HttpServletResponseWrapper not working for setting headers

Question

I'm trying to use a filter to allow cross-origin access to my server methods, so what I'm doing is adding a header in a filter. I read somewhere that I should use HttpServletResponseWrapper so I can add headers before they're sent to the client, but I can't make it work. This is what I've tried:

web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     version="2.5"
     xmlns="http://java.sun.com/xml/ns/javaee"
     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
  http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" >    

    <filter>
        <filter-name>CorsFilter</filter-name>
        <filter-class>com.novatronic.web.filter.CorsFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CorsFilter</filter-name>
        <url-pattern>/api/*</url-pattern>
    </filter-mapping>
</web-app>

This is the url: http://localhost:8080/hbo-web/api/public/login

This is my doFilter method:

@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException
{
  HttpServletResponse response = (HttpServletResponse) servletResponse;
  HboResponseWrapper responseWrapper = new HboResponseWrapper(response);
  responseWrapper.addHeader("Access-Control-Allow-Origin", "http://localhost:43040");
  responseWrapper.addHeader("Access-Control-Allow-Methods", "POST, GET, PUT, DELETE");
  responseWrapper.addHeader("Access-Control-Max-Age", "3600");
  responseWrapper.addHeader("Access-Control-Allow-Credentials", "true");

  responseWrapper.setHeader("Access-Control-Allow-Headers", "Content-Type, Accept, Accept-Encoding, Cache-Control, Host, Pragma, Referer, User-Agent");
  filterChain.doFilter(servletRequest, responseWrapper);
}

My wrapper:

package com.novatronic.web.util;

import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class HboResponseWrapper extends HttpServletResponseWrapper {

  public HboResponseWrapper(HttpServletResponse httpServletResponse)
  {
    super(httpServletResponse);
  }

}

Yet I get the CORS error:

XMLHttpRequest cannot load http://localhost:8080/hbo-web/api/public/login. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:43040' is therefore not allowed access.

What might be the problem?

Don't know why it's not working, but if all you need is for the filter to set predefined headers, you don't need a wrapper. Just call those `addHeader()` methods on `response`. You use wrappers if you need to *intercept* (filter/monitor) response values. — Andreas, Jul 19 '16 at 00:27
@Andreas should I do that after or before the doFilter call? — Daniel Calderon Mori, Jul 19 '16 at 00:38
You must set values before `doFilter()` call, because response might be committed upon return, so you can't do it after. — Andreas, Jul 19 '16 at 00:41

HttpServletResponseWrapper not working for setting headers

0 Answers0