Class CrossOriginHandler

All Implemented Interfaces:
Handler, Handler.Container, Handler.Singleton, Request.Handler, Container, Destroyable, Dumpable, Dumpable.DumpableContainer, LifeCycle, Invocable

@ManagedObject public class CrossOriginHandler extends Handler.Wrapper

Implementation of the CORS protocol defined by the fetch standard.

This Handler should be present in the Handler tree to prevent cross site request forgery attacks.

A typical case is a web page containing a script downloaded from the origin server at domain.com, where the script makes requests to the cross server at cross.domain.com. The cross server at cross.domain.com has the CrossOriginHandler installed and will see requests such as:

 GET / HTTP/1.1
 Host: cross.domain.com
 Origin: http://domain.com

The cross server at cross.domain.com must decide whether these cross-origin requests are allowed or not, by configuring the CrossOriginHandler allowed origins to contain only the origin server with origin http://domain.com.

The cross server must also decide whether cross-origin requests are allowed to contain credentials (cookies and authentication headers) or not, by configuring setAllowCredentials(boolean).

By default, no origin is allowed, and credentials are not allowed.
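Wiring the handler into a Jetty 12 server the way this page describes, restricting cross-origin access to the origin server's hosts and refusing to deliver requests from any other origin to the application. This is an added example, not code from the Jetty javadoc; the port, the child handler and the X-Request-Id header are assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.util.Set;

import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Response;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.CrossOriginHandler;
import org.eclipse.jetty.util.Callback;

public class CrossOriginServer
{
    public static void main(String[] args) throws Exception
    {
        Server server = new Server();
        ServerConnector connector = new ServerConnector(server);
        connector.setPort(8080); // assumed port
        server.addConnector(connector);

        CrossOriginHandler cors = new CrossOriginHandler();
        // Only hosts under domain.com may make cross-origin requests.
        // The patterns are regular expressions, so the dots must be escaped.
        cors.setAllowedOriginPatterns(Set.of("https://.*\\.domain\\.com"));
        // Credentials are only safe to allow because the origin set is explicit, not "*".
        cors.setAllowCredentials(true);
        cors.setAllowedMethods(Set.of("GET", "POST"));
        cors.setAllowedHeaders(Set.of("Content-Type", "Authorization"));
        cors.setExposedHeaders(Set.of("X-Request-Id"));
        cors.setPreflightMaxAge(Duration.ofMinutes(10));
        // Answer preflights here and stop non-allowed origins before the application sees them.
        cors.setDeliverPreflightRequests(false);
        cors.setDeliverNonAllowedOriginRequests(false);
        cors.setDeliverNonAllowedOriginWebSocketUpgradeRequests(false);

        // Assumed child handler: the application that the CORS policy protects.
        cors.setHandler(new Handler.Abstract()
        {
            @Override
            public boolean handle(Request request, Response response, Callback callback)
            {
                response.getHeaders().put("X-Request-Id", "example-id"); // constructed value
                response.write(true, ByteBuffer.wrap("ok\n".getBytes(StandardCharsets.UTF_8)), callback);
                return true;
            }
        });

        server.setHandler(cors);
        server.start();
        server.join();
    }
}
```

With this tree in place, a request carrying Origin: http://domain.com (plain HTTP, so it does not match the https pattern) gets no Access-Control-Allow-Origin header and never reaches the child handler.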

  • Constructor Details

    • CrossOriginHandler

      public CrossOriginHandler()
  • Method Details

    • isAllowCredentials

      @ManagedAttribute("Whether the server allows cross-origin requests to include credentials (cookies, authentication headers, etc.)") public boolean isAllowCredentials()
      Returns:
      whether the cross server allows cross-origin requests to include credentials
    • setAllowCredentials

      public void setAllowCredentials(boolean allow)

      Sets whether the cross server allows cross-origin requests to include credentials such as cookies or authentication headers.

      For example, when the cross server allows credentials to be included, cross-origin requests will contain cookies, otherwise they will not.

      The default is true.

      Parameters:
      allow - whether the cross server allows cross-origin requests to include credentials
    • getAllowedHeaders

      @ManagedAttribute("The set of allowed headers in a cross-origin request") public Set<String> getAllowedHeaders()
      Returns:
      the immutable set of allowed headers in a cross-origin request
    • setAllowedHeaders

      public void setAllowedHeaders(Set<String> headers)

      Sets the set of allowed headers in a cross-origin request.

      The cross server receives a preflight request that specifies the headers of the cross-origin request, and the cross server replies to the preflight request with the set of allowed headers. Browsers are responsible for checking whether the headers of the cross-origin request are allowed, and for producing an error if they are not.

      The headers can be either the character * to indicate any header, or actual header names.

      Parameters:
      headers - the set of allowed headers in a cross-origin request
    • getAllowedMethods

      @ManagedAttribute("The set of allowed methods in a cross-origin request") public Set<String> getAllowedMethods()
      Returns:
      the immutable set of allowed methods in a cross-origin request
    • setAllowedMethods

      public void setAllowedMethods(Set<String> methods)

      Sets the set of allowed methods in a cross-origin request.

      The cross server receives a preflight request that specifies the method of the cross-origin request, and the cross server replies to the preflight request with the set of allowed methods. Browsers are responsible for checking whether the method of the cross-origin request is allowed, and for producing an error if it is not.

      Parameters:
      methods - the set of allowed methods in a cross-origin request
    • getAllowedOriginPatterns

      @ManagedAttribute("The set of allowed origin regex strings in a cross-origin request") public Set<String> getAllowedOriginPatterns()
      Returns:
      the immutable set of allowed origin regex strings in a cross-origin request
    • setAllowedOriginPatterns

      public void setAllowedOriginPatterns(Set<String> origins)

      Sets the set of allowed origin regex strings in a cross-origin request.

      The cross server receives a preflight or a cross-origin request specifying the HttpHeader.ORIGIN, and replies with the same origin if allowed, otherwise the HttpHeader.ACCESS_CONTROL_ALLOW_ORIGIN is not added to the response (and the client should fail the cross-origin or preflight request).

      The origins are either the character *, or regular expressions, so dot characters separating domain segments must be escaped:

       crossOriginHandler.setAllowedOriginPatterns(Set.of("https://.*\\.domain\\.com"));

      The default value is *.

      Parameters:
      origins - the set of allowed origin regex strings in a cross-origin request
    • getAllowedTimingOriginPatterns

      @ManagedAttribute("The set of allowed timing origin regex strings in a cross-origin request") public Set<String> getAllowedTimingOriginPatterns()
      Returns:
      the immutable set of allowed timing origin regex strings in a cross-origin request
    • setAllowedTimingOriginPatterns

      public void setAllowedTimingOriginPatterns(Set<String> origins)

      Sets the set of allowed timing origin regex strings in a cross-origin request.

      Parameters:
      origins - the set of allowed timing origin regex strings in a cross-origin request
    • isDeliverPreflightRequests

      @ManagedAttribute("whether preflight requests are delivered to the child Handler") public boolean isDeliverPreflightRequests()
      Returns:
      whether preflight requests are delivered to the child Handler
    • setDeliverPreflightRequests

      public void setDeliverPreflightRequests(boolean deliver)

      Sets whether preflight requests are delivered to the child Handler.

      Default value is false.

      Parameters:
      deliver - whether preflight requests are delivered to the child Handler
    • isDeliverNonAllowedOriginRequests

      @ManagedAttribute("whether requests whose origin is not allowed are delivered to the child Handler") public boolean isDeliverNonAllowedOriginRequests()
      Returns:
      whether requests whose origin is not allowed are delivered to the child Handler
    • setDeliverNonAllowedOriginRequests

      public void setDeliverNonAllowedOriginRequests(boolean deliverNonAllowedOrigin)

      Sets whether requests whose origin is not allowed are delivered to the child Handler.

      Default value is true.

      Parameters:
      deliverNonAllowedOrigin - whether requests whose origin is not allowed are delivered to the child Handler
    • isDeliverNonAllowedOriginWebSocketUpgradeRequests

      @ManagedAttribute("whether WebSocket upgrade requests whose origin is not allowed are delivered to the child Handler") public boolean isDeliverNonAllowedOriginWebSocketUpgradeRequests()
      Returns:
      whether WebSocket upgrade requests whose origin is not allowed are delivered to the child Handler
    • setDeliverNonAllowedOriginWebSocketUpgradeRequests

      public void setDeliverNonAllowedOriginWebSocketUpgradeRequests(boolean deliverNonAllowedOriginWebSocketUpgrade)

      Sets whether WebSocket upgrade requests whose origin is not allowed are delivered to the child Handler.

      Default value is false.

      Parameters:
      deliverNonAllowedOriginWebSocketUpgrade - whether WebSocket upgrade requests whose origin is not allowed are delivered to the child Handler
    • getExposedHeaders

      @ManagedAttribute("The set of headers exposed in a cross-origin response") public Set<String> getExposedHeaders()
      Returns:
      the immutable set of headers exposed in a cross-origin response
    • setExposedHeaders

      public void setExposedHeaders(Set<String> headers)

      Sets the set of headers exposed in a cross-origin response.

      The cross server receives a cross-origin request and indicates which response headers are exposed to scripts running in the browser.

      Parameters:
      headers - the set of headers exposed in a cross-origin response
    • getPreflightMaxAge

      @ManagedAttribute("How long the preflight results can be cached by browsers") public Duration getPreflightMaxAge()
      Returns:
      how long the preflight results can be cached by browsers
    • setPreflightMaxAge

      public void setPreflightMaxAge(Duration duration)
      Parameters:
      duration - how long the preflight results can be cached by browsers
    • doStart

      protected void doStart() throws Exception
      Description copied from class: ContainerLifeCycle
      Starts the managed lifecycle beans in the order they were added.
      Overrides:
      doStart in class Handler.Abstract
      Throws:
      AbstractLifeCycle.StopException - If thrown, the lifecycle will immediately be stopped.
      Exception - If there was a problem starting. Will cause a transition to FAILED state
    • handle

      public boolean handle(Request request, Response response, Callback callback) throws Exception
      Description copied from interface: Request.Handler

      Invoked to handle the passed HTTP request and response.

      The request is accepted by returning true, then handling must be concluded by completing the passed callback. The handling may be asynchronous, i.e. this method may return true and complete the given callback later, possibly from a different thread. If this method returns false, then the callback must not be invoked and any mutation on the response reversed.

      Exceptions thrown by this method may be subsequently handled by an error Request.Handler, if present, otherwise a default HTTP 500 error is generated and the callback completed while writing the error response.

      The simplest implementation is:

       public boolean handle(Request request, Response response, Callback callback)
       {
           callback.succeeded();
           return true;
       }

      A HelloWorld implementation is:

       public boolean handle(Request request, Response response, Callback callback)
       {
           response.write(true, ByteBuffer.wrap("Hello World\n".getBytes(StandardCharsets.UTF_8)), callback);
           return true;
       }
      Specified by:
      handle in interface Request.Handler
      Overrides:
      handle in class Handler.Wrapper
      Parameters:
      request - the HTTP request to handle
      response - the HTTP response to handle
      callback - the callback to complete when the handling is complete
      Returns:
      True if and only if the request will be handled, a response generated and the callback eventually called. This may occur within the scope of the call to this method, or asynchronously some time later. If false is returned, then this method must not generate a response, nor complete the callback.
      Throws:
      Exception - if there is a failure during the handling. Catchers cannot assume that the callback will be called and thus should attempt to complete the request as if a false had been returned.