net.gplatform.sudoor.server.cors

类 CorsFilter

java.lang.Object

net.gplatform.sudoor.server.cors.CorsFilter

所有已实现的接口:

javax.servlet.Filter

@Component
public final class CorsFilter
extends Object
implements javax.servlet.Filter

spring security headers will seprate multiple values, which will cause error in android browser with this filter we should not handle pre flight OPTION request via StopperFilter in SS any mor With @WebFilter there should be no need to register in web.xml or web-fragment.xml

作者:

Administrator

嵌套类概要

嵌套类

限定符和类型	类和说明
protected static class	CorsFilter.CORSRequestType Enumerates varies types of CORS requests.

字段概要

字段

限定符和类型	字段和说明
static Collection<String>	COMPLEX_HTTP_METHODS Collection of non-simple HTTP methods.
static String	DEFAULT_ALLOWED_HTTP_HEADERS By default, following headers are supported: Origin,Accept,X-Requested-With, Content-Type, Access-Control-Request-Method, and Access-Control-Request-Headers.
static String	DEFAULT_ALLOWED_HTTP_METHODS By default, following methods are supported: GET, POST, HEAD and OPTIONS.
static String	DEFAULT_ALLOWED_ORIGINS By default, all origins are allowed to make requests.
static String	DEFAULT_DECORATE_REQUEST By default, request is decorated with CORS attributes.
static String	DEFAULT_EXPOSED_HEADERS By default, none of the headers are exposed in response.
static String	DEFAULT_PREFLIGHT_MAXAGE By default, time duration to cache pre-flight response is 30 mins.
static String	DEFAULT_SUPPORTS_CREDENTIALS By default, support credentials is turned on.
static Collection<String>	HTTP_METHODS Collection of HTTP methods.
static String	HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST Boolean value, suggesting if the request is a CORS request or not.
static String	HTTP_REQUEST_ATTRIBUTE_ORIGIN Attribute that contains the origin of the request.
static String	HTTP_REQUEST_ATTRIBUTE_PREFIX The prefix to a CORS request attribute.
static String	HTTP_REQUEST_ATTRIBUTE_REQUEST_HEADERS Request headers sent as 'Access-Control-Request-Headers' header, for pre-flight request.
static String	HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE Type of CORS request, of type CorsFilter.CORSRequestType.
static String	PARAM_CORS_ALLOWED_HEADERS Key to retrieve allowed headers from FilterConfig.
static String	PARAM_CORS_ALLOWED_METHODS Key to retrieve allowed methods from FilterConfig.
static String	PARAM_CORS_ALLOWED_ORIGINS Key to retrieve allowed origins from FilterConfig.
static String	PARAM_CORS_EXPOSED_HEADERS Key to retrieve exposed headers from FilterConfig.
static String	PARAM_CORS_PREFLIGHT_MAXAGE Key to retrieve preflight max age from FilterConfig.
static String	PARAM_CORS_REQUEST_DECORATE Key to determine if request should be decorated.
static String	PARAM_CORS_SUPPORT_CREDENTIALS Key to retrieve support credentials from FilterConfig.
static String	REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS The Access-Control-Request-Headers header indicates which headers will be used in the actual request as part of the preflight request.
static String	REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD The Access-Control-Request-Method header indicates which method will be used in the actual request as part of the preflight request.
static String	REQUEST_HEADER_ORIGIN The Origin header indicates where the cross-origin request or preflight request originates from.
static String	RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS The Access-Control-Allow-Credentials header indicates whether the response to request can be exposed when the omit credentials flag is unset.
static String	RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_HEADERS The Access-Control-Allow-Headers header indicates, as part of the response to a preflight request, which header field names can be used during the actual request.
static String	RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_METHODS The Access-Control-Allow-Methods header indicates, as part of the response to a preflight request, which methods can be used during the actual request.
static String	RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN The Access-Control-Allow-Origin header indicates whether a resource can be shared based by returning the value of the Origin request header in the response.
static String	RESPONSE_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS The Access-Control-Expose-Headers header indicates which headers are safe to expose to the API of a CORS API specification
static String	RESPONSE_HEADER_ACCESS_CONTROL_MAX_AGE The Access-Control-Max-Age header indicates how long the results of a preflight request can be cached in a preflight result cache.
static Collection<String>	SIMPLE_HTTP_METHODS Collection of Simple HTTP methods.
static Collection<String>	SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES Collection of Simple HTTP request headers.
static Collection<String>	SIMPLE_HTTP_REQUEST_HEADERS Collection of Simple HTTP request headers.
static Collection<String>	SIMPLE_HTTP_RESPONSE_HEADERS Collection of Simple HTTP request headers.

