Module org.eclipse.jetty.server

Package org.eclipse.jetty.server.handler

Class CrossOriginHandler

java.lang.Object

org.eclipse.jetty.util.component.AbstractLifeCycle

org.eclipse.jetty.util.component.ContainerLifeCycle

org.eclipse.jetty.server.Handler.Abstract

org.eclipse.jetty.server.Handler.AbstractContainer

org.eclipse.jetty.server.Handler.Wrapper

org.eclipse.jetty.server.handler.CrossOriginHandler

All Implemented Interfaces:

Handler, Handler.Container, Handler.Singleton, Request.Handler, org.eclipse.jetty.util.component.Container, org.eclipse.jetty.util.component.Destroyable, org.eclipse.jetty.util.component.Dumpable, org.eclipse.jetty.util.component.Dumpable.DumpableContainer, org.eclipse.jetty.util.component.LifeCycle, org.eclipse.jetty.util.thread.Invocable

@ManagedObject
public class CrossOriginHandler
extends Handler.Wrapper

Implementation of the CORS protocol defined by the fetch standard.

This Handler should be present in the Handler tree to prevent cross site request forgery attacks.

A typical case is a web page containing a script downloaded from the origin server at domain.com, where the script makes requests to the cross server at cross.domain.com. The cross server at cross.domain.com has the CrossOriginHandler installed and will see requests such as:

 GET / HTTP/1.1
 Host: cross.domain.com
 Origin: http://domain.com
 

The cross server at cross.domain.com must decide whether these cross-origin requests are allowed or not, by configuring the CrossOriginHandler allowed origins to contain only the origin server with origin http://domain.com.

The cross server must also decide whether cross-origin requests are allowed to contain credentials (cookies and authentication headers) or not, by configuring setAllowCredentials(boolean).

By default, no origin is allowed, and credentials are not allowed.

Nested Class Summary

Nested classes/interfaces inherited from class org.eclipse.jetty.server.Handler.Abstract

Handler.Abstract.NonBlocking

Nested classes/interfaces inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle

org.eclipse.jetty.util.component.AbstractLifeCycle.AbstractLifeCycleListener, org.eclipse.jetty.util.component.AbstractLifeCycle.StopException

Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.Container

org.eclipse.jetty.util.component.Container.InheritedListener, org.eclipse.jetty.util.component.Container.Listener

Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.Dumpable

org.eclipse.jetty.util.component.Dumpable.DumpableContainer

Nested classes/interfaces inherited from interface org.eclipse.jetty.server.Handler

Handler.Abstract, Handler.AbstractContainer, Handler.Collection, Handler.Container, Handler.Sequence, Handler.Singleton, Handler.Wrapper

Nested classes/interfaces inherited from interface org.eclipse.jetty.util.thread.Invocable

org.eclipse.jetty.util.thread.Invocable.Callable, org.eclipse.jetty.util.thread.Invocable.InvocationType, org.eclipse.jetty.util.thread.Invocable.ReadyTask, org.eclipse.jetty.util.thread.Invocable.Task

Nested classes/interfaces inherited from interface org.eclipse.jetty.util.component.LifeCycle

org.eclipse.jetty.util.component.LifeCycle.Listener

Nested classes/interfaces inherited from interface org.eclipse.jetty.server.Request.Handler

Request.Handler.AbortException

Field Summary

Fields inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle

FAILED, STARTED, STARTING, STOPPED, STOPPING

Fields inherited from interface org.eclipse.jetty.util.component.Dumpable

KEY

Fields inherited from interface org.eclipse.jetty.util.thread.Invocable

__nonBlocking, NOOP

Constructor Summary

Constructors

Constructor	Description
CrossOriginHandler()

