Module io.inverno.mod.security.http

Package io.inverno.mod.security.http.cors

Class CORSInterceptor<A extends io.inverno.mod.http.base.ExchangeContext,B extends Exchange<A>>

java.lang.Object

io.inverno.mod.security.http.cors.CORSInterceptor<A,B>

Type Parameters:

A - the type of the exchange context

B - the type of exchange handled by the handler

All Implemented Interfaces:

ExchangeInterceptor<A,B>

public class CORSInterceptor<A extends io.inverno.mod.http.base.ExchangeContext,B extends Exchange<A>>
extends Object
implements ExchangeInterceptor<A,B>

A security interceptor that implements Cross-origin resource sharing (CORS) as defined by HTTP CORS protocol.

Since:

1.5

Author:

Jeremy Kuhn

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	CORSInterceptor.Builder	A CORS interceptor builder.
protected static class	CORSInterceptor.Origin	Represents an origin composed of a scheme, a host and a port.

Field Summary

Fields

Modifier and Type	Field	Description
protected final boolean	allowCredentials	Flag indicating whether credentials must be allowed.
protected final String	allowedHeaders	The allowed headers.
protected final String	allowedMethods	The allowed methods.
protected final Set<CORSInterceptor.Origin>	allowedOrigins	The set of allowed origins.
protected final Set<Pattern>	allowedOriginsPattern	The set of allowed origins patterns.
protected final boolean	allowPrivateNetwork	Flag indicating whether private netword must be allowed.
protected final String	exposedHeaders	The exposed headers.
protected final boolean	isStatic	Flag indicating whether the interceptor is a static interceptor (allow one static origin).
protected final boolean	isWildcard	Flag indicating whether the interceptor is a wildcard interceptor (allow all origins).
protected final Integer	maxAge	The max age in seconds for CORS information cache.

Constructor Summary

Constructors

Modifier	Constructor	Description
protected	CORSInterceptor(Set<CORSInterceptor.Origin> allowedOrigins, Set<Pattern> allowedOriginsPattern, boolean allowCredentials, Set<String> allowedHeaders, Set<io.inverno.mod.http.base.Method> allowedMethods, Set<String> exposedHeaders, Integer maxAge, boolean allowPrivateNetwork)	Creates a CORS interceptor.

Method Summary

Modifier and Type	Method	Description
static CORSInterceptor.Builder	builder(String... allowedOrigins)	Returns a CORS interceptor builder for the specified allowed origins.
protected void	checkOrigin(CORSInterceptor.Origin origin)	Determines whether the origin is a valid origin.
reactor.core.publisher.Mono<? extends B>	intercept(B exchange)
protected boolean	isSameOrigin(B exchange, CORSInterceptor.Origin origin)	Determines whether the request was issued from the same origin.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface io.inverno.mod.http.server.ExchangeInterceptor

andThen, compose

Field Details

allowedOrigins

protected final Set<CORSInterceptor.Origin> allowedOrigins

The set of allowed origins.

allowedOriginsPattern

protected final Set<Pattern> allowedOriginsPattern

The set of allowed origins patterns.

allowCredentials

protected final boolean allowCredentials

Flag indicating whether credentials must be allowed.

allowedHeaders

protected final String allowedHeaders

The allowed headers.

allowedMethods

protected final String allowedMethods

The allowed methods.

exposedHeaders

protected final String exposedHeaders

The exposed headers.

maxAge

protected final Integer maxAge

The max age in seconds for CORS information cache.

allowPrivateNetwork

protected final boolean allowPrivateNetwork

Flag indicating whether private netword must be allowed.

isWildcard

protected final boolean isWildcard

Flag indicating whether the interceptor is a wildcard interceptor (allow all origins).

isStatic

protected final boolean isStatic

Flag indicating whether the interceptor is a static interceptor (allow one static origin).

Constructor Details

CORSInterceptor

protected CORSInterceptor(Set<CORSInterceptor.Origin> allowedOrigins,
 Set<Pattern> allowedOriginsPattern,
 boolean allowCredentials,
 Set<String> allowedHeaders,
 Set<io.inverno.mod.http.base.Method> allowedMethods,
 Set<String> exposedHeaders,
 Integer maxAge,
 boolean allowPrivateNetwork)

Creates a CORS interceptor.

Parameters:

allowedOrigins - the set of allowed origins

allowedOriginsPattern - the set of allowed origins patterns

allowCredentials - true to allow credentials, false otherwise

allowedHeaders - the set of allowed headers

allowedMethods - the set of allowed methods

exposedHeaders - the set of exposed headers

maxAge - the max age

allowPrivateNetwork - true to allow private network, false otherwise

Method Details

builder

public static CORSInterceptor.Builder builder(String... allowedOrigins)

Returns a CORS interceptor builder for the specified allowed origins.

Parameters:

allowedOrigins - a list of static allowed origins

Returns:

a new CORS interceptor builder

intercept

public reactor.core.publisher.Mono<? extends B> intercept(B exchange)

Specified by:

intercept in interface ExchangeInterceptor<A extends io.inverno.mod.http.base.ExchangeContext,B extends Exchange<A>>

isSameOrigin

protected boolean isSameOrigin(B exchange,
 CORSInterceptor.Origin origin)

Determines whether the request was issued from the same origin.

Parameters:

exchange - the exchange

origin - the target origin

Returns:

true if the origin is the same, false otherwise or if it could not be determined

checkOrigin

protected void checkOrigin(CORSInterceptor.Origin origin)
                    throws io.inverno.mod.http.base.BadRequestException,
io.inverno.mod.http.base.ForbiddenException

Determines whether the origin is a valid origin.

Parameters:

origin - the origin to check

Throws:

io.inverno.mod.http.base.ForbiddenException - if the origin is not authorized

io.inverno.mod.http.base.BadRequestException