构造器概要

构造器

构造器和说明
CorsFilter()

方法概要

方法

限定符和类型	方法和说明
protected CorsFilter.CORSRequestType	checkRequestType(javax.servlet.http.HttpServletRequest request) Determines the request type.
protected static void	decorateCORSProperties(javax.servlet.http.HttpServletRequest request, CorsFilter.CORSRequestType corsRequestType) Decorates the HttpServletRequest, with CORS attributes.
void	destroy()
void	doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain filterChain)
Collection<String>	getAllowedHttpHeaders() Returns a Set of headers support by resource.
Collection<String>	getAllowedHttpMethods() Returns a Set of HTTP methods that are allowed to make requests.
Collection<String>	getAllowedOrigins() Returns the Set of allowed origins that are allowed to make requests.
Collection<String>	getExposedHeaders() Returns a Set of headers that should be exposed by browser.
long	getPreflightMaxAge() Returns the preflight response cache time in seconds.
protected void	handlePreflightCORS(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain) Handles CORS pre-flight request.
protected void	handleSimpleCORS(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain) Handles a CORS request of type CorsFilter.CORSRequestType.SIMPLE.
void	init(javax.servlet.FilterConfig filterConfig)
boolean	isAnyOriginAllowed() Determines if any origin is allowed to make CORS request.
boolean	isSupportsCredentials() Determines is supports credentials is enabled.
protected static boolean	isValidOrigin(String origin) Checks if a given origin is valid or not.
protected static String	join(Collection<String> elements, String joinSeparator) Joins elements of Set into a string, where each element is separated by the provided separator.

从类继承的方法 java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

字段详细资料

RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN

public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN

The Access-Control-Allow-Origin header indicates whether a resource can be shared based by returning the value of the Origin request header in the response.

另请参阅:

常量字段值

RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS

public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS

The Access-Control-Allow-Credentials header indicates whether the response to request can be exposed when the omit credentials flag is unset. When part of the response to a preflight request it indicates that the actual request can include user credentials.

另请参阅:

常量字段值

RESPONSE_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS

public static final String RESPONSE_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS

The Access-Control-Expose-Headers header indicates which headers are safe to expose to the API of a CORS API specification

另请参阅:

常量字段值

RESPONSE_HEADER_ACCESS_CONTROL_MAX_AGE

public static final String RESPONSE_HEADER_ACCESS_CONTROL_MAX_AGE

The Access-Control-Max-Age header indicates how long the results of a preflight request can be cached in a preflight result cache.

另请参阅:

常量字段值

RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_METHODS

public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_METHODS

The Access-Control-Allow-Methods header indicates, as part of the response to a preflight request, which methods can be used during the actual request.

另请参阅:

常量字段值

RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_HEADERS

public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_HEADERS

The Access-Control-Allow-Headers header indicates, as part of the response to a preflight request, which header field names can be used during the actual request.

另请参阅:

常量字段值

REQUEST_HEADER_ORIGIN

public static final String REQUEST_HEADER_ORIGIN

The Origin header indicates where the cross-origin request or preflight request originates from.

另请参阅:

常量字段值

REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD

public static final String REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD

The Access-Control-Request-Method header indicates which method will be used in the actual request as part of the preflight request.

另请参阅:

常量字段值

REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS

public static final String REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS

The Access-Control-Request-Headers header indicates which headers will be used in the actual request as part of the preflight request.

另请参阅:

常量字段值

HTTP_REQUEST_ATTRIBUTE_PREFIX

public static final String HTTP_REQUEST_ATTRIBUTE_PREFIX

The prefix to a CORS request attribute.

另请参阅:

常量字段值

HTTP_REQUEST_ATTRIBUTE_ORIGIN

public static final String HTTP_REQUEST_ATTRIBUTE_ORIGIN

Attribute that contains the origin of the request.

另请参阅:

常量字段值

HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST

public static final String HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST

Boolean value, suggesting if the request is a CORS request or not.

另请参阅:

常量字段值

HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE

public static final String HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE

Type of CORS request, of type CorsFilter.CORSRequestType.

