CORS (Cross-Origin Resource Sharing) Support (5.8.2+)

CORS Support

Since 5.8.2, Tapestry (specifically tapestry-http, a dependency of tapestry-core) provides out-of-the-box CORS (Cross-Origin Resource Sharing) support. It covers most scenarios with just configuration symbols, while also allowing easy customization of almost all of its logic.

CORS support isn't enabled by default; it has to be switched on explicitly (see tapestry.cors-enabled below).

The implementation is based around 3 services:

  1. CorsHandler defines the overall logic, mostly deciding whether the current request requires CORS processing and calling the appropriate code to handle it. It delegates almost all of the actual CORS processing to CorsHandlerHelper.
  2. CorsHandlerHelper implements the logic for determining whether a CORS request is a pre-flight one, which HTTP headers to set and which values to use. The default implementation of this service uses the configuration symbols described below.
  3. CorsHttpServletRequestFilter is both a service and an HttpServletRequestFilter; it is called on every incoming HTTP request and delegates the CORS processing to CorsHandler instances. The CorsHttpServletRequestFilter service has an ordered configuration of CorsHandler instances. The default CorsHandler implementation, contributed so that it runs last, executes the CORS processing for every request that reaches it.

If you need dynamic logic for determining the allowed origins, for setting the HTTP headers in the response, or for deciding whether a CORS request is a pre-flight one, you should advise, decorate or override the CorsHandlerHelper service.

If you want to exclude some requests from CORS processing, implement a CorsHandler which returns CorsHandlerResult.CONTINUE_REQUEST_PROCESSING (i.e. skip CORS processing) for those requests and CorsHandlerResult.CONTINUE_CORS_PROCESSING for the ones you want CORS processing to happen on. You should also contribute your CorsHandler implementation to the CorsHttpServletRequestFilter service's configuration; since the default handler is contributed last, yours is consulted before it.
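As an added example (not Tapestry's own code), the following shows a custom CorsHandler that keeps CORS processing away from a hypothetical /internal/ path prefix, together with the application-module contribution that registers it with CorsHttpServletRequestFilter. The module, class and package names and the path prefix are assumptions; the handle(HttpServletRequest, HttpServletResponse) signature and the packages of CorsHandler and CorsHandlerResult are assumed here and should be checked against the 5.8.2 javadoc.

```java
package com.example.app.services;

import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.tapestry5.http.CorsHandlerResult;
import org.apache.tapestry5.http.services.CorsHandler;
import org.apache.tapestry5.ioc.OrderedConfiguration;

/**
 * Added example, not part of Tapestry: application module that registers a
 * custom CorsHandler ahead of the default one (which Tapestry contributes last).
 */
public class AppModule
{
    public static void contributeCorsHttpServletRequestFilter(
            OrderedConfiguration<CorsHandler> configuration)
    {
        // Contributed without ordering constraints: the default handler is the
        // last one, so this handler is consulted first for every request.
        configuration.addInstance("InternalPath", InternalPathCorsHandler.class);
    }
}

/**
 * Skips CORS processing for an assumed /internal/ prefix. Because no
 * Access-Control-* headers are written for those responses, browsers refuse
 * to hand them to cross-origin script; same-origin and non-browser callers
 * are unaffected.
 */
class InternalPathCorsHandler implements CorsHandler
{
    // Assumed prefix, relative to the servlet context path.
    private static final String SKIPPED_PREFIX = "/internal/";

    @Override
    public CorsHandlerResult handle(HttpServletRequest request,
                                    HttpServletResponse response) throws IOException
    {
        String path = pathWithinContext(request);

        if (path.startsWith(SKIPPED_PREFIX))
        {
            // Stop the CORS chain here and hand the request straight on:
            // no CORS headers are set for these paths.
            return CorsHandlerResult.CONTINUE_REQUEST_PROCESSING;
        }

        // Let the next CorsHandler (ultimately the default one) handle CORS.
        return CorsHandlerResult.CONTINUE_CORS_PROCESSING;
    }

    /**
     * Servlet path plus path info, i.e. the decoded path the container used
     * for mapping, rather than the raw request URI. Matching on this value
     * keeps the prefix check independent of the deployment context path and
     * of how the client encoded the URL.
     */
    private static String pathWithinContext(HttpServletRequest request)
    {
        String servletPath = request.getServletPath();
        String pathInfo = request.getPathInfo();
        if (servletPath == null)
        {
            servletPath = "";
        }
        return pathInfo == null ? servletPath : servletPath + pathInfo;
    }
}
```

The decision is made on the container's decoded view of the path, not on the raw URI, so percent-encoding in the request does not change which branch is taken. If the excluded paths should reject cross-origin browser calls outright rather than merely stay silent, enforce that in the endpoint itself; omitting CORS headers only prevents the calling page from reading the response.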

Configuration

The configuration symbols used by the Tapestry CORS support are defined as constants in TapestryHttpSymbolConstants, with aliases in SymbolConstants.

tapestry.cors-enabled

SymbolConstants.CORS_ENABLED – Defines whether the CORS (Cross-Origin Resource Sharing) support should be enabled or not. Default value is false. If you set this to true, you should also set at least SymbolConstants.CORS_ALLOWED_ORIGINS, since with the default empty origin list no cross-origin request is allowed.

Added in 5.8.2

tapestry.cors-allowed-origins

SymbolConstants.CORS_ALLOWED_ORIGINS – Comma-delimited list of origins allowed for CORS. The special value * means allowing all origins. This is used by the default implementation of CorsHandlerHelper.getAllowedOrigin(HttpServletRequest). Default value is the empty string (i.e. no origins allowed, so CORS is effectively disabled). List each origin in full, as the browser serializes it in the Origin header (scheme, host and, when non-default, port, e.g. https://app.example.com); a bare host name or a trailing slash will not match. Avoid * for anything that is not genuinely public: together with credentials it either breaks (browsers refuse Access-Control-Allow-Origin: * on credentialed requests) or, if the requesting origin is echoed back instead, lets any website make authenticated calls to the application.

Added in 5.8.2

tapestry.cors-allow-credentials

SymbolConstants.CORS_ALLOW_CREDENTIALS – Boolean value defining whether the Access-Control-Allow-Credentials HTTP header should be set automatically in the response for CORS requests. Default value is false. This is used by the default implementation of CorsHandlerHelper.configureCredentials(HttpServletResponse). Only enable this with an explicit list of trusted origins in tapestry.cors-allowed-origins: the header tells browsers to send cookies and HTTP authentication on cross-origin requests and to let the calling page read the response, so every allowed origin gains the user's authenticated access to the application.

Added in 5.8.2

tapestry.cors-allow-methods

SymbolConstants.CORS_ALLOW_METHODS – Value to be used in the Access-Control-Allow-Methods header in CORS preflight request responses. This is used by the default implementation of CorsHandlerHelper.configureMethods(HttpServletResponse). Default value is GET,HEAD,PUT,PATCH,POST,DELETE. Trim this to the methods your cross-origin clients actually need; the default advertises every mutating method to every allowed origin.

Added in 5.8.2

tapestry.cors-allowed-headers

SymbolConstants.CORS_ALLOWED_HEADERS – Value to be used in the Access-Control-Allow-Headers header in CORS preflight request responses. This is used by the default implementation of CorsHandlerHelper.configureAllowedHeaders(HttpServletResponse), which only sets the header if the value isn't empty. Default value is the empty string. Without it, browsers only send CORS-safelisted request headers cross-origin (for example Content-Type with a form or plain-text value), so headers such as Authorization or a JSON Content-Type must be listed here explicitly. Note that for credentialed requests browsers treat * in this header as a literal header name, not as a wildcard.

Added in 5.8.2

tapestry.cors-expose-headers

SymbolConstants.CORS_EXPOSE_HEADERS – Value to be used in the Access-Control-Expose-Headers header in CORS responses. This is used by the default implementation of CorsHandlerHelper.configureExposeHeaders(HttpServletResponse), which only sets the header if the value isn't empty. Default value is the empty string. The header names the response headers, beyond the CORS-safelisted ones such as Content-Type, that client-side script in the calling origin may read; browsers act on it in the response to the actual request, not in the preflight response.

Added in 5.8.2

tapestry.cors-max-age

SymbolConstants.CORS_MAX_AGE – Value to be used in the Access-Control-Max-Age header in CORS preflight request responses. This is used by the default implementation of CorsHandlerHelper.configureMaxAge(HttpServletResponse), which only sets the header if the value isn't empty. Default value is the empty string. The value is the number of seconds the browser may cache the preflight result; browsers cap it at a few hours at most, and a large value also delays the effect of tightening the allowed methods or headers.

Added in 5.8.2
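The following is an added example (not from the Tapestry documentation or code base) of setting the symbols above from an application module. The wildcard-plus-credentials combination that should not ship is shown commented out beside an explicit allowlist. The module and package names and the origin, method and header values are assumptions to be replaced with the application's own.

```java
package com.example.app.services;

import org.apache.tapestry5.SymbolConstants;
import org.apache.tapestry5.ioc.MappedConfiguration;

/**
 * Added example, not part of Tapestry: CORS symbols contributed as
 * application defaults. Values may still be overridden per deployment
 * through system properties or the servlet context.
 */
public class AppModule
{
    public static void contributeApplicationDefaults(
            MappedConfiguration<String, Object> configuration)
    {
        // CORS is off by default; turning it on does nothing useful until
        // tapestry.cors-allowed-origins is also set.
        configuration.add(SymbolConstants.CORS_ENABLED, true);

        // Weak setting, do not ship: allow every origin and also allow
        // credentials. Browsers refuse to expose a response whose
        // Access-Control-Allow-Origin is "*" when Access-Control-Allow-Credentials
        // is "true"; and if the server instead echoes whichever Origin asked,
        // any website can make authenticated calls as the logged-in user.
        // configuration.add(SymbolConstants.CORS_ALLOWED_ORIGINS, "*");
        // configuration.add(SymbolConstants.CORS_ALLOW_CREDENTIALS, true);

        // Hardened setting: an explicit list of full origins (scheme, host,
        // and port when non-default), exactly as browsers send them in the
        // Origin header. Hypothetical hosts.
        configuration.add(SymbolConstants.CORS_ALLOWED_ORIGINS,
                "https://app.example.com,https://admin.example.com");
        configuration.add(SymbolConstants.CORS_ALLOW_CREDENTIALS, true);

        // Advertise only the methods the cross-origin clients need, instead
        // of the default GET,HEAD,PUT,PATCH,POST,DELETE.
        configuration.add(SymbolConstants.CORS_ALLOW_METHODS, "GET,POST");

        // Non-safelisted request headers the clients send (assumed values).
        configuration.add(SymbolConstants.CORS_ALLOWED_HEADERS,
                "Content-Type,Authorization");

        // Response headers client-side script may read (assumed value).
        configuration.add(SymbolConstants.CORS_EXPOSE_HEADERS, "X-Request-Id");

        // Preflight cache lifetime in seconds; keep it short so changes to the
        // allowed methods or headers take effect quickly.
        configuration.add(SymbolConstants.CORS_MAX_AGE, "600");
    }
}
```

The Origin header is client-controlled input, so the allowlist is the only place where trust is decided: every entry in it is granted the user's authenticated access once credentials are allowed. Keep the list to origins you operate, and verify the result with a browser request from an origin that is not listed, which should receive no Access-Control-Allow-Origin header.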