Package io.micronaut.http.server.cors

Class CorsFilter

java.lang.Object

io.micronaut.http.server.cors.CorsFilter

All Implemented Interfaces:

Ordered, ConditionalFilter

@ServerFilter("/**")
public class CorsFilter
extends Object
implements Ordered, ConditionalFilter

Responsible for handling CORS requests and responses.

Since:

1.0

Author:

James Kleeh, Graeme Rocher

Field Summary

Fields

Modifier and Type	Field	Description
static final int	CORS_FILTER_ORDER
protected final HttpServerConfiguration.CorsConfiguration	corsConfiguration

Fields inherited from interface io.micronaut.core.order.Ordered

HIGHEST_PRECEDENCE, LOWEST_PRECEDENCE

Constructor Summary

Constructors

Constructor	Description
CorsFilter(HttpServerConfiguration.CorsConfiguration corsConfiguration, @Nullable HttpHostResolver httpHostResolver)	Deprecated, for removal: This API element is subject to removal in a future version. use CorsFilter(io.micronaut.http.server.HttpServerConfiguration.CorsConfiguration,@io.micronaut.core.annotation.Nullable io.micronaut.http.server.util.HttpHostResolver,io.micronaut.web.router.Router) instead.
CorsFilter(HttpServerConfiguration.CorsConfiguration corsConfiguration, @Nullable HttpHostResolver httpHostResolver, Router router)

Method Summary

Modifier and Type	Method	Description
final @Nullable HttpResponse<?>	filterPreFlightRequest(HttpRequest<?> request)
final @Nullable HttpResponse<?>	filterRequest(HttpRequest<?> request)
final void	filterResponse(HttpRequest<?> request, MutableHttpResponse<?> response)
int	getOrder()
boolean	isEnabled(HttpRequest<?> request)	The filter condition.
protected void	setAllowCredentials(CorsOriginConfiguration config, MutableHttpResponse<?> response)
protected void	setAllowHeaders(List<?> optionalAllowHeaders, MutableHttpResponse<?> response)
protected void	setAllowMethods(HttpMethod method, MutableHttpResponse<?> response)
protected void	setAllowPrivateNetwork(CorsOriginConfiguration config, MutableHttpResponse<?> response)	Sets the HTTP Header "Access-Control-Allow-Private-Network" in the response to true, if the CorsOriginConfiguration.isAllowPrivateNetwork() is true.
protected void	setExposeHeaders(List<String> exposedHeaders, MutableHttpResponse<?> response)
protected void	setMaxAge(long maxAge, MutableHttpResponse<?> response)
protected void	setOrigin(@Nullable String origin, @NonNull MutableHttpResponse<?> response)
protected void	setVary(MutableHttpResponse<?> response)
protected boolean	shouldDenyToPreventDriveByLocalhostAttack(@NonNull CorsOriginConfiguration corsOriginConfiguration, @NonNull HttpRequest<?> request)
protected boolean	shouldDenyToPreventDriveByLocalhostAttack(@NonNull String origin, @NonNull HttpRequest<?> request)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

CORS_FILTER_ORDER

public static final int CORS_FILTER_ORDER

corsConfiguration

protected final HttpServerConfiguration.CorsConfiguration corsConfiguration

Constructor Details

CorsFilter

@Deprecated(since="4.7",
            forRemoval=true)
public CorsFilter(HttpServerConfiguration.CorsConfiguration corsConfiguration,
 @Nullable
 @Nullable HttpHostResolver httpHostResolver)

Deprecated, for removal: This API element is subject to removal in a future version.

use CorsFilter(io.micronaut.http.server.HttpServerConfiguration.CorsConfiguration,@io.micronaut.core.annotation.Nullable io.micronaut.http.server.util.HttpHostResolver,io.micronaut.web.router.Router) instead.