另请参阅:

常量字段值

HTTP_REQUEST_ATTRIBUTE_REQUEST_HEADERS

public static final String HTTP_REQUEST_ATTRIBUTE_REQUEST_HEADERS

Request headers sent as 'Access-Control-Request-Headers' header, for pre-flight request.

另请参阅:

常量字段值

HTTP_METHODS

public static final Collection<String> HTTP_METHODS

Collection of HTTP methods. Case sensitive.

另请参阅:

http://tools.ietf.org/html/rfc2616#section-5.1.1

COMPLEX_HTTP_METHODS

public static final Collection<String> COMPLEX_HTTP_METHODS

Collection of non-simple HTTP methods. Case sensitive.

SIMPLE_HTTP_METHODS

public static final Collection<String> SIMPLE_HTTP_METHODS

Collection of Simple HTTP methods. Case sensitive.

另请参阅:

http://www.w3.org/TR/cors/#terminology

SIMPLE_HTTP_REQUEST_HEADERS

public static final Collection<String> SIMPLE_HTTP_REQUEST_HEADERS

Collection of Simple HTTP request headers. Case in-sensitive.

另请参阅:

http://www.w3.org/TR/cors/#terminology

SIMPLE_HTTP_RESPONSE_HEADERS

public static final Collection<String> SIMPLE_HTTP_RESPONSE_HEADERS

Collection of Simple HTTP request headers. Case in-sensitive.

另请参阅:

http://www.w3.org/TR/cors/#terminology

SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES

public static final Collection<String> SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES

Collection of Simple HTTP request headers. Case in-sensitive.

另请参阅:

http://www.w3.org/TR/cors/#terminology

DEFAULT_ALLOWED_ORIGINS

public static final String DEFAULT_ALLOWED_ORIGINS

By default, all origins are allowed to make requests.

另请参阅:

常量字段值

DEFAULT_ALLOWED_HTTP_METHODS

public static final String DEFAULT_ALLOWED_HTTP_METHODS

By default, following methods are supported: GET, POST, HEAD and OPTIONS.

另请参阅:

常量字段值

DEFAULT_PREFLIGHT_MAXAGE

public static final String DEFAULT_PREFLIGHT_MAXAGE

By default, time duration to cache pre-flight response is 30 mins.

另请参阅:

常量字段值

DEFAULT_SUPPORTS_CREDENTIALS

public static final String DEFAULT_SUPPORTS_CREDENTIALS

By default, support credentials is turned on.

另请参阅:

常量字段值

DEFAULT_ALLOWED_HTTP_HEADERS

public static final String DEFAULT_ALLOWED_HTTP_HEADERS

By default, following headers are supported: Origin,Accept,X-Requested-With, Content-Type, Access-Control-Request-Method, and Access-Control-Request-Headers.

另请参阅:

常量字段值

DEFAULT_EXPOSED_HEADERS

public static final String DEFAULT_EXPOSED_HEADERS

By default, none of the headers are exposed in response.

另请参阅:

常量字段值

DEFAULT_DECORATE_REQUEST

public static final String DEFAULT_DECORATE_REQUEST

By default, request is decorated with CORS attributes.

另请参阅:

常量字段值

PARAM_CORS_ALLOWED_ORIGINS

public static final String PARAM_CORS_ALLOWED_ORIGINS

Key to retrieve allowed origins from FilterConfig.

另请参阅:

常量字段值

PARAM_CORS_SUPPORT_CREDENTIALS

public static final String PARAM_CORS_SUPPORT_CREDENTIALS

Key to retrieve support credentials from FilterConfig.

另请参阅:

常量字段值

PARAM_CORS_EXPOSED_HEADERS

public static final String PARAM_CORS_EXPOSED_HEADERS

Key to retrieve exposed headers from FilterConfig.

另请参阅:

常量字段值

PARAM_CORS_ALLOWED_HEADERS

public static final String PARAM_CORS_ALLOWED_HEADERS

Key to retrieve allowed headers from FilterConfig.

另请参阅:

常量字段值

PARAM_CORS_ALLOWED_METHODS

public static final String PARAM_CORS_ALLOWED_METHODS

Key to retrieve allowed methods from FilterConfig.

另请参阅:

常量字段值

PARAM_CORS_PREFLIGHT_MAXAGE

public static final String PARAM_CORS_PREFLIGHT_MAXAGE

Key to retrieve preflight max age from FilterConfig.

