HowToDoInJava

Related Tutorials
Home / Java / Java Servlets / Java CORS Filter Example

Java CORS Filter Example

Cross-origin resource sharing (CORS) is a mechanism that allows JavaScript on a web page to make AJAX requests to another domain, different from the domain from where it originated. By default, such web requests are forbidden in browsers, and they will result into same origin security policy errors. Using Java CORS filter, you may allow the webpage to make requests from other domains as well (known as cross domain requests).

Read More : Spring security CORS filter

1. How CORS Filter Work?

CORS capability works by adding some specific HTTP headers that tell the browser that downloaded webpage should be allowed to make web requests to given/all domains. Also, you can add information to instruct browser to allow only certain HTTP methods (GET/PUT/POST/DELETE etc) on those domain URLs.

You will read a term ‘preflight request‘ in rest of the post, so let’s understand it first.

A CORS preflight request is a CORS request that checks to see if the CORS protocol is understood by another domain. It is an OPTIONS request using two HTTP request headers: Access-Control-Request-Method and Access-Control-Request-Headers , and the Origin header.

A preflight request is automatically issued by a browser when needed; in normal cases, front-end developers don’t need to write such requests themselves. In response to a preflight request the resource indicates which methods and headers it is willing to handle and whether it supports credentials.

Now let’s go through CORS related HTTP headers to understand more.

1.1. Response Headers

  • Access-Control-Allow-Origin : specifies the authorized domains to make cross-domain request. Use “*” as value if there is no restrictions.
  • Access-Control-Allow-Credentials : specifies if cross-domain requests can have authorization credentials or not.
  • Access-Control-Expose-Headers : indicates which headers are safe to expose.
  • Access-Control-Max-Age : indicates how long the results of a preflight request can be cached.
  • Access-Control-Allow-Methods : indicates the methods allowed when accessing the resource.
  • Access-Control-Allow-Headers : indicates which header field names can be used during the actual request.

1.2. Request Headers

  • Origin : indicates where the cross-origin actual request or preflight request originates from.
  • Access-Control-Request-Method : used when issuing a preflight request to let the server know what HTTP method will be used in actual request.
  • Access-Control-Request-Headers : used when issuing a preflight request to let the server know what HTTP headers will be used in actual request.

2. Java CORS Filter Example

Now let’s a very basic implementation of CORS filter which can be added to any web application.

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet Filter implementation class CORSFilter
 */
// Enable it for Servlet 3.x implementations
/* @ WebFilter(asyncSupported = true, urlPatterns = { "/*" }) */
public class CORSFilter implements Filter {

	/**
	 * Default constructor.
	 */
	public CORSFilter() {
		// TODO Auto-generated constructor stub
	}

	/**
	 * @see Filter#destroy()
	 */
	public void destroy() {
		// TODO Auto-generated method stub
	}

	/**
	 * @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain)
	 */
	public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain)
			throws IOException, ServletException {

		HttpServletRequest request = (HttpServletRequest) servletRequest;
		System.out.println("CORSFilter HTTP Request: " + request.getMethod());

		// Authorize (allow) all domains to consume the content
		((HttpServletResponse) servletResponse).addHeader("Access-Control-Allow-Origin", "*");
		((HttpServletResponse) servletResponse).addHeader("Access-Control-Allow-Methods","GET, OPTIONS, HEAD, PUT, POST");

		HttpServletResponse resp = (HttpServletResponse) servletResponse;

		// For HTTP OPTIONS verb/method reply with ACCEPTED status code -- per CORS handshake
		if (request.getMethod().equals("OPTIONS")) {
			resp.setStatus(HttpServletResponse.SC_ACCEPTED);
			return;
		}

		// pass the request along the filter chain
		chain.doFilter(request, servletResponse);
	}

	/**
	 * @see Filter#init(FilterConfig)
	 */
	public void init(FilterConfig fConfig) throws ServletException {
		// TODO Auto-generated method stub
	}

}

Now register this filter in web.xml.

