View | Details | Raw Unified | Return to bug 55046

(-)webapps/docs/config/filter.xml (-27 / +28 lines)
Lines 112-162 Link Here
112
    <p>The minimal configuration required to use this filter is:</p>
112
    <p>The minimal configuration required to use this filter is:</p>
113
    <source>
113
    <source>
114
&lt;filter&gt;
114
&lt;filter&gt;
115
  &lt;filter-name&gt;CORSFilter&lt;/filter-name&gt;
115
  &lt;filter-name&gt;CorsFilter&lt;/filter-name&gt;
116
  &lt;filter-class&gt;org.apache.catalina.filters.CORSFilter&lt;/filter-class&gt;
116
  &lt;filter-class&gt;org.apache.catalina.filters.CorsFilter&lt;/filter-class&gt;
117
&lt;/filter&gt;
117
&lt;/filter&gt;
118
&lt;filter-mapping&gt;
118
&lt;filter-mapping&gt;
119
  &lt;filter-name>CORSFilter&lt;/filter-name&gt;
119
  &lt;filter-name>CorsFilter&lt;/filter-name&gt;
120
  &lt;url-pattern>/*&lt;/url-pattern&gt;
120
  &lt;url-pattern>/*&lt;/url-pattern&gt;
121
&lt;/filter-mapping&gt;
121
&lt;/filter-mapping&gt;
122
    </source>
122
    </source>
123
  </subsection>
123
  </subsection>
124
  <subsection name="Filter Class Name">
124
  <subsection name="Filter Class Name">
125
    <p>The filter class name for the CORS Filter is
125
    <p>The filter class name for the CORS Filter is
126
    <strong><code>org.apache.catalina.filters.CORSFilter</code></strong>.</p>
126
    <strong><code>org.apache.catalina.filters.CorsFilter</code></strong>.</p>
127
  </subsection>
127
  </subsection>
128
  <subsection name="Initialisation parameters">
128
  <subsection name="Initialisation parameters">
129
    <p>The CORS Filter supports following initialisation parameters:</p>
129
    <p>The CORS Filter supports following initialisation parameters:</p>
130
    <attributes>
130
    <attributes>
131
      <attribute name="cors.allowed.origins" required="false">
131
      <attribute name="cors.allowed.origins" required="false">
132
        <p>A list of <a href="http://tools.ietf.org/html/rfc6454">origins</a>
132
        <p>A list of <a href="http://tools.ietf.org/html/rfc6454">origins</a>
133
        that are allowed to access the resource. A <code>'*'</code> can be
133
        that are allowed to access the resource. A <code>*</code> can be
134
        specified to enable access to resource from any origin. Otherwise, a
134
        specified to enable access to resource from any origin. Otherwise, a
135
        whitelist of comma separated origins can be provided. Eg:
135
        whitelist of comma separated origins can be provided. Eg: <code>
136
        http://www.w3.org, https://www.apache.org.
136
        http://www.w3.org, https://www.apache.org</code>.
137
        <strong>Defaults:</strong> <code>*</code> (Any origin is allowed to
137
        <strong>Defaults:</strong> <code>*</code> (Any origin is allowed to
138
        access the resource).</p>
138
        access the resource).</p>
139
      </attribute>
139
      </attribute>
140
      <attribute name="cors.allowed.methods" required="false">
140
      <attribute name="cors.allowed.methods" required="false">
141
        <p>A comma separated list of HTTP methods that can be used to access the
141
        <p>A comma separated list of HTTP methods that can be used to access the
142
        resource, using cross-origin requests. These are the methods which will
142
        resource, using cross-origin requests. These are the methods which will
143
        also be included as part of 'Access-Control-Allow-Methods' header in a
143
        also be included as part of <code>Access-Control-Allow-Methods</code> 
144
        pre-flight response. Eg: <code>GET,POST</code>.
144
        header in pre-flight response. Eg: <code>GET, POST</code>.
145
        <strong>Defaults:</strong> <code>GET,POST,HEAD,OPTIONS</code></p>
145
        <strong>Defaults:</strong> <code>GET, POST, HEAD, OPTIONS</code></p>
146
      </attribute>
146
      </attribute>
147
      <attribute name="cors.allowed.headers" required="false">
147
      <attribute name="cors.allowed.headers" required="false">
148
        <p>A comma separated list of request headers that can be used when
148
        <p>A comma separated list of request headers that can be used when
149
        making an actual request. These header will also be returned as part of
149
        making an actual request. These headers will also be returned as part 
150
        <code>'Access-Control-Allow-Headers'</code> header in a pre-flight
150
        of <code>Access-Control-Allow-Headers</code> header in a pre-flight
151
        response. Eg: <code>Origin,Accept</code>. <strong>Defaults:</strong>
151
        response. Eg: <code>Origin,Accept</code>. <strong>Defaults:</strong>
152
        <code>Origin, Accept, X-Requested-With, Content-Type,
152
        <code>Origin, Accept, X-Requested-With, Content-Type,
153
        Access-Control-Request-Method, Access-Control-Request-Headers</code></p>
153
        Access-Control-Request-Method, Access-Control-Request-Headers</code></p>
154
      </attribute>
154
      </attribute>
155
      <attribute name="cors.exposed.headers" required="false">
155
      <attribute name="cors.exposed.headers" required="false">
156
        <p>A comma separated list of headers other than the simple response
156
        <p>A comma separated list of headers other than simple response headers
157
        headers that browsers are allowed to access. These are the headers which
157
        that browsers are allowed to access. These are the headers which will 
158
        will also be included as part of 'Access-Control-Expose-Headers' header
158
        also be included as part of <code>Access-Control-Expose-Headers</code> 
159
        in the pre-flight response. Eg:
159
        header in the pre-flight response. Eg:
160
        <code>X-CUSTOM-HEADER-PING,X-CUSTOM-HEADER-PONG</code>.
160
        <code>X-CUSTOM-HEADER-PING,X-CUSTOM-HEADER-PONG</code>.
161
        <strong>Default:</strong> None. Non-simple headers are not exposed by
161
        <strong>Default:</strong> None. Non-simple headers are not exposed by
162
        default.</p>
162
        default.</p>
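Review bot: The filter-mapping sample on lines 119 and 120 still mixes an escaped `&lt;` with a raw `>` (`&lt;filter-name>CorsFilter&lt;/filter-name&gt;` and `&lt;url-pattern>/*&lt;/url-pattern&gt;`), unlike every other tag in the sample. Line 119 is already being touched for the rename, so escape both as `&gt;` in the same change. Separately, the method lists on lines 144 and 145 gain a space after each comma (`GET, POST, HEAD, OPTIONS`) while the examples on lines 151 and 160 keep `Origin,Accept` and `X-CUSTOM-HEADER-PING,X-CUSTOM-HEADER-PONG`; pick one form for all of them. The `<code>` opened at the end of line 135 also pulls the line break and indentation into the code element, so open it on line 136 next to the first origin.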
Lines 164-178 Link Here
164
      <attribute name="cors.preflight.maxage" required="false">
164
      <attribute name="cors.preflight.maxage" required="false">
165
        <p>The amount of seconds, browser is allowed to cache the result of the
165
        <p>The amount of seconds, browser is allowed to cache the result of the
166
        pre-flight request. This will be included as part of
166
        pre-flight request. This will be included as part of
167
        <code>'Access-Control-Max-Age'</code> header in the pre-flight response.
167
        <code>Access-Control-Max-Age</code> header in the pre-flight response.
168
        A negative value will prevent CORS Filter from adding this response
168
        A negative value will prevent CORS Filter from adding this response
169
        header from pre-flight response. <strong>Defaults:</strong>
169
        header to pre-flight response. <strong>Defaults:</strong>
170
        <code>1800</code></p>
170
        <code>1800</code></p>
171
      </attribute>
171
      </attribute>
172
      <attribute name="cors.support.credentials" required="false">
172
      <attribute name="cors.support.credentials" required="false">
173
        <p>A flag that indicates whether the resource supports user credentials.
173
        <p>A flag that indicates whether the resource supports user credentials.
174
        This flag is exposed as part of
174
        This flag is exposed as part of
175
        <code>'Access-Control-Allow-Credentials'</code> header in a pre-flight
175
        <code>Access-Control-Allow-Credentials</code> header in a pre-flight
176
        response. It helps browser determine whether or not an actual request
176
        response. It helps browser determine whether or not an actual request
177
        can be made using credentials. <strong>Defaults:</strong>
177
        can be made using credentials. <strong>Defaults:</strong>
178
        <code>true</code></p>
178
        <code>true</code></p>
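Review bot: Missing documentation on lines 172-178: cors.support.credentials is documented as defaulting to `true` while cors.allowed.origins is documented as defaulting to `*` (line 137), and nothing here says what the filter sends for that combination. Browsers reject a credentialed response whose Access-Control-Allow-Origin is the literal `*`, so this attribute should state what the default configuration does for a credentialed request and advise an explicit origin list whenever credentials are enabled. Line 165 also still reads "The amount of seconds, browser is allowed"; "The number of seconds the browser is allowed" would fix it in the same pass.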
Lines 187-194 Link Here
187
    defaults:</p>
187
    defaults:</p>
188
    <source>
188
    <source>
189
&lt;filter&gt;
189
&lt;filter&gt;
190
  &lt;filter-name&gt;CORSFilter&lt;/filter-name&gt;
190
  &lt;filter-name&gt;CorsFilter&lt;/filter-name&gt;
191
  &lt;filter-class&gt;org.apache.catalina.filters.CORSFilter&lt;/filter-class&gt;
191
  &lt;filter-class&gt;org.apache.catalina.filters.CorsFilter&lt;/filter-class&gt;
192
  &lt;init-param&gt;
192
  &lt;init-param&gt;
193
    &lt;param-name&gt;cors.allowed.origins&lt;/param-name&gt;
193
    &lt;param-name&gt;cors.allowed.origins&lt;/param-name&gt;
194
    &lt;param-value&gt;*&lt;/param-value&gt;
194
    &lt;param-value&gt;*&lt;/param-value&gt;
Lines 215-235 Link Here
215
  &lt;/init-param&gt;
215
  &lt;/init-param&gt;
216
&lt;/filter&gt;
216
&lt;/filter&gt;
217
&lt;filter-mapping&gt;
217
&lt;filter-mapping&gt;
218
  &lt;filter-name&gt;CORS Filter&lt;/filter-name&gt;
218
  &lt;filter-name&gt;CorsFilter&lt;/filter-name&gt;
219
  &lt;url-pattern&gt;/*&lt;/url-pattern&gt;
219
  &lt;url-pattern&gt;/*&lt;/url-pattern&gt;
220
&lt;/filter-mapping&gt;
220
&lt;/filter-mapping&gt;
221
    </source>
221
    </source>
222
  </subsection>
222
  </subsection>
223
  <subsection name="CORS Filter and HttpServletRequest attributes">
223
  <subsection name="CORS Filter and HttpServletRequest attributes">
224
    <p>CORS Filter adds information about a request, in the HttpServletRequest
224
    <p>CORS Filter adds information about the request, in HttpServletRequest
225
    object, for consumption downstream. Following attributes are set, if
225
    object, for consumption downstream. Following attributes are set, if
226
    <code>cors.request.decorate</code> initialisation parameter is
226
    <code>cors.request.decorate</code> initialisation parameter is
227
    <code>true</code>:</p>
227
    <code>true</code>:</p>
228
    <ul>
228
    <ul>
229
      <li><strong>cors.isCorsRequest:</strong> Flag to determine if a request is
229
      <li><strong>cors.isCorsRequest:</strong> Flag to determine if request is
230
          a CORS request.</li>
230
          a CORS request.</li>
231
      <li><strong>cors.request.origin:</strong> The Origin URL, i.e. the URL of
231
      <li><strong>cors.request.origin:</strong> The Origin URL, i.e. the URL of
232
          the page from where the request is originated.</li>
232
          the page from where the request originated.</li>
233
      <li><strong>cors.request.type:</strong> Type of CORS request. Possible
233
      <li><strong>cors.request.type:</strong> Type of CORS request. Possible
234
          values:
234
          values:
235
        <ul>
235
        <ul>
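Review bot: Lines 231-232 describe cors.request.origin as "the URL of the page from where the request originated", but an origin in the RFC 6454 sense linked from line 132 is only scheme, host and port, not a page URL. Reword it so downstream code reading the attribute does not expect a path. The edits on lines 224 and 229 also drop articles ("in HttpServletRequest object", "if request is a CORS request"), which reads worse than the text they replace; keep "the HttpServletRequest object" and "if a request is".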
Lines 244-251 Link Here
244
        </ul>
244
        </ul>
245
      </li>
245
      </li>
246
      <li><strong>cors.request.headers:</strong> Request headers sent as
246
      <li><strong>cors.request.headers:</strong> Request headers sent as
247
          'Access-Control-Request-Headers' header, for a pre-flight request.
247
          <code>Access-Control-Request-Headers</code> header, for a pre-flight 
248
          </li>
248
          request.
249
      </li>
249
    </ul>
250
    </ul>
250
  </subsection>
251
  </subsection>
251
</section>
252
</section>
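Review bot: New line 247 ends with a trailing space after "pre-flight" and leaves "request." alone on line 248; new lines 143, 149, 157 and 158 in the first hunk end with the same trailing space. Strip the trailing whitespace and rewrap so the sentence breaks at a natural point.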
