Class CORSInterceptor<A extends ExchangeContext,B extends Exchange<A>>

java.lang.Object
io.inverno.mod.security.http.cors.CORSInterceptor<A,B>
Type Parameters:
A - the type of the exchange context
B - the type of exchange handled by the handler
All Implemented Interfaces:
ExchangeInterceptor<A,B>

public class CORSInterceptor<A extends ExchangeContext,B extends Exchange<A>> extends Object implements ExchangeInterceptor<A,B>

A security interceptor that implements Cross-Origin Resource Sharing (CORS) as defined by the HTTP CORS protocol.

Since:
1.5
Author:
Jeremy Kuhn
  • Field Details

    • allowedOrigins

      protected final Set<CORSInterceptor.Origin> allowedOrigins
      The set of allowed origins.
    • allowedOriginsPattern

      protected final Set<Pattern> allowedOriginsPattern
      The set of allowed origins patterns.
    • allowCredentials

      protected final boolean allowCredentials
      Flag indicating whether credentials must be allowed.
    • allowedHeaders

      protected final String allowedHeaders
      The allowed headers.
    • allowedMethods

      protected final String allowedMethods
      The allowed methods.
    • exposedHeaders

      protected final String exposedHeaders
      The exposed headers.
    • maxAge

      protected final Integer maxAge
      The max age in seconds for CORS information cache.
    • allowPrivateNetwork

      protected final boolean allowPrivateNetwork
      Flag indicating whether private network must be allowed.
    • isWildcard

      protected final boolean isWildcard
      Flag indicating whether the interceptor is a wildcard interceptor (allow all origins).
    • isStatic

      protected final boolean isStatic
      Flag indicating whether the interceptor is a static interceptor (allow one static origin).
  • Constructor Details

    • CORSInterceptor

      protected CORSInterceptor(Set<CORSInterceptor.Origin> allowedOrigins, Set<Pattern> allowedOriginsPattern, boolean allowCredentials, Set<String> allowedHeaders, Set<Method> allowedMethods, Set<String> exposedHeaders, Integer maxAge, boolean allowPrivateNetwork)

      Creates a CORS interceptor.

      Parameters:
      allowedOrigins - the set of allowed origins
      allowedOriginsPattern - the set of allowed origins patterns
      allowCredentials - true to allow credentials, false otherwise
      allowedHeaders - the set of allowed headers
      allowedMethods - the set of allowed methods
      exposedHeaders - the set of exposed headers
      maxAge - the max age
      allowPrivateNetwork - true to allow private network, false otherwise
  • Method Details

    • builder

      public static CORSInterceptor.Builder builder(String... allowedOrigins)

      Returns a CORS interceptor builder for the specified allowed origins.

      Parameters:
      allowedOrigins - a list of static allowed origins
      Returns:
      a new CORS interceptor builder
    • intercept

      public Mono<? extends B> intercept(B exchange)
      Description copied from interface: ExchangeInterceptor

      Intercepts the exchange before the exchange handler is invoked.

      Specified by:
      intercept in interface ExchangeInterceptor<A extends ExchangeContext,B extends Exchange<A>>
      Parameters:
      exchange - the server exchange to handle
      Returns:
      a Mono emitting the exchange or an instrumented exchange to continue the exchange handling chain or an empty Mono to stop the exchange handling chain
    • isSameOrigin

      protected boolean isSameOrigin(B exchange, CORSInterceptor.Origin origin)

      Determines whether the request was issued from the same origin.

      Parameters:
      exchange - the exchange
      origin - the target origin
      Returns:
      true if the origin is the same, false otherwise or if it could not be determined
    • checkOrigin

      protected void checkOrigin(CORSInterceptor.Origin origin) throws BadRequestException, ForbiddenException

      Determines whether the origin is a valid origin.

      Parameters:
      origin - the origin to check
      Throws:
      ForbiddenException - if the origin is not authorized
      BadRequestException
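
The origin decision that the allowedOrigins, allowedOriginsPattern, allowCredentials and isWildcard fields and the checkOrigin method describe, shown as an added stand-alone illustration; it is not Inverno's implementation and does not use its API. The class name, the headersFor method, the sample origins, and the rule that an interceptor with no configured origin is a wildcard are assumptions of this example.

```java
import java.util.*;
import java.util.regex.Pattern;

// Added illustration: a stand-alone model of a CORS origin decision, not Inverno code.
public class CorsOriginDecisionExample {
    final Set<String> allowedOrigins;          // exact origins
    final Set<Pattern> allowedOriginsPattern;  // patterns matched against the whole origin
    final boolean allowCredentials;
    final boolean isWildcard;                  // assumption: no origin configured means allow all

    CorsOriginDecisionExample(Set<String> origins, Set<Pattern> patterns, boolean allowCredentials) {
        this.allowedOrigins = origins;
        this.allowedOriginsPattern = patterns;
        this.allowCredentials = allowCredentials;
        this.isWildcard = origins.isEmpty() && patterns.isEmpty();
        // Browsers reject "Access-Control-Allow-Origin: *" on credentialed requests, and
        // echoing every origin instead would let any site read authenticated responses.
        if (isWildcard && allowCredentials) {
            throw new IllegalArgumentException("credentials require an explicit origin allow-list");
        }
    }

    // Returns the CORS response headers, or empty when the origin is refused
    // (the point where the documented checkOrigin throws ForbiddenException).
    Optional<Map<String, String>> headersFor(String origin) {
        Map<String, String> headers = new LinkedHashMap<>();
        if (isWildcard) {
            headers.put("Access-Control-Allow-Origin", "*");
            return Optional.of(headers);
        }
        // matches() anchors the pattern to the full string; find() would accept look-alike suffixes.
        boolean allowed = allowedOrigins.contains(origin)
            || allowedOriginsPattern.stream().anyMatch(p -> p.matcher(origin).matches());
        if (!allowed) return Optional.empty();
        headers.put("Access-Control-Allow-Origin", origin);
        headers.put("Vary", "Origin");  // the response depends on the request's Origin header
        if (allowCredentials) headers.put("Access-Control-Allow-Credentials", "true");
        return Optional.of(headers);
    }

    public static void main(String[] args) {
        var cors = new CorsOriginDecisionExample(Set.of("https://admin.example.org"),
            Set.of(Pattern.compile("https://[a-z0-9-]+\\.apps\\.example\\.org")), true);
        // Constructed sample Origin header values.
        for (String origin : List.of("https://admin.example.org", "https://shop.apps.example.org",
                "https://shop.apps.example.org.attacker.test", "null")) {
            System.out.println(origin + " -> "
                + cors.headersFor(origin).map(Object::toString).orElse("refused"));
        }
    }
}
```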