Class CorsFilter

java.lang.Object

io.micronaut.http.server.cors.CorsFilter

All Implemented Interfaces:

Ordered, ConditionalFilter

@ServerFilter("/**")
public class CorsFilter
extends Object
implements Ordered, ConditionalFilter

Responsible for handling CORS requests and responses.

Since:

1.0

Author:

James Kleeh, Graeme Rocher

Field Summary

Fields

Modifier and Type	Field	Description
static final int	CORS_FILTER_ORDER
protected final HttpServerConfiguration.CorsConfiguration	corsConfiguration

Fields inherited from interface Ordered

HIGHEST_PRECEDENCE, LOWEST_PRECEDENCE

Constructor Summary

Constructors

Constructor	Description
CorsFilter(HttpServerConfiguration.CorsConfiguration corsConfiguration, @Nullable StaticResourceResolver staticResourceResolver, Router router, @Nullable HttpHostResolver httpHostResolver)

Method Summary

Modifier and Type	Method	Description
final @Nullable HttpResponse<?>	filterPreFlightRequest(HttpRequest<?> request)
final @Nullable HttpResponse<?>	filterRequest(HttpRequest<?> request)
final void	filterResponse(HttpRequest<?> request, MutableHttpResponse<?> response)
int	getOrder()
boolean	isEnabled(HttpRequest<?> request)	The filter condition.
protected void	setAllowCredentials(CorsOriginConfiguration config, MutableHttpResponse<?> response)
protected void	setAllowHeaders(List<?> optionalAllowHeaders, MutableHttpResponse<?> response)
protected void	setAllowMethods(HttpMethod method, MutableHttpResponse<?> response)
protected void	setAllowPrivateNetwork(CorsOriginConfiguration config, MutableHttpResponse<?> response)	Sets the HTTP Header "Access-Control-Allow-Private-Network" in the response to true, if the CorsOriginConfiguration.isAllowPrivateNetwork() is true.
protected void	setExposeHeaders(List<String> exposedHeaders, MutableHttpResponse<?> response)
protected void	setMaxAge(long maxAge, MutableHttpResponse<?> response)
protected void	setOrigin(@Nullable String origin, MutableHttpResponse<?> response)
protected void	setVary(MutableHttpResponse<?> response)
protected boolean	shouldDenyToPreventDriveByLocalhostAttack(CorsOriginConfiguration corsOriginConfiguration, HttpRequest<?> request)
protected boolean	shouldDenyToPreventDriveByLocalhostAttack(String origin, HttpRequest<?> request)

Methods inherited from class Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

CORS_FILTER_ORDER

public static final int CORS_FILTER_ORDER

corsConfiguration

protected final HttpServerConfiguration.CorsConfiguration corsConfiguration

Constructor Details

CorsFilter

@Inject
public CorsFilter(HttpServerConfiguration.CorsConfiguration corsConfiguration,
 @Nullable StaticResourceResolver staticResourceResolver,
 Router router,
 @Nullable HttpHostResolver httpHostResolver)

Parameters:

corsConfiguration - The CorsOriginConfiguration instance

staticResourceResolver - Static Resource Resolver

router - Router

httpHostResolver - HTTP Host resolver

Method Details

isEnabled

public boolean isEnabled(HttpRequest<?> request)

Description copied from interface: ConditionalFilter

The filter condition.

Specified by:

isEnabled in interface ConditionalFilter

Parameters:

request - The request

Returns:

true if the filter is enabled

filterPreFlightRequest

@PreMatching
@RequestFilter
@Internal
public final @Nullable HttpResponse<?> filterPreFlightRequest(HttpRequest<?> request)

filterRequest

@RequestFilter
@Internal
public final @Nullable HttpResponse<?> filterRequest(HttpRequest<?> request)

filterResponse

@ResponseFilter
@Internal
public final void filterResponse(HttpRequest<?> request,
 MutableHttpResponse<?> response)

shouldDenyToPreventDriveByLocalhostAttack

protected boolean shouldDenyToPreventDriveByLocalhostAttack(CorsOriginConfiguration corsOriginConfiguration,
 HttpRequest<?> request)

Parameters:

corsOriginConfiguration - CORS Origin configuration for request's HTTP Header origin.

request - HTTP Request

Returns:

true if the resolved host is localhost or 127.0.0.1 address and the CORS configuration has any for allowed origins.

shouldDenyToPreventDriveByLocalhostAttack

protected boolean shouldDenyToPreventDriveByLocalhostAttack(String origin,
 HttpRequest<?> request)

Parameters:

origin - HTTP Header HttpHeaders.ORIGIN value.

request - HTTP Request

Returns:

true if the resolved host is localhost or 127.0.0.1 and origin is not one of these then deny it.

getOrder

public int getOrder()

Specified by:

getOrder in interface Ordered

Returns:

The order of the object. Defaults to zero (no order).

setAllowCredentials

protected void setAllowCredentials(CorsOriginConfiguration config,
 MutableHttpResponse<?> response)

Parameters:

config - The CorsOriginConfiguration instance

response - The MutableHttpResponse object

setAllowPrivateNetwork

protected void setAllowPrivateNetwork(CorsOriginConfiguration config,
 MutableHttpResponse<?> response)

Sets the HTTP Header "Access-Control-Allow-Private-Network" in the response to true, if the CorsOriginConfiguration.isAllowPrivateNetwork() is true.

Parameters:

config - The CorsOriginConfiguration instance

response - The MutableHttpResponse object

setExposeHeaders

protected void setExposeHeaders(List<String> exposedHeaders,
 MutableHttpResponse<?> response)

Parameters:

exposedHeaders - A list of the exposed headers

response - The MutableHttpResponse object

setVary

protected void setVary(MutableHttpResponse<?> response)

Parameters:

response - The MutableHttpResponse object

setOrigin

protected void setOrigin(@Nullable String origin,
 MutableHttpResponse<?> response)

Parameters:

origin - The origin

response - The MutableHttpResponse object

setAllowMethods

protected void setAllowMethods(HttpMethod method,
 MutableHttpResponse<?> response)

Parameters:

method - The HttpMethod object

response - The MutableHttpResponse object

setAllowHeaders

protected void setAllowHeaders(List<?> optionalAllowHeaders,
 MutableHttpResponse<?> response)

Parameters:

optionalAllowHeaders - A list with optional allow headers

response - The MutableHttpResponse object

setMaxAge

protected void setMaxAge(long maxAge,
 MutableHttpResponse<?> response)

Parameters:

maxAge - The max age

response - The MutableHttpResponse object