Package com.thetransactioncompany.cors

Cross-Origin Resource Sharing (CORS) Filter

This package provides a Java servlet filter that implements the Cross-Origin Resource Sharing (CORS) mechanism for making cross-site HTTP requests from web browsers. The CORS W3C working draft stabilised in 2009 and as of 2010 CORS is supported by all major browsers such as Firefox, Safari, Chrome and IE.

To enable CORS for a particular HTTP resource, such as a servlet, JSP or plain HTML file, attach a CORSFilter to it via a <filter-mapping> element in the web.xml descriptor file. The default CORS filter policy is to allow any origin (including credentials). To impose a stricter access policy configure the filter using the supported <init-param> elements or a Java properties file. See the CORSFilter JavaDoc for configuration details.

The CORS Filter can be configured to tag the allowed CORS HTTP requests with HttpServletRequest.addAttribute to provide the following information to downstream handlers:

• cors.isCorsRequest {Boolean} Indicates if the HTTP request is CORS.
• cors.origin {String} the value of the "Origin" header, null if undefined.
• cors.requestType {String} If the request is CORS, indicates its type - "actual" for simple / actual or "preflight".
• cors.requestHeaders {String} if the request is CORS preflight, the value of the "Access-Control-Request-Headers" header, null if undefined.

This CORS filter version implements the W3C recommendation from 16 January 2014.

Supported CORS request types:

• Simple / actual requests
• Preflight requests

Supported CORS headers:

• Request headers:
  • Origin
  • Access-Control-Request-Method
  • Access-Control-Request-Headers
• Response headers:
  • Access-Control-Allow-Origin
  • Access-Control-Allow-Credentials
  • Access-Control-Allow-Methods
  • Access-Control-Allow-Headers
  • Access-Control-Expose-Headers
  • Access-Control-Max-Age

Package dependencies:

• com.thetransactioncompany.util provides parsing of the filter init parameters (included in the CORS filter distribution).

Class Summary

Class	Description
CORSConfiguration	The CORS filter configuration.
CORSConfigurationLoader	CORS configuration loader.
CORSFilter	Cross-Origin Resource Sharing (CORS) servlet filter.
CORSRequestHandler	Handles incoming cross-origin (CORS) requests according to the configured access policy.
CORSResponseWrapper	HTTP response wrapper that preserves the CORS response headers on ServletResponse.reset().
HeaderName	HTTP header name constants and utilities.
HeaderUtils	Header utilities.
Origin	Resource request origin (not validated), as defined in The Web Origin Concept (RFC 6454).
RequestTagger	Request tagger.
ValidatedOrigin	Validated resource request origin, as defined in The Web Origin Concept (RFC 6454).

Enum Summary

Enum	Description
CORSRequestType	Enumeration of the CORS request types.

Exception Summary

Exception	Description
CORSConfigurationException	CORS filter configuration exception, intended to report invalid init parameters at startup.
CORSException	Base Cross-Origin Resource Sharing (CORS) exception, typically thrown during processing of CORS requests.
OriginException	Origin exception.