Class CorsFilter

java.lang.Object
jakarta.servlet.GenericFilter
org.apache.catalina.filters.CorsFilter
All Implemented Interfaces:
Filter, FilterConfig, Serializable

public class CorsFilter extends GenericFilter

A Filter that enable client-side cross-origin requests by implementing W3C's CORS (Cross-Origin Resource Sharing) specification for resources. Each HttpServletRequest request is inspected as per specification, and appropriate response headers are added to HttpServletResponse.

By default, it also sets following request attributes, that help to determine the nature of the request downstream.

  • cors.isCorsRequest: Flag to determine if the request is a CORS request. Set to true if a CORS request; false otherwise.
  • cors.request.origin: The Origin URL, i.e. the URL of the page from where the request is originated.
  • cors.request.type: Type of request. Possible values:
    • SIMPLE: A request which is not preceded by a pre-flight request.
    • ACTUAL: A request which is preceded by a pre-flight request.
    • PRE_FLIGHT: A pre-flight request.
    • NOT_CORS: A normal same-origin request.
    • INVALID_CORS: A cross-origin request which is invalid.
  • cors.request.headers: Request headers sent as 'Access-Control-Request-Headers' header, for pre-flight request.
If you extend this class and override one or more of the getXxx() methods, consider whether you also need to override doFilter(ServletRequest, ServletResponse, FilterChain) and add appropriate locking so that the doFilter() method executes with a consistent configuration.
See Also: