CrossOriginFilter.java

/**
 * <p>
 * Copyright (c) frentix GmbH<br>
 * http://www.frentix.com<br>
 */
package org.olat.core.servlets;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.olat.core.helpers.Settings;
import org.olat.core.util.StringHelper;

/**
 * 
 * Allow cross origin for our javascript client
 * 
 * @author srosse, stephane.rosse@frentix.com, http://www.frentix.com
 */
public class CrossOriginFilter implements Filter {

	@Override
	public void init(FilterConfig filterConfig) throws ServletException {
		//
	}
	
	@Override
	public void destroy() {
		//
	}

	@Override
	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
		addHeaders(request, response);
		chain.doFilter(request, response);
		addHeaders(request, response);
	}
	
	private void addHeaders(ServletRequest request, ServletResponse response) {
		if(response instanceof HttpServletResponse) {
			HttpServletRequest httpRequest = (HttpServletRequest)request;
			HttpServletResponse httpResponse = (HttpServletResponse)response;
			String origin = httpRequest.getHeader("origin");
			if(isDomainAllowed(origin)) {
				if(origin != null && !origin.isEmpty()) {
					httpResponse.setHeader("Access-Control-Allow-Origin", origin);
				}
				String headers = httpRequest.getHeader("access-control-request-headers");
				if(headers != null && !headers.isEmpty()) {
					httpResponse.setHeader("Access-Control-Allow-Headers", headers);
				}
				httpResponse.setHeader("Access-Control-Allow-Methods", "POST, PUT, DELETE, GET, OPTIONS");
				httpResponse.setHeader("Access-Control-Max-Age", "1728000");

				String method = httpRequest.getHeader("access-control-request-method");
				if("OPTIONS".equals(method)) {
					httpResponse.setHeader("Access-Control-Allow-Credentials", "true");
				}
			}
		}
	}
	
	private boolean isDomainAllowed(String origin) {
		String allowedDomains = Settings.getCrossOriginFilter();
		if(StringHelper.containsNonWhitespace(allowedDomains) && StringHelper.containsNonWhitespace(origin)) {
			if("*".equals(allowedDomains)) {
				return true;
			}
			String[] domains = allowedDomains.split(",");
			for(String domain:domains) {
				if(domain.equals(origin)) {
					return true;
				}
			}
		}
		return false;
	}
}