Cross-origin resource sharing (CORS) in java and in .net C#

Resource:

1.Cross-origin resource sharing
https://en.wikipedia.org/wiki/Cross-origin_resource_sharing#How_CORS_works
2.https://www.w3.org/TR/cors/
3. Example:
 3.1.Servlet - CORS: http://www.logicbig.com/tutorials/java-ee-tutorial/java-servlet/servlet-cors/
 3.2.Spring CORS support: http://www.logicbig.com/tutorials/spring-framework/spring-web-mvc/spring-cors/
3.3.Servlet - Servlet with Tomcat CorsFilter example:http://www.logicbig.com/tutorials/java-ee-tutorial/java-servlet/servlet-with-tomcat-cors-filter/

 //for Preflight
  @Override
  protected void doOptions(HttpServletRequest req, HttpServletResponse resp)
          throws ServletException, IOException {
      setAccessControlHeaders(resp);
      resp.setStatus(HttpServletResponse.SC_OK);
  }

  private void setAccessControlHeaders(HttpServletResponse resp) {
      resp.setHeader("Access-Control-Allow-Origin", "http://localhost:9000");
      resp.setHeader("Access-Control-Allow-Methods", "GET");
  }
 
 
From: https://amodernstory.com/2014/12/27/using-cors-headers-with-java-example/ 
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class CORSFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {}

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) servletRequest;
    System.out.println("Request: " + request.getMethod());

    HttpServletResponse resp = (HttpServletResponse) servletResponse;
    resp.addHeader("Access-Control-Allow-Origin","*");
    resp.addHeader("Access-Control-Allow-Methods","GET,POST");
    resp.addHeader("Access-Control-Allow-Headers","Origin, X-Requested-With, Content-Type, Accept");

    // Just ACCEPT and REPLY OK if OPTIONS
    if ( request.getMethod().equals("OPTIONS") ) {
        resp.setStatus(HttpServletResponse.SC_OK);
        return;
    }
    chain.doFilter(request, servletResponse);
}

 @Override
public void destroy() {}
}
To web.xml just add
<filter> <filter-name>CorsFilter</filter-name> <filter-class>CORSFilter</filter-class> </filter> <filter-mapping> <filter-name>CorsFilter</filter-name> <url-pattern>*</url-pattern> </filter-mapping>
 
 
4.My Test Example:
Java SE Version:1.7.0_72
 
package com.jin.util
// to  <filter-class>com.jin.util.CorsResponseFilter</filter-class>
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; 
public class CorsResponseFilter implements Filter { 
 ...


     public void doFilter(ServletRequest request, ServletResponse response,
                FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
//        System.out.println("Request: " + request.getMethod());
        HttpServletResponse resp = (HttpServletResponse) response;
        //resp.addHeader("Access-Control-Allow-Origin", "*"); //"*" cannot work.
        resp.addHeader("Access-Control-Allow-Origin", "http://localhost:3200");
        resp.addHeader("Access-Control-Allow-Methods", "GET,POST");
        resp.addHeader("Access-Control-Allow-Headers",
                       "Origin, X-Requested-With,Content-Type, Accept");

        // Just ACCEPT and REPLY OK if OPTIONS
        if (req.getMethod().equals("OPTIONS")) {
            resp.setStatus(HttpServletResponse.SC_OK);
            return;
        }
        chain.doFilter(req, response);
    }




In web.xml

<filter>

  <filter-name>CorsFilter</filter-name>

  <filter-class>com.jin.util.CorsResponseFilter</filter-class>

</filter>

<filter-mapping>

  <filter-name>CorsFilter</filter-name>

  <url-pattern>/*</url-pattern>

</filter-mapping>



showing the following Error if no CorsResponseFilter: 

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://192.168.10.116:8080/jin3/servlet/LoginBean?action=loginVerify. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).