Method Summary

Modifier and Type	Method	Description
protected void	doStart()
Set<String>	getAllowedHeaders()
Set<String>	getAllowedMethods()
Set<String>	getAllowedOriginPatterns()
Set<String>	getAllowedTimingOriginPatterns()
Set<String>	getExposedHeaders()
Duration	getPreflightMaxAge()
boolean	handle(Request request, Response response, org.eclipse.jetty.util.Callback callback)	Invoked to handle the passed HTTP request and response.
boolean	isAllowCredentials()
boolean	isDeliverNonAllowedOriginRequests()
boolean	isDeliverNonAllowedOriginWebSocketUpgradeRequests()
boolean	isDeliverPreflightRequests()
void	setAllowCredentials(boolean allow)	Sets whether the cross server allows cross-origin requests to include credentials such as cookies or authentication headers.
void	setAllowedHeaders(Set<String> headers)	Sets the set of allowed headers in a cross-origin request.
void	setAllowedMethods(Set<String> methods)	Sets the set of allowed methods in a cross-origin request.
void	setAllowedOriginPatterns(Set<String> origins)	Sets the set of allowed origin regex strings in a cross-origin request.
void	setAllowedTimingOriginPatterns(Set<String> origins)	Sets the set of allowed timing origin regex strings in a cross-origin request.
void	setDeliverNonAllowedOriginRequests(boolean deliverNonAllowedOrigin)	Sets whether requests whose origin is not allowed are delivered to the child Handler.
void	setDeliverNonAllowedOriginWebSocketUpgradeRequests(boolean deliverNonAllowedOriginWebSocketUpgrade)	Sets whether WebSocket upgrade requests whose origin is not allowed are delivered to the child Handler.
void	setDeliverPreflightRequests(boolean deliver)	Sets whether preflight requests are delivered to the child Handler.
void	setExposedHeaders(Set<String> headers)	Sets the set of headers exposed in a cross-origin response.
void	setPreflightMaxAge(Duration duration)

Methods inherited from class org.eclipse.jetty.server.Handler.Wrapper

getHandler, getInvocationType, setHandler

Methods inherited from class org.eclipse.jetty.server.Handler.AbstractContainer

findContainerOf, getDescendant, getDescendants, isDynamic, setDynamic, setServer

Methods inherited from class org.eclipse.jetty.server.Handler.Abstract

destroy, doStop, getServer

Methods inherited from class org.eclipse.jetty.util.component.ContainerLifeCycle

addBean, addBean, addEventListener, addManaged, contains, dump, dump, dump, dumpObjects, dumpStdErr, getBean, getBeans, getBeans, getContainedBeans, getContainedBeans, installBean, installBean, isAuto, isManaged, isUnmanaged, manage, removeBean, removeBeans, removeEventListener, setBeans, start, stop, unmanage, updateBean, updateBean, updateBeans, updateBeans

Methods inherited from class org.eclipse.jetty.util.component.AbstractLifeCycle

getEventListeners, getState, getState, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, setEventListeners, start, stop, toString

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface org.eclipse.jetty.util.component.Container

getCachedBeans, getEventListeners

Methods inherited from interface org.eclipse.jetty.util.component.Destroyable

destroy

Methods inherited from interface org.eclipse.jetty.util.component.Dumpable

dumpSelf

Methods inherited from interface org.eclipse.jetty.util.component.Dumpable.DumpableContainer

isDumpable

Methods inherited from interface org.eclipse.jetty.server.Handler

getServer, setServer

Methods inherited from interface org.eclipse.jetty.server.Handler.Container

getContainer, getDescendant, getDescendants, getDescendants

Methods inherited from interface org.eclipse.jetty.server.Handler.Singleton

getHandlers, getTail, insertHandler, setHandler

Methods inherited from interface org.eclipse.jetty.util.component.LifeCycle

addEventListener, isFailed, isRunning, isStarted, isStarting, isStopped, isStopping, removeEventListener, start, stop

Constructor Details

CrossOriginHandler

public CrossOriginHandler()

Method Details

isAllowCredentials

@ManagedAttribute("Whether the server allows cross-origin requests to include credentials (cookies, authentication headers, etc.)")
public boolean isAllowCredentials()

Returns:

whether the cross server allows cross-origin requests to include credentials

setAllowCredentials

public void setAllowCredentials(boolean allow)

Sets whether the cross server allows cross-origin requests to include credentials such as cookies or authentication headers.

