CrossOriginFilter with Jersey and embedded Jetty

Question

I know this question and that on however they were not answered and asked 4 years ago. Further, non of the answers worked for me. I am unable to add a crossOriginFilter to my embedded jetty server.

My pom

    <!-- Jetty -->
    <dependency>
        <groupId>org.eclipse.jetty</groupId>
        <artifactId>jetty-server</artifactId>
        <version>9.2.11.v20150529</version>
    </dependency>
   <dependency>
        <groupId>org.eclipse.jetty</groupId>
        <artifactId>jetty-servlet</artifactId>
        <version>9.2.11.v20150529</version>
    </dependency>   
   <dependency>
        <groupId>org.eclipse.jetty</groupId>
        <artifactId>jetty-servlets</artifactId>
        <version>9.2.11.v20150529</version>
    </dependency> 

My code - unfortunatly I do not get any Header field in the responses!

        ServletContextHandler dynamicResourceContext = new ServletContextHandler();
        dynamicResourceContext.setContextPath("/rest");

        FilterHolder holder = new FilterHolder(CrossOriginFilter.class);
        holder.setInitParameter(CrossOriginFilter.ALLOWED_ORIGINS_PARAM, "*");
        holder.setInitParameter(CrossOriginFilter.ACCESS_CONTROL_ALLOW_ORIGIN_HEADER, "*");
        holder.setInitParameter(CrossOriginFilter.ALLOWED_METHODS_PARAM, "GET,POST,HEAD");
        holder.setInitParameter(CrossOriginFilter.ALLOWED_HEADERS_PARAM, "X-Requested-With,Content-Type,Accept,Origin");
        dynamicResourceContext.addFilter(holder, "/*", EnumSet.of(DispatcherType.REQUEST));

        ServletContextHandler staticResourceContext = new ServletContextHandler();
        staticResourceContext.setContextPath("/resources");
        DefaultServlet defaultServlet = new DefaultServlet();
        ServletHolder holderPwd = new ServletHolder("default", defaultServlet);
        holderPwd.setInitParameter("resourceBase", "./src/webapp/");


        staticResourceContext.addServlet(holderPwd, "/*");

        HandlerList handlers = new HandlerList();
        handlers.addHandler(dynamicResourceContext);
        handlers.addHandler(staticResourceContext);

        server = new Server(port);
        server.setHandler(handlers);
        // set logging to console
        StdErrLog logger = new StdErrLog();
        logger.setDebugEnabled(webserverLogging);
        Log.setLog(logger);

        ServletHolder jerseyServlet = dynamicResourceContext
                .addServlet(org.glassfish.jersey.servlet.ServletContainer.class, "/*");

        jerseyServlet.setInitOrder(0);


        // Tells the Jersey Servlet which REST service/class to load.
        jerseyServlet.setInitParameter("jersey.config.server.provider.classnames", getMyClasses());


        try {
            server.start();
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            // server.destroy();
        }    

What do I wrong? I do not get any error message!

EDIT

Also the following tutorial is not working. Neither with Postman nor with chrome I see an additional response head entry. The response looks like the following:

HTTP/1.1 200 OK
Date: Tue, 26 Mar 2019 19:41:36 GMT
Content-Length: 0
Server: Jetty(9.4.15.v20190215)

EDIT I was able to create the header fields using a Resource Configuration but I am still unable to create them with the CrossOriginFilter.

ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);

context.setContextPath("/"); 
Server jettyServer = new Server(9998);

jettyServer.setHandler(context);


ResourceConfig webapiResourceConfig = new ResourceConfig();
webapiResourceConfig.register(CorsFilter.class);


ServletHolder jerseyServlet  = new ServletHolder(new ServletContainer(webapiResourceConfig));
context.addServlet(jerseyServlet, "/*");
        //context.addServlet(org.glassfish.jersey.servlet.ServletContainer.class, "/*");

jerseyServlet.setInitOrder(0);

jerseyServlet.setInitParameter( "jersey.config.server.provider.classnames",MyServerConfig.class.getCanonicalName());

Answer 1

You shouldn't see the headers in Postman, as Postman doesn't require CORS support. And in Chrome (or any browser), you should only see them if you are actually making a cross origin request. If the filter is implemented correctly, it should only spit out CORS response headers if there is an Origin request header. And that should only happen on cross origin requests made from a browser.

The reason your Jersey filter worked is probably because it is not implemented correctly, according to the CORS protocol; it is probably just a lazy version where headers are added for all requests. In this answer, I originally also implemented the same "lazy" CORS support, but if you look at the UPDATE, I explain how it should be implemented. If you want to learn more about CORS, that UPDATE is a good read.