|
Lines 112-162
Link Here
|
| 112 |
<p>The minimal configuration required to use this filter is:</p> |
112 |
<p>The minimal configuration required to use this filter is:</p> |
| 113 |
<source> |
113 |
<source> |
| 114 |
<filter> |
114 |
<filter> |
| 115 |
<filter-name>CORSFilter</filter-name> |
115 |
<filter-name>CorsFilter</filter-name> |
| 116 |
<filter-class>org.apache.catalina.filters.CORSFilter</filter-class> |
116 |
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class> |
| 117 |
</filter> |
117 |
</filter> |
| 118 |
<filter-mapping> |
118 |
<filter-mapping> |
| 119 |
<filter-name>CORSFilter</filter-name> |
119 |
<filter-name>CorsFilter</filter-name> |
| 120 |
<url-pattern>/*</url-pattern> |
120 |
<url-pattern>/*</url-pattern> |
| 121 |
</filter-mapping> |
121 |
</filter-mapping> |
| 122 |
</source> |
122 |
</source> |
| 123 |
</subsection> |
123 |
</subsection> |
| 124 |
<subsection name="Filter Class Name"> |
124 |
<subsection name="Filter Class Name"> |
| 125 |
<p>The filter class name for the CORS Filter is |
125 |
<p>The filter class name for the CORS Filter is |
| 126 |
<strong><code>org.apache.catalina.filters.CORSFilter</code></strong>.</p> |
126 |
<strong><code>org.apache.catalina.filters.CorsFilter</code></strong>.</p> |
| 127 |
</subsection> |
127 |
</subsection> |
| 128 |
<subsection name="Initialisation parameters"> |
128 |
<subsection name="Initialisation parameters"> |
| 129 |
<p>The CORS Filter supports following initialisation parameters:</p> |
129 |
<p>The CORS Filter supports following initialisation parameters:</p> |
| 130 |
<attributes> |
130 |
<attributes> |
| 131 |
<attribute name="cors.allowed.origins" required="false"> |
131 |
<attribute name="cors.allowed.origins" required="false"> |
| 132 |
<p>A list of <a href="http://tools.ietf.org/html/rfc6454">origins</a> |
132 |
<p>A list of <a href="http://tools.ietf.org/html/rfc6454">origins</a> |
| 133 |
that are allowed to access the resource. A <code>'*'</code> can be |
133 |
that are allowed to access the resource. A <code>*</code> can be |
| 134 |
specified to enable access to resource from any origin. Otherwise, a |
134 |
specified to enable access to resource from any origin. Otherwise, a |
| 135 |
whitelist of comma separated origins can be provided. Eg: |
135 |
whitelist of comma separated origins can be provided. Eg: <code> |
| 136 |
http://www.w3.org, https://www.apache.org. |
136 |
http://www.w3.org, https://www.apache.org</code>. |
| 137 |
<strong>Defaults:</strong> <code>*</code> (Any origin is allowed to |
137 |
<strong>Defaults:</strong> <code>*</code> (Any origin is allowed to |
| 138 |
access the resource).</p> |
138 |
access the resource).</p> |
| 139 |
</attribute> |
139 |
</attribute> |
| 140 |
<attribute name="cors.allowed.methods" required="false"> |
140 |
<attribute name="cors.allowed.methods" required="false"> |
| 141 |
<p>A comma separated list of HTTP methods that can be used to access the |
141 |
<p>A comma separated list of HTTP methods that can be used to access the |
| 142 |
resource, using cross-origin requests. These are the methods which will |
142 |
resource, using cross-origin requests. These are the methods which will |
| 143 |
also be included as part of 'Access-Control-Allow-Methods' header in a |
143 |
also be included as part of <code>Access-Control-Allow-Methods</code> |
| 144 |
pre-flight response. Eg: <code>GET,POST</code>. |
144 |
header in pre-flight response. Eg: <code>GET, POST</code>. |
| 145 |
<strong>Defaults:</strong> <code>GET,POST,HEAD,OPTIONS</code></p> |
145 |
<strong>Defaults:</strong> <code>GET, POST, HEAD, OPTIONS</code></p> |
