CORS in Java EE with CDI and JAX-RS

Preflights, Minimal Filter Use, and Interceptors


Introduction

A warm welcome from the internrocket.com development team! We’ve been developing a network to provide businesses with a means to find great employees and a way for people to find their perfect career. To learn more, check us out: it’s free to sign up, browse, and post opportunities!

In this guide we’ll cover a simple way to implement the strictest CORS requirements on the Java EE platform using CDI interceptors in conjunction with JAX-RS. We’ll be implementing features like Access-Control-Expose-Headers, Access-Control-Allow-Credentials, and more.

CORS (Cross-Origin Resource Sharing)

CORS is a standardized way for browsers to request data from domains other than the page’s own origin. For technical details, see the Mozilla Developer Network documentation on CORS.

Overview

internrocket.com developers run a local copy of the client code during development. While some of us also run a local version of the server-side API, others connect to a shared development API. We implemented CORS for local development purposes and for API access by external developers. Either setup requires cross-domain communication: while the client code may be served from https://localhost:8080, the server-side API could be on https://localhost:8081 or https://api.example.com.

Browsers treat differing ports as different origins, so as long as complex requests are used (type application/json, requests with custom headers, or POST requests with special body content-types), either CORS has to be implemented on the server side or the same-origin policy has to be disabled in the browser (not recommended for security reasons). Some CORS requests require a “preflight”, which is a simple OPTIONS request that expects CORS headers back. The headers returned depend on the sorts of data you would like the client to send on the upcoming request.

The Code

Java EE code
  • CrossDomain.java — Annotation declaration for use by the Interceptor
  • CrossDomainFilter.java — Filter that handles OPTIONS preflight requests
  • CrossDomainInterceptor.java — The CDI interceptor for handling CORS
  • ExampleEndpoint.java — A JAX-RS class with an implementation of the interceptor
  • beans.xml — Registration point for your interceptors
  • web.xml — Container configuration where you’ll register your filter

CrossDomainFilter

The filter is as simple as possible: it handles only the preflight (OPTIONS) request and allows any custom headers requested by the client. If you want to allow only certain headers, set the “Access-Control-Allow-Headers” header to a specific value. Additionally, if you do not want to allow credentials (cookies/custom headers) to be passed with the request, just remove the “Access-Control-Allow-Credentials” header.

CrossDomainInterceptor

The interceptor handles the actual request; its annotation can be applied to JAX-RS methods or classes that use the “Response” return type. Make sure you put your own domain restriction logic in the interceptor when you implement it. If you use custom headers, make sure you change the “Access-Control-Expose-Headers” header to contain your header name. You can even inject @SessionScoped beans directly into the interceptor!
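
One way to write the domain restriction logic described above, as an added example that is not internrocket.com's CrossDomainInterceptor.java. It assumes Java EE 7 (javax.* namespaces, CDI 1.1 or later); the allowlist entries and the X-Example-Token header name are constructed placeholders.

```java
// Added example, not the original project's code. Assumes Java EE 7 (javax.*), CDI 1.1+.
import java.lang.annotation.*;
import java.util.*;
import javax.inject.Inject;
import javax.interceptor.*;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.core.Response;

// Interceptor binding; in a real project this is public and lives in CrossDomain.java.
@InterceptorBinding
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
@interface CrossDomain {}

@CrossDomain
@Interceptor
public class CrossDomainInterceptor {

    // Constructed allowlist (assumption); replace with the origins you actually trust.
    static final Set<String> ALLOWED_ORIGINS = new HashSet<>(Arrays.asList(
            "https://localhost:8080", "https://app.example.com"));

    // Hypothetical custom header name, used only for illustration.
    static final String EXPOSED_HEADERS = "X-Example-Token";

    @Inject
    private HttpServletRequest request; // built-in CDI bean since CDI 1.1

    // Exact string match only: no prefix, suffix or regex matching, and "null" never passes.
    static boolean isAllowed(String origin) {
        return origin != null && ALLOWED_ORIGINS.contains(origin);
    }

    @AroundInvoke
    public Object addCorsHeaders(InvocationContext ctx) throws Exception {
        Object result = ctx.proceed();
        String origin = request.getHeader("Origin");
        if (!(result instanceof Response) || !isAllowed(origin)) {
            return result; // no CORS headers: the browser withholds the response from the page
        }
        return Response.fromResponse((Response) result)
                .header("Access-Control-Allow-Origin", origin) // "*" is rejected with credentials
                .header("Access-Control-Allow-Credentials", "true")
                .header("Access-Control-Expose-Headers", EXPOSED_HEADERS)
                .header("Vary", "Origin") // stop caches reusing one origin's response for another
                .build();
    }
}
```

Leaving the headers off only stops the browser from exposing the response to the calling page; the endpoint method has already run, so authorization and CSRF protection remain separate checks.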

JAX-RS Endpoints and @CrossDomain

Check out ExampleEndpoint.java for a preview of how to use the interceptor.

Configuration

Configuration for the filter and interceptor is pretty straightforward and is provided in this example in beans.xml and web.xml.

Results

In conclusion, after implementing the filter-interceptor combo on your JAX-RS endpoints you can request any content-type, transmit custom headers, and even send cookies across domains.

Cheers!

Send us a tweet @internrocket if you have any questions or suggestions! Thanks for reading!

About internrocket.com

internrocket.com uses a mix of micro-projects and internships to intelligently match people with perfect job fits at rocket speed. internrocket.com works with high schools and universities to help give students the experience they need and gives small businesses access to the internship programs that were always just out of their reach, right from their phone.

Students and community members who are looking for a better way to find out what a dream job means to them while they build the experience it takes to land their dream job should sign up today for free.

Organizations and small businesses that need help and want to work with people who are engaged in their mission can create a profile and start posting internships for free today.
