Skip to main content

CORS implementation using Java Filter

What is CORS

CORS is cross origin resource sharing which allows or block the cross domain calls from a web application between different domains. By default you are able to make Ajax calls to other domain. To enable it that provider also need to add certain headers to allow the requester domain.

CORS Headers

Below are the required headers to implement the CORS.
  1. Access-Control-Allow-Origin
  2. In this header we specify the domain from which we want to allow the access, for example: example.com.
  3. Access-Control-Allow-Credentials
  4. This header specifies if it can pass authorization details in cross domain request. for example: true/false.
  5. Access-Control-Max-Age
  6. We can use this header to specify how long we want to cache the preflight request details like allowed methods, allowed headers etc. We can specify value in seconds and we can cache them for a long time as such details are not change frequently.
  7. Access-Control-Allow-Methods
  8. Here we specify the methods we want to allow for request, for example: GET, POST, DELETE, OPTIONS, PATCH.
  9. Access-Control-Allow-Headers
  10. Here we specify the header names which are allowed during the request.

Java Filter Implementation

We will use Java filter to implement these CORS headers. We can implement this filter in java web application along with Spring, Struts or JSF frameworks also. However those frameworks have their own mechanism to implement CORS.
We have used a header "referer" here to get the requester domain, so we can allows cross-domain call by putting it in response header. Below is the complete code for Filter class.
public class CorsFilter implements Filter{
    @Override
    public void init(FilterConfig config){}

    @Override
    public void destroy(){}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res,
                          FilterChain chain)throws ServletException, IOException{

        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String referer = request.getHeader("referer");
        
        if(referer!=null && referer.length()>1){

            if(referer.endsWith("/")){
                referer = referer.substring(0, referer.length()-1);
            }
            response.addHeader("Access-Control-Allow-Origin", referer);
            response.addHeader("Access-Control-Allow-Credentials", "true");
            response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, PATCH, OPTIONS");
            response.addHeader("Access-Control-Allow-Headers", "x-requested-with,Content-Type,Access-Control-Allow-Methods,Access-Control-Allow-Origin");
            response.addHeader("Access-Control-Max-Age", "86400");//24 hours
        }
        
        chain.doFilter(request, response);
    }
}

Web config changes

We are ready with out filter code and now we need to register it using the web configuration (web.xml). Below is the code for filter registration.
        <filter>
            <filter-name>corsFilter</filter-name>
            <filter-class>com.ttj.web.cors.CorsFilter</filter-class>
        </filter>
        
        <filter-mapping>
            <filter-name>corsFilter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
Now if you call the configured URLs using java script/Ajax then it will populate the required response headers to allow the cross-domain access. Please note that the code I shown here, is configured to allow any domain. If you want to allow some specific then you can maintain some list of domains to check before setting the headers.

Comments

Post a Comment

Popular Posts

Setting up kerberos in Mac OS X

Kerberos in MAC OS X Kerberos authentication allows the computers in same domain network to authenticate certain services with prompting the user for credentials. MAC OS X comes with Heimdal Kerberos which is an alternate implementation of the kerberos and uses LDAP as identity management database. Here we are going to learn how to setup a kerberos on MAC OS X which we will configure latter in our application. Installing Kerberos In MAC we can use Homebrew for installing any software package. Homebrew makes it very easy to install the kerberos by just executing a simple command as given below. brew install krb5 Once installation is complete, we need to set the below export commands in user's profile which will make the kerberos utility commands and compiler available to execute from anywhere. Open user's bash profile: vi ~/.bash_profile Add below lines: export PATH=/usr/local/opt/krb5/bin:$PATH export PATH=/usr/local/opt/krb5/sbin:$PATH export LDFLAGS=&

Why HashMap key should be immutable in java

HashMap is used to store the data in key, value pair where key is unique and value can be store or retrieve using the key. Any class can be a candidate for the map key if it follows below rules. 1. Overrides hashcode() and equals() method.   Map stores the data using hashcode() and equals() method from key. To store a value against a given key, map first calls key's hashcode() and then uses it to calculate the index position in backed array by applying some hashing function. For each index position it has a bucket which is a LinkedList and changed to Node from java 8. Then it will iterate through all the element and will check the equality with key by calling it's equals() method if a match is found, it will update the value with the new value otherwise it will add the new entry with given key and value. In the same way it check for the existing key when get() is called. If it finds a match for given key in the bucket with given hashcode(), it will return the value other

Entity to DTO conversion in Java using Jackson

It's very common to have the DTO class for a given entity in any application. When persisting data, we use entity objects and when we need to provide the data to end user/application we use DTO class. Due to this we may need to have similar properties on DTO class as we have in our Entity class and to share the data we populate DTO objects using entity objects. To do this we may need to call getter on entity and then setter on DTO for the same data which increases number of code line. Also if number of DTOs are high then we need to write lot of code to just get and set the values or vice-versa. To overcome this problem we are going to use Jackson API and will see how to do it with minimal code only. Maven dependency <dependency> <groupId>com.fasterxml.jackson.core</groupId> <artifactId>jackson-databind</artifactId> <version>2.9.9</version> </dependency> Entity class Below is

Multiple data source with Spring boot, batch and cloud task

Here we will see how we can configure different datasource for application and batch. By default, Spring batch stores the job details and execution details in database. If separate data source is not configured for spring batch then it will use the available data source in your application if configured and create batch related tables there. Which may be the unwanted burden on application database and we would like to configure separate database for spring batch. To overcome this situation we will configure the different datasource for spring batch using in-memory database, since we don't want to store batch job details permanently. Other thing is the configuration of  spring cloud task in case of multiple datasource and it must point to the same data source which is pointed by spring batch. In below sections, we will se how to configure application, batch and cloud task related data sources. Application Data Source Define the data source in application properties or yml con