Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Span
style

font-size:2em;font-weight:bold

...

JAX-RS:

...

CORS
 

Table of Contents

Introduction

CXF 2.5.1

...

introduces

...

the

...

initial

...

support

...

for

...

the

...

Cross-Origin

...

Resource

...

Sharing

...

specification

...

that

...

"defines

...

a

...

mechanism

...

to

...

enable

...

client-side

...

cross-origin

...

requests".

This Mozilla.org page provides a very good explanation of CORS.

Please see the package.html for a good introduction to CORS and the way it is supported in CXF JAX-RS.

Note that the CORS filter uses the JAX-RS selection algorithm to ensure that the JAX-RS resource method capable of handling the request does exist.

Maven dependencies

Code Block
xml
xml
<dependency>
  <groupId>org.apache.cxf</groupId>
  <artifactId>cxf-rt-rs-security-cors</artifactId>
  <version>2.6.1</version>
</dependency>

Examples

Here is the test code showing how CrossOriginResourceSharing annotations can be applied at the resource and individual method levels.

Note that an origin is restricted to "http://area51.mil:31415" by the 'allowOrigins' property, which may contain multiple URI values. A boolean 'allowAllOrigins' property can be used instead (to simplify the testing or when it is deemed it is secure enough within a given environment to allow for all the origins).

Code Block
java
java


Please see the [package.html|http://svn.apache.org/repos/asf/cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/package.html] for a good introduction of CORS and the way it is supported in CXF JAX-RS.

Note that the [CORS filter|http://svn.apache.org/repos/asf/cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharingFilter.java] uses the JAX-RS selection algorithm to ensure that the JAX-RS resource method capable of handling the  request does exist.

h1. Examples

Here is the test code showing how [CrossOriginResourceSharing|http://svn.apache.org/repos/asf/cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/cors/CrossOriginResourceSharing.java] annotations can be applied at the resource and individual method levels:

{code:java}
@CrossOriginResourceSharing(
        allowOrigins = {
           "http://area51.mil:31415"
        }, 
        allowCredentials = true, 
        maxAge = 1, 
        allowHeaders = {
           "X-custom-1", "X-custom-2"
        }, 
        exposeHeaders = {
           "X-custom-3", "X-custom-4"
        }
)
public class AnnotatedCorsServer {
    @Context
    private HttpHeaders headers;

    @GET
    @Produces("text/plain")
    @Path("/simpleGet/{echo}")
    public String simpleGet(@PathParam("echo") String echo) {
        return echo;
    }
    
    @POST
    @Produces("application/json")
    @Consumes("application/json")
    @Path("/unannotatedPost")
    public Response postSomething() {
        return Response.ok().build();
    }

    @DELETE
    @Path("/delete")
    public Response deleteSomething() {
        return Response.ok().build();
    }

    // This method will do a preflight check itself, see a localPreflight property
    @OPTIONS
    @Path("/delete")
    @CrossOriginResourceSharing(
       localPreflight = true
 @LocalPreflight
   )
    public Response deleteOptionsoptions() {
        String origin = headers.getRequestHeader("Origin").get(0);
        if ("http://area51.mil:3333".equals(origin)) {
            return Response.ok()
                           .header(CorsHeaderConstants.HEADER_AC_ALLOW_METHODS, "DELETE PUT")
                           .header(CorsHeaderConstants.HEADER_AC_ALLOW_CREDENTIALS, "false")
                           .header(CorsHeaderConstants.HEADER_AC_ALLOW_ORIGIN, "http://area51.mil:3333")
                           .build();
        } else {
            return Response.ok().build();
        }
    }

    @GET
    @CrossOriginResourceSharing(
         allowOrigins = { "http://area51.mil:31415" }, 
         allowCredentials = true, 
         exposeHeaders = { "X-custom-3", "X-custom-4" }
    )
    @Produces("text/plain")
    @Path("/annotatedGet/{echo}")
    public String annotatedGet(@PathParam("echo") String echo) {
        return echo;
    }

    /**
     * A method annotated to test preflight.
     * 
     * @param input
     * @return
     */
    @PUT
    @Consumes("text/plain")
    @Produces("text/plain")
    @Path("/annotatedPut")
    public String annotatedPut(String input) {
        return input;
    }
}

{code}

The

...

server

...

configuration

...

fragment:

Code Block
xml
xml
<beans>


{code:xml}

<beans>
        <bean id="cors-filter" class="org.apache.cxf.rs.jaxrssecurity.cors.CrossOriginResourceSharingFilter"/>

	<jaxrs:server id="service" address="/rest">
		<jaxrs:serviceBeans>
			<ref bean="cors-server" />
		</jaxrs:serviceBeans>
		<jaxrs:providers>
			<ref bean="cors-filter" />
		</jaxrs:providers>
	</jaxrs:server>

        <bean id="cors-server" scope="prototype" 
	      class="org.apache.cxf.systest.jaxrs.cors.AnnotatedCorsServer" /> 

</beans>

{code}