public enum CrossOriginSharingPolicy extends Enum<CrossOriginSharingPolicy>
Web Browser User Agents (Chrome, FireFox et al.) prevent web-pages from accessing resources located on hosts other than the host that served the web-page. This is called the 'Same Origin' policy and is a critical part of the browser security model. It helps prevents a malicious site stealing data or taking unauthorized actions on another site, via the browser user-agent.
An 'Origin' is a DNS server name, plus it's protocol, plus the port that the server is listening on, the examples below each reside in a different origin:
https://example.com
http://example.com
- different protocolhttps://www.example.com
- different DNS namehttps://example.com:8080
- different portFor many applications, unilaterally preventing this access is prohibitive, especially when there is a trust relationship between two different origins. The Cross Origin Resource Sharing Specification (CORS) defines a protocol for web-browsers and web-servers to safely permit Cross Origin requests between origins that have reason to trust each other.
A public resource is any resource served by a servlet that is NOT protected by a Privilege
Because public resources are just that: public, they are enabled for CORS requests by default. In some cases it may be undesirable to make a public resource available for CORS requests, for example the resources associated with a sign-on form, this default can be overriden. Or if a servlet performs it's own authentication and authorization, it may wish to disable the automatic CORS support.
You can disable access for the entire servlet using the CORS
annotation or disable specific paths served by the servlet by using the PathTemplate.cors()
property.
@Dispatches(@PathTemplate("/logon")) @CORS(CrossOriginSharingPolicy.DENY) @Provides class LogonServlet extends HttpServlet { ... }
@Dispatches(@PathTemplate(value="/logon",cors=CrossOriginSharingPolicy.DENY)) @Provides class LogonServlet extends HttpServlet { ... }
A protected resource is any resource served by a servlet that is protected by a Privilege
Protected resources are also CORS enabled by default, but access to protected resources is restricted to callers providing the necessary credentials and having the required Privilege.roles()
.
This means that a pre-flight request against a protected resource may succeed, but the actual operation will fail because the caller lacks the required credentials or roles.
Protected resources can deny CORS access in the same manner shown above for public resources.
It is worth noting that any cookie based authentication mechanism cannot work safely with CORS enabled resources, because browsers always send cookies, which provides a means for Cross Site Request Forgery (CSRF) attacks. By contrast token based authorization (e.g. OAuth 2.0 ) can work safely with CORS resources, because possession of the token proves that the server can trust the caller (unless the token has been inadvertently disclosed/compromised).
ORDS built in cookie based authentication mechanisms explicitly do not authenticate cross origin requests, however if a servlet is implementing it's own authentication/authorization mechanisms, it is crucial to remember the above point, and check for and validate any Origin
header present in the request.
A servlet can constrain which origins are permitted to access a resource by emitting the Access-Control-Allow-Origin
header. If the value of the header is *
or a character for character match of the origin that made the request, the request will be CORS enabled. If the value is null
or empty, or not a match for the request origin, the request will not be CORS enabled. If this header is present in the response, then the above behaviour overrides the behaviour prescribed by the servlet's CrossOriginSharingPolicy
. If the header is not present in the response then the CrossOriginSharingPolicy
takes precedent.
If a servlet is CORS enabled, then preflight OPTIONS
requests will be handled by ORDS, and will always succeed for any origin. If a servlet wishes to take finer control over pre-flight requests, then it should advertise via the PathTemplate.methods()
property that it will handle the OPTIONS
request itself. Note if a servlet does handle OPTIONS
itself then the automatic CORS support is disabled, and the servlet is completely responsible for supporting (or not supporting) the CORS protocol correctly.
If a servlet indicates via the ALLOW
setting that it supports CORS then, ORDS will automatically:
OPTIONS
requestsAccess-Control-Allow-Credentials
header with a value of true
to the response.Access-Control-Expose-Headers
header enumerating all the headers in the response.Enum Constant and Description |
---|
ALLOW
The resource can be accessed via
CORS . |
DENY
The resource may not be accessed via
CORS |
INHERIT
Inherit the
CrossOriginSharingPolicy from the containing object |
Modifier and Type | Method and Description |
---|---|
static CrossOriginSharingPolicy |
value(String text)
Determine the
CrossOriginSharingPolicy for the specified textual representation |
static CrossOriginSharingPolicy |
valueOf(String name)
Returns the enum constant of this type with the specified name.
|
static CrossOriginSharingPolicy[] |
values()
Returns an array containing the constants of this enum type, in the order they are declared.
|
public static final CrossOriginSharingPolicy ALLOW
CORS
.public static final CrossOriginSharingPolicy DENY
CORS
public static final CrossOriginSharingPolicy INHERIT
CrossOriginSharingPolicy
from the containing objectpublic static CrossOriginSharingPolicy[] values()
for (CrossOriginSharingPolicy c : CrossOriginSharingPolicy.values()) System.out.println(c);
public static CrossOriginSharingPolicy valueOf(String name)
name
- the name of the enum constant to be returned.IllegalArgumentException
- if this enum type has no constant with the specified nameNullPointerException
- if the argument is nullpublic static CrossOriginSharingPolicy value(String text)
CrossOriginSharingPolicy
for the specified textual representationtext
- The textual representation of the CrossOriginSharingPolicy
DENY
if the textual value equals (case insensitive) DENY
, ALLOW
otherwise