另请参阅:

常量字段值

PARAM_CORS_REQUEST_DECORATE

public static final String PARAM_CORS_REQUEST_DECORATE

Key to determine if request should be decorated.

另请参阅:

常量字段值

构造器详细资料

CorsFilter

public CorsFilter()

方法详细资料

doFilter

public void doFilter(javax.servlet.ServletRequest servletRequest,
            javax.servlet.ServletResponse servletResponse,
            javax.servlet.FilterChain filterChain)
              throws IOException,
                     javax.servlet.ServletException

指定者:

doFilter 在接口中 javax.servlet.Filter

抛出:

IOException

javax.servlet.ServletException

init

public void init(javax.servlet.FilterConfig filterConfig)
          throws javax.servlet.ServletException

指定者:

init 在接口中 javax.servlet.Filter

抛出:

javax.servlet.ServletException

handleSimpleCORS

protected void handleSimpleCORS(javax.servlet.http.HttpServletRequest request,
                    javax.servlet.http.HttpServletResponse response,
                    javax.servlet.FilterChain filterChain)
                         throws IOException,
                                javax.servlet.ServletException

Handles a CORS request of type CorsFilter.CORSRequestType.SIMPLE.

参数:

request - The HttpServletRequest object.

response - The HttpServletResponse object.

filterChain - The FilterChain object.

抛出:

IOException

javax.servlet.ServletException

另请参阅:

Simple Cross-Origin Request, Actual Request, and Redirects

handlePreflightCORS

protected void handlePreflightCORS(javax.servlet.http.HttpServletRequest request,
                       javax.servlet.http.HttpServletResponse response,
                       javax.servlet.FilterChain filterChain)
                            throws IOException,
                                   javax.servlet.ServletException

Handles CORS pre-flight request.

参数:

request - The HttpServletRequest object.

response - The HttpServletResponse object.

filterChain - The FilterChain object.

抛出:

IOException

javax.servlet.ServletException

destroy

public void destroy()

指定者:

destroy 在接口中 javax.servlet.Filter

decorateCORSProperties

protected static void decorateCORSProperties(javax.servlet.http.HttpServletRequest request,
                          CorsFilter.CORSRequestType corsRequestType)

Decorates the HttpServletRequest, with CORS attributes.

• cors.isCorsRequest: Flag to determine if request is a CORS request. Set to true if CORS request; false otherwise.
• cors.request.origin: The Origin URL.
• cors.request.type: Type of request. Values: simple or preflight or not_cors or invalid_cors
• cors.request.headers: Request headers sent as 'Access-Control-Request-Headers' header, for pre-flight request.

参数:

request - The HttpServletRequest object.

corsRequestType - The CorsFilter.CORSRequestType object.

join

protected static String join(Collection<String> elements,
          String joinSeparator)

Joins elements of Set into a string, where each element is separated by the provided separator.

参数:

elements - The Set containing elements to join together.

joinSeparator - The character to be used for separating elements.

返回:

The joined String; null if elements Set is null.

checkRequestType

protected CorsFilter.CORSRequestType checkRequestType(javax.servlet.http.HttpServletRequest request)

Determines the request type.

参数:

request -

isValidOrigin

protected static boolean isValidOrigin(String origin)

Checks if a given origin is valid or not. Criteria:

• If an encoded character is present in origin, it's not valid.
• Origin should be a valid URI

参数:

origin -

另请参阅:

RFC952

isAnyOriginAllowed

public boolean isAnyOriginAllowed()

Determines if any origin is allowed to make CORS request.

返回:

true if it's enabled; false otherwise.

getExposedHeaders

public Collection<String> getExposedHeaders()

Returns a Set of headers that should be exposed by browser.

isSupportsCredentials

public boolean isSupportsCredentials()

Determines is supports credentials is enabled.

getPreflightMaxAge

public long getPreflightMaxAge()

Returns the preflight response cache time in seconds.

返回:

Time to cache in seconds.

getAllowedOrigins

public Collection<String> getAllowedOrigins()

Returns the Set of allowed origins that are allowed to make requests.

返回:

Set

getAllowedHttpMethods

public Collection<String> getAllowedHttpMethods()

Returns a Set of HTTP methods that are allowed to make requests.

返回:

Set

getAllowedHttpHeaders

public Collection<String> getAllowedHttpHeaders()

Returns a Set of headers support by resource.

返回:

Set