Package org.eclipse.jetty.servlets

Class CrossOriginFilter

  • All Implemented Interfaces:
    javax.servlet.Filter
    public class CrossOriginFilter
extends Object
implements javax.servlet.Filter
    Implementation of the cross-origin resource sharing.

    A typical example is to use this filter to allow cross-domain cometd communication using the standard long polling transport instead of the JSONP transport (that is less efficient and less reactive to failures).

    This filter allows the following configuration parameters:

    allowedOrigins
    a comma separated list of origins that are allowed to access the resources. Default value is *, meaning all origins.

    If an allowed origin contains one or more * characters (for example http://*.domain.com), then "*" characters are converted to ".*", "." characters are escaped to "\." and the resulting allowed origin interpreted as a regular expression.

    Allowed origins can therefore be more complex expressions such as https?://*.domain.[a-z]{3} that matches http or https, multiple subdomains and any 3 letter top-level domain (.com, .net, .org, etc.).

    allowedTimingOrigins
    a comma separated list of origins that are allowed to time the resource. Default value is the empty string, meaning no origins.

    The check whether the timing header is set, will be performed only if the user gets general access to the resource using the allowedOrigins.

    allowedMethods
    a comma separated list of HTTP methods that are allowed to be used when accessing the resources. Default value is GET,POST,HEAD
    allowedHeaders
    a comma separated list of HTTP headers that are allowed to be specified when accessing the resources. Default value is X-Requested-With,Content-Type,Accept,Origin. If the value is a single "*", this means that any headers will be accepted.
    preflightMaxAge
    the number of seconds that preflight requests can be cached by the client. Default value is 1800 seconds, or 30 minutes
    allowCredentials
    a boolean indicating if the resource allows requests with credentials. Default value is true
    exposedHeaders
    a comma separated list of HTTP headers that are allowed to be exposed on the client. Default value is the empty list
    chainPreflight
    if true preflight requests are chained to their target resource for normal handling (as an OPTION request). Otherwise the filter will response to the preflight. Default is true.
    A typical configuration could be: 
     <web-app ...>
     ...
     <filter>
         <filter-name>cross-origin</filter-name>
         <filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
     </filter>
     <filter-mapping>
         <filter-name>cross-origin</filter-name>
         <url-pattern>/cometd/*</url-pattern>
     </filter-mapping>
     ...
 </web-app>

    • Constructor Detail

      • CrossOriginFilter

        public CrossOriginFilter()

    • Method Detail

      • init

        public void init​(javax.servlet.FilterConfig config)
          throws javax.servlet.ServletException
        Specified by:
        init in interface javax.servlet.Filter
        Throws:
        javax.servlet.ServletException

      • doFilter

        public void doFilter​(javax.servlet.ServletRequest request,
                     javax.servlet.ServletResponse response,
                     javax.servlet.FilterChain chain)
              throws IOException,
                     javax.servlet.ServletException
        Specified by:
        doFilter in interface javax.servlet.Filter
        Throws:
        IOException
        javax.servlet.ServletException

      • isEnabled

        protected boolean isEnabled​(javax.servlet.http.HttpServletRequest request)

      • destroy

        public void destroy()
        Specified by:
        destroy in interface javax.servlet.Filter