Lines 112-162
|
112 |
<p>The minimal configuration required to use this filter is:</p> |
112 |
<p>The minimal configuration required to use this filter is:</p> |
113 |
<source> |
113 |
<source> |
114 |
<filter> |
114 |
<filter> |
115 |
<filter-name>CORSFilter</filter-name> |
115 |
<filter-name>CorsFilter</filter-name> |
116 |
<filter-class>org.apache.catalina.filters.CORSFilter</filter-class> |
116 |
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class> |
117 |
</filter> |
117 |
</filter> |
118 |
<filter-mapping> |
118 |
<filter-mapping> |
119 |
<filter-name>CORSFilter</filter-name> |
119 |
<filter-name>CorsFilter</filter-name> |
120 |
<url-pattern>/*</url-pattern> |
120 |
<url-pattern>/*</url-pattern> |
121 |
</filter-mapping> |
121 |
</filter-mapping> |
122 |
</source> |
122 |
</source> |
123 |
</subsection> |
123 |
</subsection> |
124 |
<subsection name="Filter Class Name"> |
124 |
<subsection name="Filter Class Name"> |
125 |
<p>The filter class name for the CORS Filter is |
125 |
<p>The filter class name for the CORS Filter is |
126 |
<strong><code>org.apache.catalina.filters.CORSFilter</code></strong>.</p> |
126 |
<strong><code>org.apache.catalina.filters.CorsFilter</code></strong>.</p> |
127 |
</subsection> |
127 |
</subsection> |
128 |
<subsection name="Initialisation parameters"> |
128 |
<subsection name="Initialisation parameters"> |
129 |
<p>The CORS Filter supports following initialisation parameters:</p> |
129 |
<p>The CORS Filter supports following initialisation parameters:</p> |
130 |
<attributes> |
130 |
<attributes> |
131 |
<attribute name="cors.allowed.origins" required="false"> |
131 |
<attribute name="cors.allowed.origins" required="false"> |
132 |
<p>A list of <a href="http://tools.ietf.org/html/rfc6454">origins</a> |
132 |
<p>A list of <a href="http://tools.ietf.org/html/rfc6454">origins</a> |
133 |
that are allowed to access the resource. A <code>'*'</code> can be |
133 |
that are allowed to access the resource. A <code>*</code> can be |
134 |
specified to enable access to resource from any origin. Otherwise, a |
134 |
specified to enable access to resource from any origin. Otherwise, a |
135 |
whitelist of comma separated origins can be provided. Eg: |
135 |
whitelist of comma separated origins can be provided. Eg: <code> |
136 |
http://www.w3.org, https://www.apache.org. |
136 |
http://www.w3.org, https://www.apache.org</code>. |
137 |
<strong>Defaults:</strong> <code>*</code> (Any origin is allowed to |
137 |
<strong>Defaults:</strong> <code>*</code> (Any origin is allowed to |
138 |
access the resource).</p> |
138 |
access the resource).</p> |
139 |
</attribute> |
139 |
</attribute> |
140 |
<attribute name="cors.allowed.methods" required="false"> |
140 |
<attribute name="cors.allowed.methods" required="false"> |
141 |
<p>A comma separated list of HTTP methods that can be used to access the |
141 |
<p>A comma separated list of HTTP methods that can be used to access the |
142 |
resource, using cross-origin requests. These are the methods which will |
142 |
resource, using cross-origin requests. These are the methods which will |
143 |
also be included as part of 'Access-Control-Allow-Methods' header in a |
143 |
also be included as part of <code>Access-Control-Allow-Methods</code> |
144 |
pre-flight response. Eg: <code>GET,POST</code>. |
144 |
header in pre-flight response. Eg: <code>GET, POST</code>. |
145 |
<strong>Defaults:</strong> <code>GET,POST,HEAD,OPTIONS</code></p> |
145 |
<strong>Defaults:</strong> <code>GET, POST, HEAD, OPTIONS</code></p> |
146 |
</attribute> |
146 |
</attribute> |
147 |
<attribute name="cors.allowed.headers" required="false"> |
147 |
<attribute name="cors.allowed.headers" required="false"> |
148 |
<p>A comma separated list of request headers that can be used when |
148 |
<p>A comma separated list of request headers that can be used when |
149 |
making an actual request. These header will also be returned as part of |
149 |
making an actual request. These headers will also be returned as part |
150 |
<code>'Access-Control-Allow-Headers'</code> header in a pre-flight |
150 |
of <code>Access-Control-Allow-Headers</code> header in a pre-flight |
151 |
response. Eg: <code>Origin,Accept</code>. <strong>Defaults:</strong> |
151 |
response. Eg: <code>Origin,Accept</code>. <strong>Defaults:</strong> |
152 |
<code>Origin, Accept, X-Requested-With, Content-Type, |
152 |
<code>Origin, Accept, X-Requested-With, Content-Type, |
153 |
Access-Control-Request-Method, Access-Control-Request-Headers</code></p> |
153 |
Access-Control-Request-Method, Access-Control-Request-Headers</code></p> |
154 |
</attribute> |
154 |
</attribute> |
155 |
<attribute name="cors.exposed.headers" required="false"> |
155 |
<attribute name="cors.exposed.headers" required="false"> |
156 |
<p>A comma separated list of headers other than the simple response |
156 |
<p>A comma separated list of headers other than simple response headers |
157 |
headers that browsers are allowed to access. These are the headers which |
157 |
that browsers are allowed to access. These are the headers which will |
158 |
will also be included as part of 'Access-Control-Expose-Headers' header |
158 |
also be included as part of <code>Access-Control-Expose-Headers</code> |
159 |
in the pre-flight response. Eg: |
159 |
header in the pre-flight response. Eg: |
160 |
<code>X-CUSTOM-HEADER-PING,X-CUSTOM-HEADER-PONG</code>. |
160 |
<code>X-CUSTOM-HEADER-PING,X-CUSTOM-HEADER-PONG</code>. |
161 |
<strong>Default:</strong> None. Non-simple headers are not exposed by |
161 |
<strong>Default:</strong> None. Non-simple headers are not exposed by |
162 |
default.</p> |
162 |
default.</p> |
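Review bot: The `<filter-class>` value on line 116 and the class name on line 126 change from `org.apache.catalina.filters.CORSFilter` to `org.apache.catalina.filters.CorsFilter`, which is more than a documentation tidy-up: a deployed web.xml that still names the old class no longer matches these docs, so confirm the class itself is renamed in the same change and mention the rename in the changelog. Separately, the list separator style is now mixed: lines 144-145 become `GET, POST` and `GET, POST, HEAD, OPTIONS`, while lines 151 and 160 keep `Origin,Accept` and `X-CUSTOM-HEADER-PING,X-CUSTOM-HEADER-PONG`. Pick one form so readers do not have to guess whether whitespace is significant.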
Lines 164-178
|
164 |
<attribute name="cors.preflight.maxage" required="false"> |
164 |
<attribute name="cors.preflight.maxage" required="false"> |
165 |
<p>The amount of seconds, browser is allowed to cache the result of the |
165 |
<p>The amount of seconds, browser is allowed to cache the result of the |
166 |
pre-flight request. This will be included as part of |
166 |
pre-flight request. This will be included as part of |
167 |
<code>'Access-Control-Max-Age'</code> header in the pre-flight response. |
167 |
<code>Access-Control-Max-Age</code> header in the pre-flight response. |
168 |
A negative value will prevent CORS Filter from adding this response |
168 |
A negative value will prevent CORS Filter from adding this response |
169 |
header from pre-flight response. <strong>Defaults:</strong> |
169 |
header to pre-flight response. <strong>Defaults:</strong> |
170 |
<code>1800</code></p> |
170 |
<code>1800</code></p> |
171 |
</attribute> |
171 |
</attribute> |
172 |
<attribute name="cors.support.credentials" required="false"> |
172 |
<attribute name="cors.support.credentials" required="false"> |
173 |
<p>A flag that indicates whether the resource supports user credentials. |
173 |
<p>A flag that indicates whether the resource supports user credentials. |
174 |
This flag is exposed as part of |
174 |
This flag is exposed as part of |
175 |
<code>'Access-Control-Allow-Credentials'</code> header in a pre-flight |
175 |
<code>Access-Control-Allow-Credentials</code> header in a pre-flight |
176 |
response. It helps browser determine whether or not an actual request |
176 |
response. It helps browser determine whether or not an actual request |
177 |
can be made using credentials. <strong>Defaults:</strong> |
177 |
can be made using credentials. <strong>Defaults:</strong> |
178 |
<code>true</code></p> |
178 |
<code>true</code></p> |
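Review bot: Line 178 keeps `cors.support.credentials` defaulting to `true` while line 137 keeps `cors.allowed.origins` defaulting to `*`, and neither paragraph says what the filter sends when both defaults apply. Since this pass already touches both descriptions, add a sentence stating the resulting behaviour and recommending an explicit origin list whenever credentials are enabled. Minor: line 165 still reads "The amount of seconds, browser is allowed to cache", which could become "The number of seconds the browser is allowed to cache".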
Lines 187-194
|
187 |
defaults:</p> |
187 |
defaults:</p> |
188 |
<source> |
188 |
<source> |
189 |
<filter> |
189 |
<filter> |
190 |
<filter-name>CORSFilter</filter-name> |
190 |
<filter-name>CorsFilter</filter-name> |
191 |
<filter-class>org.apache.catalina.filters.CORSFilter</filter-class> |
191 |
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class> |
192 |
<init-param> |
192 |
<init-param> |
193 |
<param-name>cors.allowed.origins</param-name> |
193 |
<param-name>cors.allowed.origins</param-name> |
194 |
<param-value>*</param-value> |
194 |
<param-value>*</param-value> |
Lines 215-235
|
215 |
</init-param> |
215 |
</init-param> |
216 |
</filter> |
216 |
</filter> |
217 |
<filter-mapping> |
217 |
<filter-mapping> |
218 |
<filter-name>CORS Filter</filter-name> |
218 |
<filter-name>CorsFilter</filter-name> |
219 |
<url-pattern>/*</url-pattern> |
219 |
<url-pattern>/*</url-pattern> |
220 |
</filter-mapping> |
220 |
</filter-mapping> |
221 |
</source> |
221 |
</source> |
222 |
</subsection> |
222 |
</subsection> |
223 |
<subsection name="CORS Filter and HttpServletRequest attributes"> |
223 |
<subsection name="CORS Filter and HttpServletRequest attributes"> |
224 |
<p>CORS Filter adds information about a request, in the HttpServletRequest |
224 |
<p>CORS Filter adds information about the request, in HttpServletRequest |
225 |
object, for consumption downstream. Following attributes are set, if |
225 |
object, for consumption downstream. Following attributes are set, if |
226 |
<code>cors.request.decorate</code> initialisation parameter is |
226 |
<code>cors.request.decorate</code> initialisation parameter is |
227 |
<code>true</code>:</p> |
227 |
<code>true</code>:</p> |
228 |
<ul> |
228 |
<ul> |
229 |
<li><strong>cors.isCorsRequest:</strong> Flag to determine if a request is |
229 |
<li><strong>cors.isCorsRequest:</strong> Flag to determine if request is |
230 |
a CORS request.</li> |
230 |
a CORS request.</li> |
231 |
<li><strong>cors.request.origin:</strong> The Origin URL, i.e. the URL of |
231 |
<li><strong>cors.request.origin:</strong> The Origin URL, i.e. the URL of |
232 |
the page from where the request is originated.</li> |
232 |
the page from where the request originated.</li> |
233 |
<li><strong>cors.request.type:</strong> Type of CORS request. Possible |
233 |
<li><strong>cors.request.type:</strong> Type of CORS request. Possible |
234 |
values: |
234 |
values: |
235 |
<ul> |
235 |
<ul> |
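Review bot: The `<filter-name>` fix on line 218 is needed, since the old `CORS Filter` did not match the name declared in the `<filter>` element on line 190, but the prose edits on lines 224 and 229 drop articles and read worse than before: "in HttpServletRequest object" and "if request is a CORS request". Suggest "in the HttpServletRequest object" and "if the request is a CORS request", and while here change line 225 to "The following attributes are set if".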
Lines 244-251
|
244 |
</ul> |
244 |
</ul> |
245 |
</li> |
245 |
</li> |
246 |
<li><strong>cors.request.headers:</strong> Request headers sent as |
246 |
<li><strong>cors.request.headers:</strong> Request headers sent as |
247 |
'Access-Control-Request-Headers' header, for a pre-flight request. |
247 |
<code>Access-Control-Request-Headers</code> header, for a pre-flight |
248 |
</li> |
248 |
request. |
|
|
249 |
</li> |
249 |
</ul> |
250 |
</ul> |
250 |
</subsection> |
251 |
</subsection> |
251 |
</section> |
252 |
</section> |