| 146 |
</attribute> |
146 |
</attribute> |
| 147 |
<attribute name="cors.allowed.headers" required="false"> |
147 |
<attribute name="cors.allowed.headers" required="false"> |
| 148 |
<p>A comma separated list of request headers that can be used when |
148 |
<p>A comma separated list of request headers that can be used when |
| 149 |
making an actual request. These header will also be returned as part of |
149 |
making an actual request. These headers will also be returned as part |
| 150 |
<code>'Access-Control-Allow-Headers'</code> header in a pre-flight |
150 |
of <code>Access-Control-Allow-Headers</code> header in a pre-flight |
| 151 |
response. Eg: <code>Origin,Accept</code>. <strong>Defaults:</strong> |
151 |
response. Eg: <code>Origin,Accept</code>. <strong>Defaults:</strong> |
| 152 |
<code>Origin, Accept, X-Requested-With, Content-Type, |
152 |
<code>Origin, Accept, X-Requested-With, Content-Type, |
| 153 |
Access-Control-Request-Method, Access-Control-Request-Headers</code></p> |
153 |
Access-Control-Request-Method, Access-Control-Request-Headers</code></p> |
| 154 |
</attribute> |
154 |
</attribute> |
| 155 |
<attribute name="cors.exposed.headers" required="false"> |
155 |
<attribute name="cors.exposed.headers" required="false"> |
| 156 |
<p>A comma separated list of headers other than the simple response |
156 |
<p>A comma separated list of headers other than simple response headers |
| 157 |
headers that browsers are allowed to access. These are the headers which |
157 |
that browsers are allowed to access. These are the headers which will |
| 158 |
will also be included as part of 'Access-Control-Expose-Headers' header |
158 |
also be included as part of <code>Access-Control-Expose-Headers</code> |
| 159 |
in the pre-flight response. Eg: |
159 |
header in the pre-flight response. Eg: |
| 160 |
<code>X-CUSTOM-HEADER-PING,X-CUSTOM-HEADER-PONG</code>. |
160 |
<code>X-CUSTOM-HEADER-PING,X-CUSTOM-HEADER-PONG</code>. |
| 161 |
<strong>Default:</strong> None. Non-simple headers are not exposed by |
161 |
<strong>Default:</strong> None. Non-simple headers are not exposed by |
| 162 |
default.</p> |
162 |
default.</p> |
|
Lines 164-178
Link Here
|
| 164 |
<attribute name="cors.preflight.maxage" required="false"> |
164 |
<attribute name="cors.preflight.maxage" required="false"> |
| 165 |
<p>The amount of seconds, browser is allowed to cache the result of the |
165 |
<p>The amount of seconds, browser is allowed to cache the result of the |
| 166 |
pre-flight request. This will be included as part of |
166 |
pre-flight request. This will be included as part of |
| 167 |
<code>'Access-Control-Max-Age'</code> header in the pre-flight response. |
167 |
<code>Access-Control-Max-Age</code> header in the pre-flight response. |
| 168 |
A negative value will prevent CORS Filter from adding this response |
168 |
A negative value will prevent CORS Filter from adding this response |
| 169 |
header from pre-flight response. <strong>Defaults:</strong> |
169 |
header to pre-flight response. <strong>Defaults:</strong> |
| 170 |
<code>1800</code></p> |
170 |
<code>1800</code></p> |
| 171 |
</attribute> |
171 |
</attribute> |
| 172 |
<attribute name="cors.support.credentials" required="false"> |
172 |
<attribute name="cors.support.credentials" required="false"> |
| 173 |
<p>A flag that indicates whether the resource supports user credentials. |
173 |
<p>A flag that indicates whether the resource supports user credentials. |
| 174 |
This flag is exposed as part of |
174 |
This flag is exposed as part of |
| 175 |
