Jetty Cross Origin Filter

Question

I've configured Jetty's cross origin filter, but I continue to get the following error. Does anyone know what is wrong and how to fix it? Below the error message is my override descriptor (i.e. supplemental web.xml)

Error:

Origin http://localhost:8090 is not allowed by Access-Control-Allow-Origin.

Override Descriptor:

<!DOCTYPE web-app PUBLIC
 "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
 "http://java.sun.com/dtd/web-app_2_3.dtd" >

<web-app>
 <filter>
   <filter-name>cross-origin</filter-name>
   <filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
   <init-param>
       <param-name>allowedOrigins</param-name>
       <param-value>*</param-value>
   </init-param>
   <init-param>
       <param-name>allowedMethods</param-name>
       <param-value>*</param-value>
   </init-param>
   <init-param>
       <param-name>allowedHeaders</param-name>
       <param-value>*</param-value>
   </init-param>
 </filter>
 <filter-mapping>
     <filter-name>cross-origin</filter-name>
     <filter-pattern>/*</filter-pattern>
 </filter-mapping>
</web-app>

Request Header

Accept:*/*
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Access-Control-Request-Headers:Origin, Content-Type, Accept
Access-Control-Request-Method:POST
Connection:keep-alive
Host:localhost:8080
Origin:http://localhost:8090
Referer:http://localhost:8090/home
User-Agent:Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.8 (KHTML, like Gecko) Chrome/17.0.942.0

Response Header

Allow:POST,GET,OPTIONS,HEAD
Content-Length:0
Date:Wed, 30 Nov 2011 02:13:21 GMT
Server:Jetty(7.5.4.v20111024)

Can you use a tool like Wireshark to show the actual request/response headers being exchanged? That will help verify whether the correct CORS headers are being sent. — monsur, Nov 29 '11 at 16:06
@monsur: I've added the request/response header details. The response header does NOT include `access-control-allow-origin: *` — Ari, Nov 30 '11 at 02:22
Hmm, not sure. Can you check the logs to see if the filter is logging anything? The filter has a logger set up: http://download.eclipse.org/jetty/stable-7/xref/org/eclipse/jetty/servlets/CrossOriginFilter.html#77 — monsur, Nov 30 '11 at 02:56
@monsur: The filter doesn't seem to be logging anything. Using the following command: `mvn jetty:run &> ~/mvn-jetty.log`, I redirected stdout & stderr to a log file. I've searched through the log file and there is no mention of the cross origin filter. — Ari, Nov 30 '11 at 18:08

score 25 · Accepted Answer · edited Mar 10 '17 at 18:30

25

Aloha,

I fought this for awhile as well, and found that the final node needs to be:

<filter-mapping>
    <filter-name>cross-origin</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

NOT

<filter-mapping>
     <filter-name>cross-origin</filter-name>
     <filter-pattern>/*</filter-pattern>
</filter-mapping>

Here is the link I found to help me: wiki.eclipse.org/Jetty/Feature/Cross_Origin_Filter

After I updated my web.xml file and restarted the jetty server, I was able to make cross domain request using jQuery ajax calls.

Rob

edited Mar 10 '17 at 18:30

Travis Heeter

13,002
13
87
129

answered Dec 10 '11 at 03:35

Robert Whitton

266
3
2

"filter-pattern" is not recognized by my scheme, any idea where this is defined? It's not in: xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0" – Loren_ Oct 21 '15 at 15:45
3

In Jetty 9 `allowedHeaders` and `allowedMethods`, `*` will not work. – ranjeet Jul 17 '16 at 20:57

score 13 · Answer 2 · answered Dec 22 '11 at 06:44

I ran into this when doing crossdomain calls to web apps deployed to GAE. You can add an explicit header to your Servlet(s) responses, like:

public void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException 
{
    res.addHeader("Access-Control-Allow-Origin", "*");
    ...
}

and also make sure you have a crossdomain.xml policy file in the root of your WAR, like:

<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="*"/>
</cross-domain-policy>

HTH.

score 8 · Answer 3 · answered Nov 26 '13 at 16:36

I had the same Problem with ActiveMQ Ajax within Jetty Web Server. My Problem was, that the allowed headers field is not accepting a wildcard in form of "*".

For getting ActiveMQ Ajax to work, i also have to add the "Options" Method to the allowedMethods.

Cross-Origin Filter from web.xml:

<filter>
   <filter-name>cross-origin</filter-name>
   <filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
   <init-param>
       <param-name>allowedOrigins</param-name>
       <param-value>*</param-value>
   </init-param>
   <init-param>
       <param-name>allowedMethods</param-name>
       <param-value>GET,POST,OPTIONS,DELETE,PUT,HEAD</param-value>
   </init-param>
   <init-param>
       <param-name>allowedHeaders</param-name>
       <param-value>origin, content-type, accept, authorization</param-value>
   </init-param>
 </filter>
 <filter-mapping>
     <filter-name>cross-origin</filter-name>
     <url-pattern>*</url-pattern>
 </filter-mapping>

Alexander Lyamin · Answer 4 · 2013-01-23T15:52:34.913

For me ( jetty-version 8.1.5.v20120716 ) only these lines in 'web.xml' helps:

<filter>
    <filter-name>cross-origin</filter-name>
    <filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
    <init-param>
        <param-name>allowedOrigins</param-name>
        <param-value>*</param-value>
    </init-param>
    <init-param>
        <param-name>allowedMethods</param-name>
        <param-value>GET,POST,DELETE,PUT,HEAD</param-value>
    </init-param>
    <init-param>
        <param-name>allowedHeaders</param-name>
        <param-value>origin, content-type, accept</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>cross-origin</filter-name>
   <url-pattern>/*</url-pattern>
</filter-mapping>

I've change log level to DEBUG and get information (like 'GET,POST,DELETE,PUT,HEAD' and 'origin, content-type, accept') from jetty console log. E.g.:

DEBUG CrossOriginFilter:359 - Method DELETE is among allowed methods [GET, POST, DELETE, PUT, HEAD] 19:14:28,413

DEBUG CrossOriginFilter:389 - Headers [origin, content-type, accept] are not among allowed headers [*]

Then I checked result with $.ajax({url:'anotherHost', type:'DELETE', ..})

score 2 · Answer 5 · answered Jul 11 '12 at 16:57

2

Just opened a bug report after wasting a lot of my time:

https://bugs.eclipse.org/bugs/show_bug.cgi?id=384847

Also be aware of the fact that wildcards in the parameter values are mostly not supported. (ie. allowed headers)

answered Jul 11 '12 at 16:57

user1050755

11,218
4
45
56

Jetty Cross Origin Filter

5 Answers5

Linked