Other Example:

 From: http://stackoverflow.com/questions/18264334/cross-origin-resource-sharing-with-spring-security


public void doFilter(ServletRequest request, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {

    LOGGER.info("Start API::CORSFilter");
    HttpServletRequest oRequest = (HttpServletRequest) request;
    HttpServletResponse response = (HttpServletResponse) res;
    response.setHeader("Access-Control-Allow-Origin", "*");
    response.setHeader("Access-Control-Allow-Methods", "POST,PUT, GET, OPTIONS, DELETE");
    response.setHeader("Access-Control-Max-Age", "3600");
    response.setHeader("Access-Control-Allow-Headers",
            " Origin, X-Requested-With, Content-Type, Accept,AUTH-TOKEN");
    if (oRequest.getMethod().equals("OPTIONS")) {
        response.flushBuffer();
    } else {
        chain.doFilter(request, response);
    }
}


Ref:


http://stackoverflow.com/questions/40053767/angularjs-springsecurity-cors-issue 


http://restlet.com/company/blog/2015/12/15/understanding-and-using-cors/ 






.Net WEB API C#


In class WebApiApplication : System.Web.HttpApplication


protected void Application_BeginRequest()
{
if (Request.Headers.AllKeys.Contains("Origin") && Request.HttpMethod == "OPTIONS")
{
Response.AddHeader("Access-Control-Allow-Headers", "Authorization, Origin,Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers");
Response.Flush();
}
//Response.AddHeader("Access-Control-Allow-Origin", "*");//Response.AddHeader("X-Frame-Options", "ALLOW-FROM *");
//if (Request.HttpMethod == "OPTIONS")//{//    Response.AddHeader("Access-Control-Allow-Methods", "GET, POST, DELETE, PATCH, PUT, OPTONS");
//    Response.AddHeader("Access-Control-Allow-Headers", "Content-Type, Accept, Authorization, Origin");
//    Response.AddHeader("Access-Control-Max-Age", "1000000");//Response.AddHeader("Access-Control-Allow-Credentials", "true");
//    Response.End();}
//if ((Request.Headers.AllKeys.Contains("Origin") || Request.Headers.AllKeys.Contains("origin")) && Request.HttpMethod == "OPTIONS")
//{//    Response.Flush();//}
}






































评论











发表评论






























此博客中的热门博文









XML, XSL, HTML





















 The code in this section is that an XSLT transform is used to translate XML input data to HTML output.  Ref: https://docs.oracle.com/javase/tutorial/jaxp/xslt/transformingXML.html  Note -  The article1a.xsl , which is from in XSLT examples . The following code is for joy.    import java.awt.Desktop;  import java.io.*;  import java.net.URISyntaxException;  import javax.xml.parsers.DocumentBuilder;  import javax.xml.parsers.DocumentBuilderFactory;  import javax.xml.parsers.ParserConfigurationException;  import javax.xml.transform.Transformer;  import javax.xml.transform.TransformerConfigurationException;  import javax.xml.transform.TransformerException;  import javax.xml.transform.TransformerFactory;  import javax.xml.transform.dom.DOMSource;  import javax.xml.transform.stream.StreamResult;  import javax.xml.transform.stream.StreamSource;   // For write operation  import org.w3c.dom.Document;  import org.w3c.dom.Element;  import org.xml.sax.SAXException;     public class Stylizer { ...








阅读全文










Input in element.eleme.io





















 Input  Input data using mouse or keyboard.   Input is a controlled component, it always shows Vue binding value .  Under normal circumstances, input  event should be handled. Its handler should update component's binding value (or use v-model ). Otherwise, input box's value will not change.  Do not support v-model  modifiers.   ¶  Basic usage         < el-input  placeholder = "Please input"  v-model = "input" > </ el-input >   < script >  export  default  {   data() {     return  {       input : ''      }   } } </ script >      Hide    ¶  Disabled         Disable the Input with the disabled  attribute.   < el-input    placeholder = "Please input"    v-model = "input"    :disabled = "true" >  </ el-input >   < script >  export  default  {   data() {     return  {       input : ''      }   } } </ script >         ¶  Clearable         Make the Input clearable with the...








阅读全文










Data URI是由RFC 2397  ACE





















https://www.rfc-editor.org/rfc/rfc2397 http://codingpy.com/article/how-to-turn-your-browser-into-code-editor/  https://ace.c9.io/build/kitchen-sink.html  https://c9.io/  https://angular-ui.github.io/                           The "data" URL scheme   Status of this Memo     This document specifies an Internet standards track protocol for the    Internet community, and requests discussion and suggestions for    improvements.  Please refer to the current edition of the "Internet    Official Protocol Standards" (STD 1) for the standardization state    and status of this protocol.  Distribution of this memo is unlimited.  Copyright Notice     Copyright (C) The Internet Society (1998).  All Rights Reserved.  1 . Abstract      A new URL scheme, "data", is defined. It allows inclusion of small    data items as "immediate" data, as if it had been included    externally.  2 . Description      Some applications that use URLs also have a need to embed (small...








阅读全文