Difference between revisions of "Jetty/Feature/Cross Origin Filter"

From Eclipsepedia

< Jetty‎ | Feature
Jump to: navigation, search
(New page: == Cross Origin Filter ==)
 
Line 1: Line 1:
== Cross Origin Filter ==
+
== Introduction ==
 +
HTTP requests made from a script are subject to well known restrictions, the most prominent being the [http://en.wikipedia.org/wiki/Same_origin_policy same domain policy].
 +
 
 +
Firefox 3.5 introduced support for W3C's [http://dev.w3.org/2006/waf/access-control/ Access Control for Cross-Site Requests] specification, which requires a compliant client (for example, Firefox 3.5) and a compliant server (via this servlet filter).
 +
 
 +
This filter implements the required bits to support the server-side contract of the specification, and will allow a compliant client to perform cross-domain requests via the standard XMLHttpRequest object.
 +
 
 +
This is extremely useful in [http://cometd.org Cometd] web applications where it is now possible to perform cross-domain long polling without using script injection (also known as the JSONP transport), and therefore removing all the downsides that the JSONP transport has (it's chattier, does not react quickly to failures, has a message size limit, uses GET instead of POST, etc.).
 +
 
 +
== Configuration ==
 +
This is a regular servlet filter that must be configured in <tt>web.xml</tt>.
 +
 
 +
It supports the following configuration parameters:
 +
<ul>
 +
<li><b>allowedOrigins</b>, a comma separated list of origins that are
 +
allowed to access the resources. Default value is <b>*</b>, meaning all
 +
origins</li>
 +
<li><b>allowedMethods</b>, a comma separated list of HTTP methods that
 +
are allowed to be used when accessing the resources. Default value is
 +
<b>GET,POST</b></li>
 +
<li><b>allowedHeaders</b>, a comma separated list of HTTP headers that
 +
are allowed to be specified when accessing the resources. Default value
 +
is <b>X-Requested-With</b></li>
 +
<li><b>preflightMaxAge</b>, the number of seconds that preflight requests
 +
can be cached by the client. Default value is <b>1800</b> seconds, or 30
 +
minutes</li>
 +
<li><b>allowCredentials</b>, a boolean indicating if the resource allows
 +
requests with credentials. Default value is <b>false</b></li>
 +
</ul></p>
 +
<p>A typical configuration could be:
 +
<pre>
 +
&lt;web-app ...&gt;
 +
    ...
 +
    &lt;filter&gt;
 +
        &lt;filter-name&gt;cross-origin&lt;/filter-name&gt;
 +
        &lt;filter-class&gt;org.eclipse.jetty.servlets.CrossOriginFilter&lt;/filter-class&gt;
 +
    &lt;/filter&gt;
 +
    &lt;filter-mapping&gt;
 +
        &lt;filter-name&gt;cross-origin&lt;/filter-name&gt;
 +
        &lt;url-pattern&gt;/cometd/*&lt;/url-pattern&gt;
 +
    &lt;/filter-mapping&gt;
 +
    ...
 +
&lt;/web-app&gt;
 +
</pre></p>

Revision as of 08:56, 29 July 2009

Introduction

HTTP requests made from a script are subject to well known restrictions, the most prominent being the same domain policy.

Firefox 3.5 introduced support for W3C's Access Control for Cross-Site Requests specification, which requires a compliant client (for example, Firefox 3.5) and a compliant server (via this servlet filter).

This filter implements the required bits to support the server-side contract of the specification, and will allow a compliant client to perform cross-domain requests via the standard XMLHttpRequest object.

This is extremely useful in Cometd web applications where it is now possible to perform cross-domain long polling without using script injection (also known as the JSONP transport), and therefore removing all the downsides that the JSONP transport has (it's chattier, does not react quickly to failures, has a message size limit, uses GET instead of POST, etc.).

Configuration

This is a regular servlet filter that must be configured in web.xml.

It supports the following configuration parameters:

  • allowedOrigins, a comma separated list of origins that are allowed to access the resources. Default value is *, meaning all origins
  • allowedMethods, a comma separated list of HTTP methods that are allowed to be used when accessing the resources. Default value is GET,POST
  • allowedHeaders, a comma separated list of HTTP headers that are allowed to be specified when accessing the resources. Default value is X-Requested-With
  • preflightMaxAge, the number of seconds that preflight requests can be cached by the client. Default value is 1800 seconds, or 30 minutes
  • allowCredentials, a boolean indicating if the resource allows requests with credentials. Default value is false
</p>

A typical configuration could be:

<web-app ...>
    ...
    <filter>
        <filter-name>cross-origin</filter-name>
        <filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>cross-origin</filter-name>
        <url-pattern>/cometd/*</url-pattern>
    </filter-mapping>
    ...
</web-app>