<filter>
	<filter-name>CorsFilter</filter-name>
	<filter-class>com.howtodoinjava.examples.cors.CORSFilter</filter-class>
</filter>

<filter-mapping>
	<filter-name>CorsFilter</filter-name>
	<url-pattern>/*</url-pattern>
</filter-mapping>

That’s all regarding using CORS filters in java web applications. Drop me your questions in comments section.

Happy Learning !!

References:

CORS Specification
Pre-flight requests

About Lokesh Gupta

A family guy with fun loving nature. Love computers, programming and solving everyday problems. Find me on Facebook and Twitter.

Reader Interactions

Feedback, Discussion and Comments

  1. DSIGAMANI

    HI

    If already i have implemented with CORS filter in web.xml and i am trying to implement another filter like HMAC filter in class or web.xml will it work?

  2. Olga

    //resp.setStatus(HttpServletResponse.SC_ACCEPTED);
    to get this example to work I had to comment out this status, and use a default 200ok response instead. Preflight response with 202 ACCEPTED didn’t work for me.

    • Camilo

      Hi Olga, could you tell me what you did?

  3. Kishore

    I need to add my custom Filter as a library for existing web applications without code changes in that application, kind of plug and play.

    Extended myclass with OncePerRequestFilter and Overrided dofilterInternal with my changes, but failed to add this in existing application.

    it works if I add below code @Bean
    public RequestFilter getdeta(){ return new RequestFilter(); }

    Is that possible to achieve it without adding the above code?

    Thanks in Advance

  4. JLLMNCHR

    Hi,
    how can a simple log of the JSON object received and the JSON object returned be achieved?
    Thanks!

  5. Henry

    Hi! Is it possible to modify this in order to only allow access to specific web services? THanks

    • Lokesh Gupta

      Spec suggests that “Rather than allowing a space-separated list of origins, it is either a single origin or the string “null”.

      I will suggest to use something like this. I have not tested it but it should work.

      String $http_origin = new URL(httpServletRequest.getRequestURL().toString()).getHost(); 

if($http_origin == &amp;quot;http://www.domain1.com&amp;quot; 
       || $http_origin == &amp;quot;http://www.domain2.com&amp;quot; 
       || $http_origin == &amp;quot;http://www.domain3.com&amp;quot;)
{  
    ((HttpServletResponse) servletResponse).addHeader(&amp;quot;Access-Control-Allow-Origin&amp;quot;, $http_origin);
}

  6. Luis Carlos

    The only solution on internet that really helped me. Thanks!!

  7. aakash

    since resp is instance of ServletResponse, can we chain that variable, instead of servletResponse?

  8. simer

    hello,
    i have servlet class should i insert the code in servlet class or i should create a new corsfilter class ?

    • Lokesh Gupta

      Add new servlet. Remember the SRP principle. [Link]

  9. andrew

    Hi,
    Wouldn’t this code set CORS headers with every response ? Isn’t that redundant ? Shouldn’t we only return headers for an OPTIONS call ?

  10. Sae H

    Thank you! It works perfectly! You saved my day.

  11. Juarez

    Great!!! Thanks!!

  12. leo

    whoever made this post, you should know that many people save their time of work and can doing something other that they love just because of you, thanks 🙂

  13. al

    i have a webapp that runs on one domain and sets a ContentPane (using a HttpPaneEx from echopoint) with a URL using html and .js files on another domain. Although this filter executes, the URL with html and .js do not get the headers set. Is there a way to do this?
    ApplicationInstance.getActive().getDefaultWindow().setContent(myContentPane);

    ContentPane
    httpPaneEx.setURI(http://otherdomain)

  14. MARK ANTHONY PAJUNAR

    Hi. I put a breakpoint inside a code it seems that my app doesn’t see my CORSFilter file.

    • Lokesh Gupta

      Check if its correctly registered in application.

  15. Idorenyin Obong

    Please, I can’t find any web.xml file. My project is built with Maven. However, I am seeing a logback.XML file, which starts with

    Can I place the filter config there?

    • Lokesh Gupta

      Perhaps you are using servlet 3. Use @WebFilter annotation. This is commented in above example.

      @ WebFilter(asyncSupported = true, urlPatterns = { &quot;/*&quot; })
Comments are closed on this article!