CORS Support
Since 5.8.2, Tapestry (specifically tapestry-http, a dependency of tapestry-core) provides out-of-the-box CORS (Cross-Origin Resource Sharing) support. It covers most scenarios with just configuration symbols while also allowing easy customization of almost all its logic.
...
If you want to exclude some requests from CORS processing, implement a CorsHandler which returns CorsHandlerResult.CONTINUE_REQUEST_PROCESSING (i.e. skip CORS processing) for these requests and CorsHandlerResult.CONTINUE_CORS_PROCESSING for the ones you want CORS processing to happen. You should also contribute your CorsHandler implementation to the CorsHttpServletRequestFilter.
Configuration
The configuration symbols used by the Tapestry CORS support are defined as TapestryHttpSymbolConstants constants with aliases in SymbolConstants.
tapestry.cors-enabled
SymbolConstants.CORS_ENABLED – Defines whether the CORS (Cross-Origin Resource Sharing) support should be enabled or not. Default value is false. If you set this to true, you should also set at least SymbolConstants.CORS_ALLOWED_ORIGINS.
tapestry.cors-allowed-origins
SymbolConstants.CORS_ALLOWED_ORIGINS – Comma-delimited list of origins allowed for CORS. The special value * means allowing all origins. This is used by the default implementation of CorsHandlerHelper.getAllowedOrigin(HttpServletRequest). Default value is the empty string (i.e. no origins allowed and CORS actually disabled).
tapestry.cors-allow-credentials
SymbolConstants.CORS_ALLOW_CREDENTIALS – Boolean value defining whether the Access-Control-Allow-Credentials HTTP header should be set automatically in the response for CORS requests. Default value is false. This is used by the default implementation of CorsHandlerHelper.configureCredentials(HttpServletResponse).
tapestry.cors-allow-methods
SymbolConstants.CORS_ALLOW_METHODS – Value to be used in the Access-Control-Allow-Methods header in CORS preflight request responses. This is used by the default implementation of CorsHandlerHelper.configureMethods(HttpServletResponse). Default value is GET,HEAD,PUT,PATCH,POST,DELETE.
tapestry.cors-allowed-headers
SymbolConstants.CORS_ALLOWED_HEADERS – Value to be used in the Access-Control-Allow-Headers header in CORS preflight request responses. This is used by the default implementation of CorsHandlerHelper.configureAllowedHeaders(HttpServletResponse), which only sets the header if the value isn't empty. Default value is the empty string.
tapestry.cors-expose-headers
SymbolConstants.CORS_EXPOSE_HEADERS – Value to be used in the Access-Control-Expose-Headers header in CORS preflight request responses. This is used by the default implementation of CorsHandlerHelper.configureExposeHeaders(HttpServletResponse), which only sets the header if the value isn't empty. Default value is the empty string.
tapestry.cors-max-age
SymbolConstants.CORS_MAX_AGE – Value to be used in the Access-Control-Max-Age header in CORS preflight request responses. This is used by the default implementation of CorsHandlerHelper.configureMaxAge(HttpServletResponse), which only sets the header if the value isn't empty. Default value is the empty string.
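An application module that sets the symbols listed above for a credentialed cross-origin API, added here as an example (it is not code from the Tapestry project). AppModule, the example.com origins and the joinOrigins helper are hypothetical; the helper fails at startup on a malformed origin, an empty list, or the * wildcard combined with credentials, which is a policy choice of this example.

```java
import java.net.URI;
import java.util.List;

import org.apache.tapestry5.SymbolConstants;
import org.apache.tapestry5.commons.MappedConfiguration;
import org.apache.tapestry5.ioc.annotations.Contribute;
import org.apache.tapestry5.ioc.services.ApplicationDefaults;
import org.apache.tapestry5.ioc.services.SymbolProvider;

// Hypothetical application module; the origins below are constructed sample values.
public class AppModule {
    private static final List<String> TRUSTED_ORIGINS =
            List.of("https://app.example.com", "https://admin.example.com:8443");
    private static final boolean ALLOW_CREDENTIALS = true;

    @Contribute(SymbolProvider.class)
    @ApplicationDefaults
    public static void configureCors(MappedConfiguration<String, Object> configuration) {
        configuration.add(SymbolConstants.CORS_ENABLED, true);
        configuration.add(SymbolConstants.CORS_ALLOWED_ORIGINS,
                joinOrigins(TRUSTED_ORIGINS, ALLOW_CREDENTIALS));
        configuration.add(SymbolConstants.CORS_ALLOW_CREDENTIALS, ALLOW_CREDENTIALS);
        // Narrower than the default GET,HEAD,PUT,PATCH,POST,DELETE.
        configuration.add(SymbolConstants.CORS_ALLOW_METHODS, "GET,POST");
        configuration.add(SymbolConstants.CORS_ALLOWED_HEADERS, "Content-Type,Authorization");
        configuration.add(SymbolConstants.CORS_MAX_AGE, "600"); // seconds
    }

    // Builds the comma-delimited symbol value, rejecting over-broad or malformed entries.
    static String joinOrigins(List<String> origins, boolean allowCredentials) {
        if (origins.isEmpty()) {
            throw new IllegalArgumentException("empty origin list leaves CORS effectively disabled");
        }
        for (String origin : origins) {
            if (origin.equals("*")) {
                if (allowCredentials) {
                    throw new IllegalArgumentException("refusing * together with credentials");
                }
                continue;
            }
            URI uri = URI.create(origin); // throws IllegalArgumentException on bad syntax
            // An origin is scheme://host[:port] only: no path, query, fragment or user info.
            boolean ok = "https".equals(uri.getScheme()) && uri.getHost() != null
                    && uri.getRawPath().isEmpty() && uri.getRawQuery() == null
                    && uri.getRawFragment() == null && uri.getRawUserInfo() == null;
            if (!ok) throw new IllegalArgumentException("not an https origin: " + origin);
        }
        return String.join(",", origins);
    }
}
```

SymbolConstants.CORS_EXPOSE_HEADERS is left at its empty default here, so no Access-Control-Expose-Headers header is sent.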
...