For example, when the cross server allows credentials to be included, cross-origin requests will contain cookies, otherwise they will not.

The default is true.

Parameters:

allow - whether the cross server allows cross-origin requests to include credentials

getAllowedHeaders

@ManagedAttribute("The set of allowed headers in a cross-origin request")
public Set<String> getAllowedHeaders()

Returns:

the immutable set of allowed headers in a cross-origin request

setAllowedHeaders

public void setAllowedHeaders(Set<String> headers)

Sets the set of allowed headers in a cross-origin request.

The cross server receives a preflight request that specifies the headers of the cross-origin request, and the cross server replies to the preflight request with the set of allowed headers. Browsers are responsible to check whether the headers of the cross-origin request are allowed, and if they are not produce an error.

The headers can be either the character * to indicate any header, or actual header names.

Parameters:

headers - the set of allowed headers in a cross-origin request

getAllowedMethods

@ManagedAttribute("The set of allowed methods in a cross-origin request")
public Set<String> getAllowedMethods()

Returns:

the immutable set of allowed methods in a cross-origin request

setAllowedMethods

public void setAllowedMethods(Set<String> methods)

Sets the set of allowed methods in a cross-origin request.

The cross server receives a preflight request that specifies the method of the cross-origin request, and the cross server replies to the preflight request with the set of allowed methods. Browsers are responsible to check whether the method of the cross-origin request is allowed, and if it is not produce an error.

Parameters:

methods - the set of allowed methods in a cross-origin request

getAllowedOriginPatterns

@ManagedAttribute("The set of allowed origin regex strings in a cross-origin request")
public Set<String> getAllowedOriginPatterns()

Returns:

the immutable set of allowed origin regex strings in a cross-origin request

setAllowedOriginPatterns

public void setAllowedOriginPatterns(Set<String> origins)

Sets the set of allowed origin regex strings in a cross-origin request.

The cross server receives a preflight or a cross-origin request specifying the HttpHeader.ORIGIN, and replies with the same origin if allowed, otherwise the HttpHeader.ACCESS_CONTROL_ALLOW_ORIGIN is not added to the response (and the client should fail the cross-origin or preflight request).

The origins are either the character *, or regular expressions, so dot characters separating domain segments must be escaped:

 crossOriginHandler.setAllowedOriginPatterns(Set.of("https://.*\\.domain\\.com"));
 

The default value is *.

Parameters:

origins - the set of allowed origin regex strings in a cross-origin request

getAllowedTimingOriginPatterns

@ManagedAttribute("The set of allowed timing origin regex strings in a cross-origin request")
public Set<String> getAllowedTimingOriginPatterns()

Returns:

the immutable set of allowed timing origin regex strings in a cross-origin request

setAllowedTimingOriginPatterns

public void setAllowedTimingOriginPatterns(Set<String> origins)

Sets the set of allowed timing origin regex strings in a cross-origin request.

Parameters:

origins - the set of allowed timing origin regex strings in a cross-origin request

isDeliverPreflightRequests

@ManagedAttribute("whether preflight requests are delivered to the child Handler")
public boolean isDeliverPreflightRequests()

Returns:

whether preflight requests are delivered to the child Handler

setDeliverPreflightRequests

public void setDeliverPreflightRequests(boolean deliver)

Sets whether preflight requests are delivered to the child Handler.

Default value is false.