<code>'Access-Control-Allow-Credentials'</code> header in a pre-flight |
175 |
<code>Access-Control-Allow-Credentials</code> header in a pre-flight |
| 176 |
response. It helps browser determine whether or not an actual request |
176 |
response. It helps browser determine whether or not an actual request |
| 177 |
can be made using credentials. <strong>Defaults:</strong> |
177 |
can be made using credentials. <strong>Defaults:</strong> |
| 178 |
<code>true</code></p> |
178 |
<code>true</code></p> |
|
Lines 187-194
Link Here
|
| 187 |
defaults:</p> |
187 |
defaults:</p> |
| 188 |
<source> |
188 |
<source> |
| 189 |
<filter> |
189 |
<filter> |
| 190 |
<filter-name>CORSFilter</filter-name> |
190 |
<filter-name>CorsFilter</filter-name> |
| 191 |
<filter-class>org.apache.catalina.filters.CORSFilter</filter-class> |
191 |
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class> |
| 192 |
<init-param> |
192 |
<init-param> |
| 193 |
<param-name>cors.allowed.origins</param-name> |
193 |
<param-name>cors.allowed.origins</param-name> |
| 194 |
<param-value>*</param-value> |
194 |
<param-value>*</param-value> |
|
Lines 215-235
Link Here
|
| 215 |
</init-param> |
215 |
</init-param> |
| 216 |
</filter> |
216 |
</filter> |
| 217 |
<filter-mapping> |
217 |
<filter-mapping> |
| 218 |
<filter-name>CORS Filter</filter-name> |
218 |
<filter-name>CorsFilter</filter-name> |
| 219 |
<url-pattern>/*</url-pattern> |
219 |
<url-pattern>/*</url-pattern> |
| 220 |
</filter-mapping> |
220 |
</filter-mapping> |
| 221 |
</source> |
221 |
</source> |
| 222 |
</subsection> |
222 |
</subsection> |
| 223 |
<subsection name="CORS Filter and HttpServletRequest attributes"> |
223 |
<subsection name="CORS Filter and HttpServletRequest attributes"> |
| 224 |
<p>CORS Filter adds information about a request, in the HttpServletRequest |
224 |
<p>CORS Filter adds information about the request, in HttpServletRequest |
| 225 |
object, for consumption downstream. Following attributes are set, if |
225 |
object, for consumption downstream. Following attributes are set, if |
| 226 |
<code>cors.request.decorate</code> initialisation parameter is |
226 |
<code>cors.request.decorate</code> initialisation parameter is |
| 227 |
<code>true</code>:</p> |
227 |
<code>true</code>:</p> |
| 228 |
<ul> |
228 |
<ul> |
| 229 |
<li><strong>cors.isCorsRequest:</strong> Flag to determine if a request is |
229 |
<li><strong>cors.isCorsRequest:</strong> Flag to determine if request is |
| 230 |
a CORS request.</li> |
230 |
a CORS request.</li> |
| 231 |
<li><strong>cors.request.origin:</strong> The Origin URL, i.e. the URL of |
231 |
<li><strong>cors.request.origin:</strong> The Origin URL, i.e. the URL of |
| 232 |
the page from where the request is originated.</li> |
232 |
the page from where the request originated.</li> |
| 233 |
<li><strong>cors.request.type:</strong> Type of CORS request. Possible |
233 |
<li><strong>cors.request.type:</strong> Type of CORS request. Possible |
| 234 |
values: |
234 |
values: |
| 235 |
<ul> |
235 |
<ul> |
|
Lines 244-251
Link Here
|
| 244 |
</ul> |
244 |
</ul> |
| 245 |
</li> |
245 |
</li> |
| 246 |
<li><strong>cors.request.headers:</strong> Request headers sent as |
246 |
<li><strong>cors.request.headers:</strong> Request headers sent as |
| 247 |
'Access-Control-Request-Headers' header, for a pre-flight request. |
247 |
<code>Access-Control-Request-Headers</code> header, for a pre-flight |
| 248 |
</li> |
248 |
request. |
|
|
249 |
</li> |
| 249 |
</ul> |
250 |
</ul> |
| 250 |
</subsection> |
251 |
</subsection> |
| 251 |
</section> |
252 |
</section> |