/**
*
*/
package gov.va.med.ars.filter;
import java.io.IOException;
import java.util.Objects;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.logging.log4j.util.Strings;
import org.springframework.web.filter.OncePerRequestFilter;
/**
* @author
DNS
*
*/
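public class CORSFilter extends OncePerRequestFilter {

    /** Origin written to Access-Control-Allow-Origin when none is supplied: any origin. */
    private static final String DEFAULT_ALLOWED_ORIGIN = "*";

    /**
     * Request headers a cross-origin caller is permitted to send.
     * Joined once as a static constant so the string is built a single time rather than per request.
     * "Content-Disposition" is intentionally absent: it is no longer used by
     * /ars/v1/api/{file,exportAsPDF} to convey the filename, and this allow-list is meant for REST
     * calls rather than those endpoints.
     */
    private static final String ACCESS_CONTROL_ALLOW_HEADERS = String.join(", ",
            "X-PINGOTHER",
            "Content-Type",
            "X-Requested-With",
            "accept",
            "Origin",
            "Access-Control-Request-Method",
            "Access-Control-Request-Headers",
            "Authorization");

    /** Value written to Access-Control-Allow-Origin on every response. */
    private final String allowedOrigin;

    /** Creates a filter that allows every origin ({@code *}), matching the historical behaviour. */
    public CORSFilter() {
        this(DEFAULT_ALLOWED_ORIGIN);
    }

    /**
     * Creates a filter that allows only the given origin.
     *
     * @param allowedOrigin value for Access-Control-Allow-Origin, e.g. a single scheme+host+port
     *     or {@code *}; narrowing this is the lever for restricting who may read API responses
     * @throws NullPointerException if {@code allowedOrigin} is null
     */
    public CORSFilter(String allowedOrigin) {
        this.allowedOrigin = Objects.requireNonNull(allowedOrigin, "allowedOrigin");
    }

    /**
     * Adds the CORS response headers to every response, then either answers a preflight
     * ({@code OPTIONS}) request with 200 without invoking the rest of the chain, or passes any
     * other request down the chain.
     *
     * <p>No Access-Control-Allow-Credentials header is set, so this policy does not opt responses
     * into credentialed (cookie-bearing) cross-origin reads; browsers reject that combination with
     * a wildcard origin in any case.
     *
     * @param req   the current request
     * @param res   the current response; CORS headers are written before delegation
     * @param chain the remaining filter chain, skipped for preflight requests
     * @throws ServletException propagated from the chain
     * @throws IOException      propagated from the chain
     */
    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        res.setHeader("Access-Control-Allow-Origin", allowedOrigin);
        res.setHeader("Access-Control-Allow-Methods", "GET,POST");
        res.setHeader("Access-Control-Max-Age", "3600");
        res.setHeader("Access-Control-Allow-Headers", ACCESS_CONTROL_ALLOW_HEADERS);
        // NOTE(review): with the default "*" origin, any site's script may read this exposed
        // header from responses; construct the filter with a specific origin if xsrf-token must
        // stay private to the application's own front end.
        res.addHeader("Access-Control-Expose-Headers", "xsrf-token");
        if ("OPTIONS".equals(req.getMethod())) {
            // Preflight: headers above are the whole answer; do not run downstream filters/handlers.
            res.setStatus(HttpServletResponse.SC_OK);
        } else {
            chain.doFilter(req, res);
        }
    }
}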