<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<html>
<head>
<link type="text/css" rel="stylesheet" href="/resources/site.css">
<script src='/resources/space.js'></script>
<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
<meta name="keywords" content="business integration, EAI, SOA, Service Oriented Architecture, web services, SOAP, JBI, JMS, WSDL, XML, EDI, Electronic Data Interchange, standards support, integration standards, application integration, middleware, software, solutions, services, CXF, open source">
<meta name="description" content="Apache CXF, Services Framework - JAX-RS CORS">
<link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shCoreCXF.css">
<link type="text/css" rel="stylesheet" href="/resources/highlighter/styles/shThemeCXF.css">
<script src='/resources/highlighter/scripts/shCore.js'></script>
<script src='/resources/highlighter/scripts/shBrushXml.js'></script>
<script src='/resources/highlighter/scripts/shBrushJava.js'></script>
<script>
SyntaxHighlighter.defaults['toolbar'] = false;
SyntaxHighlighter.all();
</script>
<title>
Apache CXF -- JAX-RS CORS
</title>
</head>
<body onload="init()">
<table width="100%" cellpadding="0" cellspacing="0">
<tr>
<td id="cell-0-0" colspan="2">&nbsp;</td>
<td id="cell-0-1">&nbsp;</td>
<td id="cell-0-2" colspan="2">&nbsp;</td>
</tr>
<tr>
<td id="cell-1-0">&nbsp;</td>
<td id="cell-1-1">&nbsp;</td>
<td id="cell-1-2">
<!-- Banner -->
<div class="banner" id="banner"><div><table border="0" cellpadding="0" cellspacing="0" width="100%"><tr><td align="left" colspan="1" nowrap>
<a shape="rect" href="http://cxf.apache.org/" title="Apache CXF"><span style="font-weight: bold; font-size: 170%; color: white">Apache CXF</span></a>
</td><td align="right" colspan="1" nowrap>
<a shape="rect" href="http://www.apache.org/" title="The Apache Software Foundation"><img border="0" alt="ASF Logo" src="http://cxf.apache.org/images/asf-logo.png"></a>
</td></tr></table></div></div>
<!-- Banner -->
<div id="top-menu">
<table border="0" cellpadding="1" cellspacing="0" width="100%">
<tr>
<td>
<div align="left">
<!-- Breadcrumbs -->
<a href="index.html">Index</a>&nbsp;&gt;&nbsp;<a href="restful-services.html">RESTful Services</a>&nbsp;&gt;&nbsp;<a href="jax-rs.html">JAX-RS</a>&nbsp;&gt;&nbsp;<a href="jax-rs-cors.html">JAX-RS CORS</a>
<!-- Breadcrumbs -->
</div>
</td>
<td>
<div align="right">
<!-- Quicklinks -->
<div id="quicklinks"><p><a shape="rect" href="http://cxf.apache.org/download.html">Download</a> | <a shape="rect" href="http://cxf.apache.org/docs/index.html">Documentation</a></p></div>
<!-- Quicklinks -->
</div>
</td>
</tr>
</table>
</div>
</td>
<td id="cell-1-3">&nbsp;</td>
<td id="cell-1-4">&nbsp;</td>
</tr>
<tr>
<td id="cell-2-0" colspan="2">&nbsp;</td>
<td id="cell-2-1">
<table>
<tr valign="top">
<td height="100%">
<div id="wrapper-menu-page-right">
<div id="wrapper-menu-page-top">
<div id="wrapper-menu-page-bottom">
<div id="menu-page">
<!-- NavigationBar -->
<div id="navigation"><ul class="alternate"><li><a shape="rect" href="overview.html">Overview</a></li><li><a shape="rect" href="how-tos.html">How-Tos</a></li><li><a shape="rect" href="frontends.html">Frontends</a></li><li><a shape="rect" href="databindings.html">DataBindings</a></li><li><a shape="rect" href="transports.html">Transports</a></li><li><a shape="rect" href="configuration.html">Configuration</a></li><li><a shape="rect" href="debugging-and-logging.html">Debugging and Logging</a></li><li><a shape="rect" href="tools.html">Tools</a></li><li><a shape="rect" href="restful-services.html">RESTful Services</a></li><li><a shape="rect" href="wsdl-bindings.html">WSDL Bindings</a></li><li><a shape="rect" href="service-routing.html">Service Routing</a></li><li><a shape="rect" href="dynamic-languages.html">Dynamic Languages</a></li><li><a shape="rect" href="ws-support.html">WS-* Support</a></li><li><a shape="rect" href="advanced-integration.html">Advanced Integration</a></li><li><a shape="rect" href="deployment.html">Deployment</a></li><li><a shape="rect" href="schemas-and-namespaces.html">Use of Schemas and Namespaces</a></li></ul><hr><ul class="alternate"><li><p>Search</p></li></ul><form enctype="application/x-www-form-urlencoded" method="get" id="cse-search-box" action="http://www.google.com/cse">
<div>
<input type="hidden" name="cx" value="002890367768291051730:o99qiwa09y4">
<input type="hidden" name="ie" value="UTF-8">
<input type="text" name="q" size="21">
<input type="submit" name="sa" value="Search">
</div>
</form>
<script type="text/javascript" src="http://www.google.com/cse/brand?form=cse-search-box&amp;lang=en"></script><hr><ul class="alternate"><li><a shape="rect" href="http://cxf.apache.org/javadoc/latest/">API 3.2.x (Javadoc)</a></li><li><a shape="rect" href="http://cxf.apache.org/javadoc/latest-3.1.x/">API 3.1.x (Javadoc)</a></li><li><a shape="rect" href="http://cxf.apache.org/">CXF Website</a></li></ul><p>&#160;</p><p><a shape="rect" class="external-link" href="http://www.apache.org/events/current-event.html"><span class="confluence-embedded-file-wrapper"><img class="confluence-embedded-image confluence-external-resource" src="http://www.apache.org/events/current-event-125x125.png" data-image-src="http://www.apache.org/events/current-event-125x125.png"></span></a></p></div>
<!-- NavigationBar -->
</div>
</div>
</div>
</div>
</td>
<td height="100%">
<!-- Content -->
<div class="wiki-content">
<div id="ConfluenceContent"><p><span style="font-size:2em;font-weight:bold">JAX-RS: CORS</span>
&#160;</p><p><style type="text/css">/*<![CDATA[*/
div.rbtoc1636141719642 {padding: 0px;}
div.rbtoc1636141719642 ul {list-style: disc;margin-left: 0px;}
div.rbtoc1636141719642 li {margin-left: 0px;padding-left: 0px;}
/*]]>*/</style></p><div class="toc-macro rbtoc1636141719642">
<ul class="toc-indentation"><li><a shape="rect" href="#JAXRSCORS-Introduction">Introduction</a></li><li><a shape="rect" href="#JAXRSCORS-Mavendependencies">Maven dependencies</a></li><li><a shape="rect" href="#JAXRSCORS-Examples">Examples</a></li></ul>
</div><h1 id="JAXRSCORS-Introduction">Introduction</h1><p>CXF 2.5.1 introduces the <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/">initial support</a> for the <a shape="rect" class="external-link" href="http://www.w3.org/TR/cors/" rel="nofollow">Cross-Origin Resource Sharing</a> specification that "defines a mechanism to enable client-side cross-origin requests".</p><p>This <a shape="rect" class="external-link" href="https://developer.mozilla.org/en/http_access_control" rel="nofollow">Mozilla.org page</a> provides a very good explanation of CORS.</p><p>Please see the <a shape="rect" class="external-link" href="http://htmlpreview.github.io/?https://github.com/apache/cxf/blob/master/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/package.html" rel="nofollow">package.html</a> for a good introduction to CORS and the way it is supported in CXF JAX-RS.</p><p>Note that the <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharingFilter.java">CORS filter</a> uses the JAX-RS selection algorithm to ensure that the JAX-RS resource method capable of handling the request does exist.</p><h1 id="JAXRSCORS-Mavendependencies">Maven dependencies</h1><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default">&lt;dependency&gt;
&lt;groupId&gt;org.apache.cxf&lt;/groupId&gt;
&lt;artifactId&gt;cxf-rt-rs-security-cors&lt;/artifactId&gt;
&lt;version&gt;2.6.1&lt;/version&gt;
&lt;/dependency&gt;
</pre>
</div></div><h1 id="JAXRSCORS-Examples">Examples</h1><p>Here is the test code showing how <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/cors/src/main/java/org/apache/cxf/rs/security/cors/CrossOriginResourceSharing.java" rel="nofollow">CrossOriginResourceSharing</a> annotations can be applied at the resource and individual method levels.</p><p>Note that the allowed origin is restricted to "http://area51.mil:31415" by the 'allowOrigins' property, which may contain multiple URI values. A boolean 'allowAllOrigins' property can be used instead (to simplify testing, or when allowing all origins is deemed secure enough within a given environment). Take particular care when combining it with 'allowCredentials = true': if every origin is accepted for credentialed requests, any web site the user visits can read the authenticated responses.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
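<pre class="brush: java; gutter: false; theme: Default">/**
 * Test resource showing CrossOriginResourceSharing applied at the class level
 * and on individual methods.
 *
 * Class-level policy: only the single origin listed in allowOrigins is
 * accepted, and credentialed requests are allowed for it. Methods without
 * their own annotation presumably fall back to this policy - confirm against
 * the CORS filter documentation.
 */
@CrossOriginResourceSharing(
    // Explicit allow-list; each entry is a full origin (scheme, host, port).
    allowOrigins = {
        "http://area51.mil:31415"
    },
    // Credentialed requests are permitted, so keep the origin list narrow.
    allowCredentials = true,
    // Value for Access-Control-Max-Age (preflight cache lifetime, in seconds).
    maxAge = 1,
    // Request headers a cross-origin caller may send.
    allowHeaders = {
        "X-custom-1", "X-custom-2"
    },
    // Response headers a cross-origin caller may read.
    exposeHeaders = {
        "X-custom-3", "X-custom-4"
    }
)
public class AnnotatedCorsServer {

    // Injected request headers; read by options() to inspect Origin.
    @Context
    private HttpHeaders headers;

    /**
     * Echoes the path segment back as plain text.
     *
     * @param echo value taken from the request path
     * @return the same value, unchanged
     */
    @GET
    @Produces("text/plain")
    @Path("/simpleGet/{echo}")
    public String simpleGet(@PathParam("echo") String echo) {
        return echo;
    }

    /**
     * JSON POST endpoint with no method-level CORS annotation.
     *
     * @return an empty 200 response
     */
    @POST
    @Produces("application/json")
    @Consumes("application/json")
    @Path("/unannotatedPost")
    public Response postSomething() {
        return Response.ok().build();
    }

    /**
     * DELETE endpoint with no method-level CORS annotation.
     *
     * @return an empty 200 response
     */
    @DELETE
    @Path("/delete")
    public Response deleteSomething() {
        return Response.ok().build();
    }

    /**
     * Performs the preflight check itself instead of leaving it to the CORS
     * filter (LocalPreflight).
     *
     * @return a 200 response carrying CORS headers only when the request's
     *         Origin is the one origin this method accepts
     */
    @OPTIONS
    @Path("/")
    @LocalPreflight
    public Response options() {
        // getFirst() yields null when the request has no Origin header, so a
        // plain (non-CORS) OPTIONS request falls through to the bare 200
        // below instead of failing on get(0) of a missing header list.
        String origin = headers.getRequestHeaders().getFirst("Origin");
        if ("http://area51.mil:3333".equals(origin)) {
            return Response.ok()
                // Access-Control-Allow-Methods is a comma-separated list.
                .header(CorsHeaderConstants.HEADER_AC_ALLOW_METHODS, "DELETE, PUT")
                .header(CorsHeaderConstants.HEADER_AC_ALLOW_CREDENTIALS, "false")
                // Send the fixed allow-listed value, never the raw request header.
                .header(CorsHeaderConstants.HEADER_AC_ALLOW_ORIGIN, "http://area51.mil:3333")
                .build();
        } else {
            // Unknown or missing origin: answer without any CORS headers, so
            // a browser will not let the cross-origin request proceed.
            return Response.ok().build();
        }
    }

    /**
     * GET endpoint carrying its own method-level CORS policy.
     *
     * @param echo value taken from the request path
     * @return the same value, unchanged
     */
    @GET
    @CrossOriginResourceSharing(
        allowOrigins = { "http://area51.mil:31415" },
        allowCredentials = true,
        exposeHeaders = { "X-custom-3", "X-custom-4" }
    )
    @Produces("text/plain")
    @Path("/annotatedGet/{echo}")
    public String annotatedGet(@PathParam("echo") String echo) {
        return echo;
    }

    /**
     * A method annotated to test preflight: PUT is not a simple CORS method,
     * so a browser sends an OPTIONS preflight before calling it cross-origin.
     *
     * @param input the plain-text request body
     * @return the request body, unchanged
     */
    @PUT
    @Consumes("text/plain")
    @Produces("text/plain")
    @Path("/annotatedPut")
    public String annotatedPut(String input) {
        return input;
    }
}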
</pre>
</div></div><p>The server configuration fragment:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default">&lt;beans&gt;
&lt;bean id="cors-filter" class="org.apache.cxf.rs.security.cors.CrossOriginResourceSharingFilter"/&gt;
&lt;jaxrs:server id="service" address="/rest"&gt;
&lt;jaxrs:serviceBeans&gt;
&lt;ref bean="cors-server" /&gt;
&lt;/jaxrs:serviceBeans&gt;
&lt;jaxrs:providers&gt;
&lt;ref bean="cors-filter" /&gt;
&lt;/jaxrs:providers&gt;
&lt;/jaxrs:server&gt;
&lt;bean id="cors-server" scope="prototype"
class="org.apache.cxf.systest.jaxrs.cors.AnnotatedCorsServer" /&gt;
&lt;/beans&gt;
</pre>
</div></div></div>
</div>
<!-- Content -->
</td>
</tr>
</table>
</td>
<td id="cell-2-2" colspan="2">&nbsp;</td>
</tr>
<tr>
<td id="cell-3-0">&nbsp;</td>
<td id="cell-3-1">&nbsp;</td>
<td id="cell-3-2">
<div id="footer">
<!-- Footer -->
<div id="site-footer">
<a href="http://cxf.apache.org/privacy-policy.html">Privacy Policy</a> -
(<a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=27835071">edit page</a>)
(<a href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=27835071&amp;showComments=true&amp;showCommentArea=true#addcomment">add comment</a>)<br>
Apache CXF, CXF, Apache, the Apache feather logo are trademarks of The Apache Software Foundation.<br>
All other marks mentioned may be trademarks or registered trademarks of their respective owners.
</div>
<!-- Footer -->
</div>
</td>
<td id="cell-3-3">&nbsp;</td>
<td id="cell-3-4">&nbsp;</td>
</tr>
<tr>
<td id="cell-4-0" colspan="2">&nbsp;</td>
<td id="cell-4-1">&nbsp;</td>
<td id="cell-4-2" colspan="2">&nbsp;</td>
</tr>
</table>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-4458903-1");
pageTracker._trackPageview();
} catch(err) {}</script>
</body>
</html>