Parameters:

deliver - whether preflight requests are delivered to the child Handler

isDeliverNonAllowedOriginRequests

@ManagedAttribute("whether requests whose origin is not allowed are delivered to the child Handler")
public boolean isDeliverNonAllowedOriginRequests()

Returns:

whether requests whose origin is not allowed are delivered to the child Handler

setDeliverNonAllowedOriginRequests

public void setDeliverNonAllowedOriginRequests(boolean deliverNonAllowedOrigin)

Sets whether requests whose origin is not allowed are delivered to the child Handler.

Default value is true.

Parameters:

deliverNonAllowedOrigin - whether requests whose origin is not allowed are delivered to the child Handler

isDeliverNonAllowedOriginWebSocketUpgradeRequests

@ManagedAttribute("whether WebSocket upgrade requests whose origin is not allowed are delivered to the child Handler")
public boolean isDeliverNonAllowedOriginWebSocketUpgradeRequests()

Returns:

whether WebSocket upgrade requests whose origin is not allowed are delivered to the child Handler

setDeliverNonAllowedOriginWebSocketUpgradeRequests

public void setDeliverNonAllowedOriginWebSocketUpgradeRequests(boolean deliverNonAllowedOriginWebSocketUpgrade)

Sets whether WebSocket upgrade requests whose origin is not allowed are delivered to the child Handler.

Default value is false.

Parameters:

deliverNonAllowedOriginWebSocketUpgrade - whether WebSocket upgrade requests whose origin is not allowed are delivered to the child Handler

getExposedHeaders

@ManagedAttribute("The set of headers exposed in a cross-origin response")
public Set<String> getExposedHeaders()

Returns:

the immutable set of headers exposed in a cross-origin response

setExposedHeaders

public void setExposedHeaders(Set<String> headers)

Sets the set of headers exposed in a cross-origin response.

The cross server receives a cross-origin request and indicates which response headers are exposed to scripts running in the browser.

Parameters:

headers - the set of headers exposed in a cross-origin response

getPreflightMaxAge

@ManagedAttribute("How long the preflight results can be cached by browsers")
public Duration getPreflightMaxAge()

Returns:

how long the preflight results can be cached by browsers

setPreflightMaxAge

public void setPreflightMaxAge(Duration duration)

Parameters:

duration - how long the preflight results can be cached by browsers

doStart

protected void doStart()
                throws Exception

Overrides:

doStart in class Handler.Abstract

Throws:

Exception

handle

public boolean handle(Request request,
 Response response,
 org.eclipse.jetty.util.Callback callback)
               throws Exception

Description copied from interface: Request.Handler

Invoked to handle the passed HTTP request and response.

The request is accepted by returning true, then handling must be concluded by completing the passed callback. The handling may be asynchronous, i.e. this method may return true and complete the given callback later, possibly from a different thread. If this method returns false, then the callback must not be invoked and any mutation on the response reversed.

Exceptions thrown by this method may be subsequently handled by an error Request.Handler, if present, otherwise a default HTTP 500 error is generated and the callback completed while writing the error response.

The simplest implementation is:

 public boolean handle(Request request, Response response, Callback callback)
 {
     callback.succeeded();
     return true;
 }
 

A HelloWorld implementation is:

 public boolean handle(Request request, Response response, Callback callback)
 {
     response.write(true, ByteBuffer.wrap("Hello World\n".getBytes(StandardCharsets.UTF_8)), callback);
     return true;
 }
 

Specified by:

handle in interface Request.Handler

Overrides:

handle in class Handler.Wrapper

Parameters:

request - the HTTP request to handle

response - the HTTP response to handle

callback - the callback to complete when the handling is complete

Returns:

True if and only if the request will be handled, a response generated and the callback eventually called. This may occur within the scope of the call to this method, or asynchronously some time later. If false is returned, then this method must not generate a response, nor complete the callback.

Throws:

Exception - if there is a failure during the handling. Catchers cannot assume that the callback will be called and thus should attempt to complete the request as if a false had been returned.

See Also:

• Request.Handler.AbortException