public class CorsFilter extends Object implements Filter
A Filter that enables client-side cross-origin requests by implementing W3C's CORS (Cross-Origin Resource Sharing) specification for resources. Each HttpServletRequest request is inspected as per the specification, and appropriate response headers are added to HttpServletResponse.
 
By default, it also sets the following request attributes, which help to determine the nature of the request downstream.
true if a CORS request; false otherwise.

| Modifier and Type | Class and Description |
|---|---|
| protected static class | `CorsFilter.CORSRequestType` Enumerates various types of CORS requests. |

| Modifier and Type | Field and Description |
|---|---|
| static Collection<String> | `COMPLEX_HTTP_METHODS` Deprecated. Not used. Will be removed in Tomcat 9.0.x onwards. All HTTP methods not in `SIMPLE_HTTP_METHODS` are assumed to be non-simple. |
| static String | `DEFAULT_ALLOWED_HTTP_HEADERS` By default, the following headers are supported: Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, and Access-Control-Request-Headers. |
| static String | `DEFAULT_ALLOWED_HTTP_METHODS` By default, the following methods are supported: GET, POST, HEAD and OPTIONS. |
| static String | `DEFAULT_ALLOWED_ORIGINS` By default, no origins are allowed to make requests. |
| static String | `DEFAULT_DECORATE_REQUEST` By default, the request is decorated with CORS attributes. |
| static String | `DEFAULT_EXPOSED_HEADERS` By default, none of the headers are exposed in the response. |
| static String | `DEFAULT_PREFLIGHT_MAXAGE` By default, the time duration to cache the pre-flight response is 30 mins. |
| static String | `DEFAULT_SUPPORTS_CREDENTIALS` By default, support credentials is disabled. |
| static Collection<String> | `HTTP_METHODS` Deprecated. Not used. Will be removed in Tomcat 9.0.x onwards. |
| static String | `HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST` Boolean value, suggesting if the request is a CORS request or not. |
| static String | `HTTP_REQUEST_ATTRIBUTE_ORIGIN` Attribute that contains the origin of the request. |
| static String | `HTTP_REQUEST_ATTRIBUTE_PREFIX` The prefix to a CORS request attribute. |
| static String | `HTTP_REQUEST_ATTRIBUTE_REQUEST_HEADERS` Request headers sent as 'Access-Control-Request-Headers' header, for pre-flight request. |
| static String | `HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE` Type of CORS request, of type `CorsFilter.CORSRequestType`. |
| static String | `PARAM_CORS_ALLOWED_HEADERS` Key to retrieve allowed headers from `FilterConfig`. |
| static String | `PARAM_CORS_ALLOWED_METHODS` Key to retrieve allowed methods from `FilterConfig`. |
| static String | `PARAM_CORS_ALLOWED_ORIGINS` Key to retrieve allowed origins from `FilterConfig`. |
| static String | `PARAM_CORS_EXPOSED_HEADERS` Key to retrieve exposed headers from `FilterConfig`. |
| static String | `PARAM_CORS_PREFLIGHT_MAXAGE` Key to retrieve preflight max age from `FilterConfig`. |
| static String | `PARAM_CORS_REQUEST_DECORATE` Key to determine if request should be decorated. |
| static String | `PARAM_CORS_SUPPORT_CREDENTIALS` Key to retrieve support credentials from `FilterConfig`. |
| static String | `REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS` The Access-Control-Request-Headers header indicates which headers will be used in the actual request as part of the preflight request. |
| static String | `REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD` The Access-Control-Request-Method header indicates which method will be used in the actual request as part of the preflight request. |
| static String | `REQUEST_HEADER_ORIGIN` The Origin header indicates where the cross-origin request or preflight request originates from. |
| static String | `REQUEST_HEADER_VARY` Deprecated. Unused. Will be removed in Tomcat 10. |
| static String | `RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS` The Access-Control-Allow-Credentials header indicates whether the response to request can be exposed when the omit credentials flag is unset. |
| static String | `RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_HEADERS` The Access-Control-Allow-Headers header indicates, as part of the response to a preflight request, which header field names can be used during the actual request. |
| static String | `RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_METHODS` The Access-Control-Allow-Methods header indicates, as part of the response to a preflight request, which methods can be used during the actual request. |
| static String | `RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN` The Access-Control-Allow-Origin header indicates whether a resource can be shared, by returning the value of the Origin request header in the response. |
| static String | `RESPONSE_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS` The Access-Control-Expose-Headers header indicates which headers are safe to expose to the API of a CORS API specification. |
| static String | `RESPONSE_HEADER_ACCESS_CONTROL_MAX_AGE` The Access-Control-Max-Age header indicates how long the results of a preflight request can be cached in a preflight result cache. |
| static Collection<String> | `SIMPLE_HTTP_METHODS` Collection of Simple HTTP methods. |
| static Collection<String> | `SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES` Collection of media type values for the Content-Type header that will be treated as 'simple'. |
| static Collection<String> | `SIMPLE_HTTP_REQUEST_HEADERS` Collection of Simple HTTP request headers. |
| static Collection<String> | `SIMPLE_HTTP_RESPONSE_HEADERS` Collection of Simple HTTP response headers. |

| Constructor and Description |
|---|
| `CorsFilter()` |

| Modifier and Type | Method and Description |
|---|---|
| protected CorsFilter.CORSRequestType | `checkRequestType(HttpServletRequest request)` Determines the request type. |
| protected static void | `decorateCORSProperties(HttpServletRequest request, CorsFilter.CORSRequestType corsRequestType)` Decorates the `HttpServletRequest`, with CORS attributes. |
| void | `destroy()` Called by the web container to indicate to a filter that it is being taken out of service. |
| void | `doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)` The `doFilter` method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain. |
| Collection<String> | `getAllowedHttpHeaders()` Returns a `Set` of headers supported by the resource. |
| Collection<String> | `getAllowedHttpMethods()` Returns a `Set` of HTTP methods that are allowed to make requests. |
| Collection<String> | `getAllowedOrigins()` Returns the `Set` of allowed origins that are allowed to make requests. |
| Collection<String> | `getExposedHeaders()` Returns a `Set` of headers that should be exposed by the browser. |
| long | `getPreflightMaxAge()` Returns the preflight response cache time in seconds. |
| protected void | `handlePreflightCORS(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)` Handles CORS pre-flight request. |
| protected void | `handleSimpleCORS(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)` Handles a CORS request of type `CorsFilter.CORSRequestType.SIMPLE`. |
| void | `init(FilterConfig filterConfig)` Called by the web container to indicate to a filter that it is being placed into service. |
| boolean | `isAnyOriginAllowed()` Determines if any origin is allowed to make CORS request. |
| boolean | `isSupportsCredentials()` Determines if supports credentials is enabled. |
| protected static boolean | `isValidOrigin(String origin)` Deprecated. This will be removed in Tomcat 10. Use `RequestUtil.isValidOrigin(String)` |
| protected static String | `join(Collection<String> elements, String joinSeparator)` Joins elements of `Set` into a string, where each element is separated by the provided separator. |
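
The class description says the filter decorates each request with CORS attributes for use downstream. The following is an added example, not code from Tomcat or its documentation, of a downstream filter that reads those attributes through the constants listed above. The class name `CorsAuditFilter`, the policy of refusing cross-origin requests on the URL patterns it is mapped to, and the `javax.servlet` namespace are assumptions.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.filters.CorsFilter;

/** Hypothetical filter (not part of Tomcat). Map it after CorsFilter, on the
 *  URL patterns that must stay same-origin; the container does the path matching. */
public class CorsAuditFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(CorsAuditFilter.class.getName());

    @Override
    public void init(FilterConfig filterConfig) throws ServletException { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Present only when request decoration is enabled (the default); if it is
        // switched off this filter sees no attribute and lets the request through.
        Object isCors = req.getAttribute(CorsFilter.HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST);
        if (Boolean.TRUE.equals(isCors)
                && req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            String origin = clean(req.getAttribute(CorsFilter.HTTP_REQUEST_ATTRIBUTE_ORIGIN));
            String type = clean(req.getAttribute(CorsFilter.HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE));
            String uri = clean(((HttpServletRequest) req).getRequestURI());
            LOG.warning("Refused CORS request type=" + type + " origin=" + origin + " uri=" + uri);
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return; // do not pass the request on to the protected resource
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }

    /** Replaces control characters so header-derived values cannot forge log lines. */
    private static String clean(Object value) {
        return value == null ? "-" : value.toString().replaceAll("\\p{Cntrl}", "_");
    }
}
```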
public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN
public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS
public static final String RESPONSE_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS
public static final String RESPONSE_HEADER_ACCESS_CONTROL_MAX_AGE
public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_METHODS
public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_HEADERS
@Deprecated public static final String REQUEST_HEADER_VARY
public static final String REQUEST_HEADER_ORIGIN
public static final String REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD
public static final String REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS
public static final String HTTP_REQUEST_ATTRIBUTE_PREFIX
public static final String HTTP_REQUEST_ATTRIBUTE_ORIGIN
public static final String HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST
public static final String HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE
Type of CORS request, of type CorsFilter.CORSRequestType.

public static final String HTTP_REQUEST_ATTRIBUTE_REQUEST_HEADERS

@Deprecated public static final Collection<String> HTTP_METHODS
Collection of HTTP methods. Case sensitive.

@Deprecated public static final Collection<String> COMPLEX_HTTP_METHODS
All HTTP methods not in SIMPLE_HTTP_METHODS are assumed to be non-simple.
Collection of non-simple HTTP methods. Case sensitive.

public static final Collection<String> SIMPLE_HTTP_METHODS
Collection of Simple HTTP methods. Case sensitive.

public static final Collection<String> SIMPLE_HTTP_REQUEST_HEADERS
Collection of Simple HTTP request headers. Case insensitive.

public static final Collection<String> SIMPLE_HTTP_RESPONSE_HEADERS
Collection of Simple HTTP response headers. Case insensitive.

public static final Collection<String> SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES
Collection of media type values for the Content-Type header that will be treated as 'simple'. Note media-type values are compared ignoring parameters and in a case-insensitive manner.

public static final String DEFAULT_ALLOWED_ORIGINS
public static final String DEFAULT_ALLOWED_HTTP_METHODS
public static final String DEFAULT_PREFLIGHT_MAXAGE
public static final String DEFAULT_SUPPORTS_CREDENTIALS
public static final String DEFAULT_ALLOWED_HTTP_HEADERS
public static final String DEFAULT_EXPOSED_HEADERS
public static final String DEFAULT_DECORATE_REQUEST

public static final String PARAM_CORS_ALLOWED_ORIGINS
Key to retrieve allowed origins from FilterConfig.

public static final String PARAM_CORS_SUPPORT_CREDENTIALS
Key to retrieve support credentials from FilterConfig.

public static final String PARAM_CORS_EXPOSED_HEADERS
Key to retrieve exposed headers from FilterConfig.

public static final String PARAM_CORS_ALLOWED_HEADERS
Key to retrieve allowed headers from FilterConfig.

public static final String PARAM_CORS_ALLOWED_METHODS
Key to retrieve allowed methods from FilterConfig.

public static final String PARAM_CORS_PREFLIGHT_MAXAGE
Key to retrieve preflight max age from FilterConfig.

public static final String PARAM_CORS_REQUEST_DECORATE

public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException
Description copied from interface: Filter
The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain. The FilterChain passed in to this method allows the Filter to pass on the request and response to the next entity in the chain.

A typical implementation of this method would follow the following pattern:
1. Examine the request
2. Optionally wrap the request object with a custom implementation to filter content or headers for input filtering
3. Optionally wrap the response object with a custom implementation to filter content or headers for output filtering
4. a) Either invoke the next entity in the chain using the FilterChain object (chain.doFilter()),
4. b) or not pass on the request/response pair to the next entity in the filter chain to block the request processing
5. Directly set headers on the response after invocation of the next entity in the filter chain.

Specified by: doFilter in interface Filter
Parameters:
servletRequest - The request to process
servletResponse - The response associated with the request
filterChain - Provides access to the next filter in the chain for this filter to pass the request and response to for further processing
Throws:
IOException - if an I/O error occurs during this filter's processing of the request
ServletException - if the processing fails for any other reason

public void init(FilterConfig filterConfig) throws ServletException
Description copied from interface: Filter
Called by the web container to indicate to a filter that it is being placed into service.
The web container cannot place the filter into service if the init method either:
Specified by: init in interface Filter
Parameters:
filterConfig - The configuration information associated with the filter instance being initialised
Throws:
ServletException - if the initialisation fails

protected void handleSimpleCORS(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException
Handles a CORS request of type CorsFilter.CORSRequestType.SIMPLE.
Parameters:
request - The HttpServletRequest object.
response - The HttpServletResponse object.
filterChain - The FilterChain object.
Throws:
IOException
ServletException

protected void handlePreflightCORS(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException
Parameters:
request - The HttpServletRequest object.
response - The HttpServletResponse object.
filterChain - The FilterChain object.
Throws:
IOException
ServletException

public void destroy()
Description copied from interface: Filter
Called by the web container to indicate to a filter that it is being taken out of service.

protected static void decorateCORSProperties(HttpServletRequest request, CorsFilter.CORSRequestType corsRequestType)
Decorates the HttpServletRequest, with CORS attributes.
true if CORS request; false otherwise.
simple or preflight or not_cors or invalid_cors
Parameters:
request - The HttpServletRequest object.
corsRequestType - The CorsFilter.CORSRequestType object.

protected static String join(Collection<String> elements, String joinSeparator)
Joins elements of Set into a string, where each element is separated by the provided separator.

protected CorsFilter.CORSRequestType checkRequestType(HttpServletRequest request)
Parameters:
request -

@Deprecated protected static boolean isValidOrigin(String origin)
Deprecated. This will be removed in Tomcat 10. Use RequestUtil.isValidOrigin(String)
Parameters:
origin -

public boolean isAnyOriginAllowed()
Returns: true if it's enabled; false otherwise.

public Collection<String> getExposedHeaders()
Returns a Set of headers that should be exposed by the browser.

public boolean isSupportsCredentials()

public long getPreflightMaxAge()

public Collection<String> getAllowedOrigins()
Returns the Set of allowed origins that are allowed to make requests.
Returns: Set

public Collection<String> getAllowedHttpMethods()
Returns a Set of HTTP methods that are allowed to make requests.
Returns: Set

public Collection<String> getAllowedHttpHeaders()
Returns a Set of headers supported by the resource.
Returns: Set

Copyright © 2000-2020 Apache Software Foundation. All Rights Reserved.