Package org.restlet.engine.application

Class CorsFilter

java.lang.Object
org.restlet.Restlet
org.restlet.routing.Filter
org.restlet.engine.application.CorsFilter
All Implemented Interfaces:
Uniform
public class CorsFilter extends Filter
Filter that helps support CORS requests. This filter lets the target resources specify the allowed methods. Example: 
 Router router = new Router(getContext());
 
 CorsFilter corsFilter = new CorsFilter(getContext(), router);
 corsFilter.setAllowedOrigins(new HashSet(Arrays.asList("http://server.com")));
 corsFilter.setAllowedCredentials(true);
Author:
Manuel Boillod

  • Field Details

    • allowAllRequestedHeaders

      public boolean allowAllRequestedHeaders
      If true, copies the value of 'Access-Control-Request-Headers' request header into the 'Access-Control-Allow-Headers' response header. If false, use allowedHeaders. Default is true.

  • Constructor Details

    • CorsFilter

      public CorsFilter()
      Constructor.

    • CorsFilter

      public CorsFilter(Context context)
      Constructor.
      Parameters:
      context - The context.

    • CorsFilter

      public CorsFilter(Context context, Restlet next)
      Constructor.
      Parameters:
      context - The context.
      next - The next Restlet.

  • Method Details

    • afterHandle

      protected void afterHandle(Request request, Response response)
      Add CORS headers to response
      Overrides:
      afterHandle in class Filter
      Parameters:
      request - The request to handle.
      response - The response

    • beforeHandle

      protected int beforeHandle(Request request, Response response)
      Skip the call to the server resource if the skippingResourceForCorsOptions is true and if the current request use the OPTIONS method and is a CORS request.
      Overrides:
      beforeHandle in class Filter
      Parameters:
      request - The request to handle.
      response - The response to update.
      Returns:
      The continuation status. Either Filter.CONTINUE or Filter.SKIP or Filter.STOP.

    • getAllowedHeaders

      public Set<String> getAllowedHeaders()
      Returns the modifiable set of headers allowed by the actual request on the current resource.
      Note that when used with HTTP connectors, this property maps to the "Access-Control-Allow-Headers" header.
      Returns:
      The set of headers allowed by the actual request on the current resource.

    • getAllowedOrigins

      public Set<String> getAllowedOrigins()
      Returns the URI an origin server allows for the requested resource. Use "*" as a wildcard character.
      Note that when used with HTTP connectors, this property maps to the "Access-Control-Allow-Origin" header.
      Returns:
      The origin allowed by the requested resource.

    • getCorsResponseHelper

      protected CorsResponseHelper getCorsResponseHelper()
      Returns a lazy-initialized instance of CorsResponseHelper.

    • getDefaultAllowedMethods

      public Set<Method> getDefaultAllowedMethods()
      Returns the list of methods allowed by default, used when skippingResourceForCorsOptions is turned on.
      Returns:
      The list of methods allowed by default, used when skippingResourceForCorsOptions is turned on.

    • getExposedHeaders

      public Set<String> getExposedHeaders()
      Returns a modifiable whitelist of headers an origin server allows for the requested resource.
      Note that when used with HTTP connectors, this property maps to the "Access-Control-Expose-Headers" header.
      Returns:
      The set of headers an origin server allows for the requested resource.

    • getMaxAge

      public int getMaxAge()
      Indicates how long (in seconds) the results of a preflight request can be cached in a preflight result cache.
      In case of a negative value, the results of a preflight request is not meant to be cached.
      Note that when used with HTTP connectors, this property maps to the "Access-Control-Max-Age" header.
      Returns:
      Indicates how long the results of a preflight request can be cached in a preflight result cache.

    • isAllowAllRequestedHeaders

      public boolean isAllowAllRequestedHeaders()
      If true, indicates that the value of 'Access-Control-Request-Headers' request header will be copied into the 'Access-Control-Allow-Headers' response header. If false, use allowedHeaders.

    • isAllowedCredentials

      public boolean isAllowedCredentials()
      If true, adds 'Access-Control-Allow-Credentials' header.
      Returns:
      True, if the 'Access-Control-Allow-Credentials' header will be added.

    • isSkippingResourceForCorsOptions

      public boolean isSkippingResourceForCorsOptions()
      If true, the filter does not call the server resource for OPTIONS method of CORS request and set Access-Control-Allow-Methods header with defaultAllowedMethods. Default is false.
      Returns:
      True if the filter does not call the server resource for OPTIONS method of CORS request.

    • setAllowedCredentials

      public CorsFilter setAllowedCredentials(boolean allowedCredentials)
      If true, adds 'Access-Control-Allow-Credentials' header.
      Parameters:
      allowedCredentials - True to add the 'Access-Control-Allow-Credentials' header.
      Returns:
      Itself for chaining methods calls.

    • setAllowedHeaders

      public CorsFilter setAllowedHeaders(Set<String> allowedHeaders)
      Sets the value of the 'Access-Control-Allow-Headers' response header. Used only if allowAllRequestedHeaders is false.
      Parameters:
      allowedHeaders - The value of 'Access-Control-Allow-Headers' response header.
      Returns:
      Itself for chaining methods calls.

    • setAllowedOrigins

      public CorsFilter setAllowedOrigins(Set<String> allowedOrigins)
      Sets the value of 'Access-Control-Allow-Origin' header.
      Parameters:
      allowedOrigins - The value of 'Access-Control-Allow-Origin' header.
      Returns:
      Itself for chaining methods calls.

    • setAllowingAllRequestedHeaders

      public CorsFilter setAllowingAllRequestedHeaders(boolean allowingAllRequestedHeaders)
      If true, copies the value of 'Access-Control-Request-Headers' request header into the 'Access-Control-Allow-Headers' response header. If false, use allowedHeaders.
      Parameters:
      allowingAllRequestedHeaders - True to copy the value of 'Access-Control-Request-Headers' request header into the 'Access-Control-Allow-Headers' response header. If false, use allowedHeaders.
      Returns:
      Itself for chaining methods calls.

    • setDefaultAllowedMethods

      public CorsFilter setDefaultAllowedMethods(Set<Method> defaultAllowedMethods)
      Sets the list of methods allowed by default, used when skippingResourceForCorsOptions is turned on.
      Parameters:
      defaultAllowedMethods - The list of methods allowed by default, used when skippingResourceForCorsOptions is turned on.
      Returns:
      Itself for chaining methods calls.

    • setExposedHeaders

      public CorsFilter setExposedHeaders(Set<String> exposedHeaders)
      Sets the value of 'Access-Control-Expose-Headers' response header.
      Parameters:
      exposedHeaders - The value of 'Access-Control-Expose-Headers' response header.
      Returns:
      Itself for chaining methods calls.

    • setMaxAge

      public CorsFilter setMaxAge(int maxAge)
      Sets the value of 'Access-Control-Max-Age' response header.
      In case of negative value, the header is not set.
      Parameters:
      maxAge - The value of 'Access-Control-Max-Age' response header.

    • setSkippingResourceForCorsOptions

      public CorsFilter setSkippingResourceForCorsOptions(boolean skipResourceForCorsOptions)
      Sets the value of skipResourceForCorsOptions field.
      Parameters:
      skipResourceForCorsOptions - True if the filter does not call the server resource for OPTIONS method of CORS request.
      Returns:
      Itself for chaining methods calls.