will be permitted. Handy for dealing with Chrome / Firefox / Safari incompatibilities.

Parameters:
allowAnyHeader - whether to allow any header. If false, respect the allowHeaders property.
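
A restrictive configuration of this filter beside a permissive one, as an added example that is not part of the CXF documentation. It uses only the setters documented on this page; the class name `CorsFilterConfig`, the origins and the header names are placeholder assumptions, and registering the returned filter as a provider on the JAX-RS endpoint is left to the deployment.

```java
import java.util.Arrays;

import org.apache.cxf.jaxrs.cors.CrossOriginResourceSharingFilter;

/** Hypothetical helper (not CXF code) that builds two filter configurations. */
public final class CorsFilterConfig {

    private CorsFilterConfig() { }

    /** Permissive setup, shown for contrast: every origin and every request header passes. */
    public static CrossOriginResourceSharingFilter permissive() {
        CrossOriginResourceSharingFilter f = new CrossOriginResourceSharingFilter();
        f.setAllowAllOrigins(true);  // answers with Access-Control-Allow-Origin: *
        f.setAllowAnyHeaders(true);  // Access-Control-Request-Headers check fully relaxed
        return f;
    }

    /** Restrictive setup: explicit origin list, explicit headers, visible preflight failures. */
    public static CrossOriginResourceSharingFilter restricted() {
        CrossOriginResourceSharingFilter f = new CrossOriginResourceSharingFilter();

        // Origins are compared case-sensitively, so list each one exactly as the
        // browser serializes it: scheme, host and any non-default port. Placeholder values.
        f.setAllowAllOrigins(false);
        f.setAllowOrigins(Arrays.asList(
                "https://app.example.com",
                "https://admin.example.com:8443"));

        // Browsers refuse a credentialed response whose Access-Control-Allow-Origin
        // is "*", so an API that relies on cookies needs the explicit list above.
        f.setAllowCredentials(true);

        // Keep the preflight header check on and name the request headers clients may send.
        f.setAllowAnyHeaders(false);
        f.setAllowHeaders(Arrays.asList("Content-Type", "X-Requested-With"));

        // Non-simple response headers that scripts may read (placeholder name).
        f.setExposeHeaders(Arrays.asList("X-Request-Id"));

        // Browsers may cache a preflight result for 10 minutes (delta-seconds).
        f.setMaxAge(600);

        // Default error status is 200; a non-2xx status makes rejected preflights
        // stand out in access logs.
        f.setPreflightErrorStatus(403);

        // Let the filter, not unannotated @OPTIONS resource methods, answer preflights.
        f.setDefaultOptionsMethodsHandlePreflight(false);
        return f;
    }
}
```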
