CORS Support

Since 5.8.2, Tapestry (specifically tapestry-http, a dependency of tapestry-core) provides out-of-the-box CORS (Cross-Origin Resource Sharing) support. It covers most scenarios with just configuration symbols while also allowing easy customization of almost all its logic.

...

If you want to exclude some requests from CORS processing, implement a CorsHandler which returns CorsHandlerResult.CONTINUE_REQUEST_PROCESSING (i.e. skip CORS processing) for these requests and CorsHandlerResult.CONTINUE_CORS_PROCESSING for the ones where you want CORS processing to happen. You should also contribute your CorsHandler implementation to the CorsHttpServletRequestFilter.

Configuration

The configuration symbols used by the Tapestry CORS support are defined as TapestryHttpSymbolConstants constants with aliases in SymbolConstants.

tapestry.cors-enabled

SymbolConstants.CORS_ENABLED – Defines whether the CORS (Cross-Origin Resource Sharing) support should be enabled or not. Default value is false. If you set this to true, you should also set at least SymbolConstants.CORS_ALLOWED_ORIGINS.

Since 5.8.2

tapestry.cors-allowed-origins

SymbolConstants.CORS_ALLOWED_ORIGINS – Comma-delimited list of origins allowed for CORS. The special value * means allowing all origins. This is used by the default implementation of CorsHandlerHelper.getAllowedOrigin(HttpServletRequest). Default value is the empty string (i.e. no origins allowed and CORS actually disabled).

Since 5.8.2

tapestry.cors-allow-credentials

SymbolConstants.CORS_ALLOW_CREDENTIALS – Boolean value defining whether the Access-Control-Allow-Credentials HTTP header should be set automatically in the response for CORS requests. Default value is false. This is used by the default implementation of CorsHandlerHelper.configureCredentials(HttpServletResponse).

Since 5.8.2

tapestry.cors-allow-methods

SymbolConstants.CORS_ALLOW_METHODS – Value to be used in the Access-Control-Allow-Methods header in CORS preflight request responses. This is used by the default implementation of CorsHandlerHelper.configureMethods(HttpServletResponse). Default value is GET,HEAD,PUT,PATCH,POST,DELETE.

Since 5.8.2

tapestry.cors-allowed-headers

SymbolConstants.CORS_ALLOWED_HEADERS – Value to be used in the Access-Control-Allow-Headers header in CORS preflight request responses. This is used by the default implementation of CorsHandlerHelper.configureAllowedHeaders(HttpServletResponse), which only sets the header if the value isn't empty. Default value is the empty string.

Since 5.8.2

tapestry.cors-expose-headers

SymbolConstants.CORS_EXPOSE_HEADERS – Value to be used in the Access-Control-Expose-Headers header in CORS preflight request responses. This is used by the default implementation of CorsHandlerHelper.configureExposeHeaders(HttpServletResponse), which only sets the header if the value isn't empty. Default value is the empty string.

Since 5.8.2

tapestry.cors-max-age

SymbolConstants.CORS_MAX_AGE – Value to be used in the Access-Control-Max-Age header in CORS preflight request responses. This is used by the default implementation of CorsHandlerHelper.configureMaxAge(HttpServletResponse), which only sets the header if the value isn't empty. Default value is the empty string.
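
The symbols above, set together in an application module with an explicit origin allow-list instead of *. This is an added example, not code from the Tapestry documentation; the package and class names and every origin, header and max-age value are constructed placeholders.

```java
package com.example.services; // hypothetical package name

import org.apache.tapestry5.SymbolConstants;
import org.apache.tapestry5.commons.MappedConfiguration;

public class AppModule {

    // Contributes to the ApplicationDefaults symbol provider (Tapestry IoC
    // naming convention: contribute + service id).
    public static void contributeApplicationDefaults(
            MappedConfiguration<String, Object> configuration) {

        // CORS support is off by default; it must be switched on explicitly.
        configuration.add(SymbolConstants.CORS_ENABLED, true);

        // Broad setting: "*" allows every origin.
        //   configuration.add(SymbolConstants.CORS_ALLOWED_ORIGINS, "*");
        // Restricted setting: name each trusted origin (scheme + host + port).
        // Written without spaces around the comma, because this example does
        // not assume the entries are trimmed. Origins are constructed.
        configuration.add(SymbolConstants.CORS_ALLOWED_ORIGINS,
                "https://app.example.com,https://admin.example.com");

        // Access-Control-Allow-Credentials stays at its default (false)
        // unless the trusted origins really need cookies or HTTP auth.
        configuration.add(SymbolConstants.CORS_ALLOW_CREDENTIALS, false);

        // Narrow the default GET,HEAD,PUT,PATCH,POST,DELETE to the methods
        // the cross-origin clients actually use.
        configuration.add(SymbolConstants.CORS_ALLOW_METHODS, "GET,POST");

        // Empty by default, in which case the header is not sent.
        // Header names here are constructed sample values.
        configuration.add(SymbolConstants.CORS_ALLOWED_HEADERS,
                "Content-Type,Authorization");
        configuration.add(SymbolConstants.CORS_EXPOSE_HEADERS, "X-Request-Id");

        // Seconds a browser may cache the preflight result (sample value).
        configuration.add(SymbolConstants.CORS_MAX_AGE, "600");
    }
}
```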

...