Parameters:

corsConfiguration - The CorsOriginConfiguration instance

httpHostResolver - HTTP Host resolver

CorsFilter

@Inject
public CorsFilter(HttpServerConfiguration.CorsConfiguration corsConfiguration,
 @Nullable
 @Nullable HttpHostResolver httpHostResolver,
 Router router)

Parameters:

corsConfiguration - The CorsOriginConfiguration instance

httpHostResolver - HTTP Host resolver

router - Router

Method Details

isEnabled

public boolean isEnabled(HttpRequest<?> request)

Description copied from interface: ConditionalFilter

The filter condition.

Specified by:

isEnabled in interface ConditionalFilter

Parameters:

request - The request

Returns:

true if the filter is enabled

filterPreFlightRequest

@PreMatching
@RequestFilter
@Nullable
@Internal
public final @Nullable HttpResponse<?> filterPreFlightRequest(HttpRequest<?> request)

filterRequest

@RequestFilter
@Nullable
@Internal
public final @Nullable HttpResponse<?> filterRequest(HttpRequest<?> request)

filterResponse

@ResponseFilter
@Internal
public final void filterResponse(HttpRequest<?> request,
 MutableHttpResponse<?> response)

shouldDenyToPreventDriveByLocalhostAttack

protected boolean shouldDenyToPreventDriveByLocalhostAttack(@NonNull
 @NonNull CorsOriginConfiguration corsOriginConfiguration,
 @NonNull
 @NonNull HttpRequest<?> request)

Parameters:

corsOriginConfiguration - CORS Origin configuration for request's HTTP Header origin.

request - HTTP Request

Returns:

true if the resolved host is localhost or 127.0.0.1 address and the CORS configuration has any for allowed origins.

shouldDenyToPreventDriveByLocalhostAttack

protected boolean shouldDenyToPreventDriveByLocalhostAttack(@NonNull
 @NonNull String origin,
 @NonNull
 @NonNull HttpRequest<?> request)

Parameters:

origin - HTTP Header HttpHeaders.ORIGIN value.

request - HTTP Request

Returns:

true if the resolved host is localhost or 127.0.0.1 and origin is not one of these then deny it.

getOrder

public int getOrder()

Specified by:

getOrder in interface Ordered

Returns:

The order of the object. Defaults to zero (no order).

setAllowCredentials

protected void setAllowCredentials(CorsOriginConfiguration config,
 MutableHttpResponse<?> response)

Parameters:

config - The CorsOriginConfiguration instance

response - The MutableHttpResponse object

setAllowPrivateNetwork

protected void setAllowPrivateNetwork(CorsOriginConfiguration config,
 MutableHttpResponse<?> response)

Sets the HTTP Header "Access-Control-Allow-Private-Network" in the response to true, if the CorsOriginConfiguration.isAllowPrivateNetwork() is true.

Parameters:

config - The CorsOriginConfiguration instance

response - The MutableHttpResponse object

setExposeHeaders

protected void setExposeHeaders(List<String> exposedHeaders,
 MutableHttpResponse<?> response)

Parameters:

exposedHeaders - A list of the exposed headers

response - The MutableHttpResponse object

setVary

protected void setVary(MutableHttpResponse<?> response)

Parameters:

response - The MutableHttpResponse object

setOrigin

protected void setOrigin(@Nullable
 @Nullable String origin,
 @NonNull
 @NonNull MutableHttpResponse<?> response)

Parameters:

origin - The origin

response - The MutableHttpResponse object

setAllowMethods

protected void setAllowMethods(HttpMethod method,
 MutableHttpResponse<?> response)

Parameters:

method - The HttpMethod object

response - The MutableHttpResponse object

setAllowHeaders

protected void setAllowHeaders(List<?> optionalAllowHeaders,
 MutableHttpResponse<?> response)

Parameters:

optionalAllowHeaders - A list with optional allow headers

response - The MutableHttpResponse object

setMaxAge

protected void setMaxAge(long maxAge,
 MutableHttpResponse<?> response)

Parameters:

maxAge - The max age

response - The MutableHttpResponse object