Hi,

Does Jersey (or JAX-RS) provide (or plan on providing) official support for CORS?

Please see

http://en.wikipedia.org/wiki/Cross-Origin_Resource_Sharing
http://hacks.mozilla.org/2009/07/cross-site-xmlhttprequest-with-cors/

for some background.

Thank you,
Gili

Hello Gili,

I don't think so. Do you have some interesting scenario/use case which would be possible with Jersey? We do support JSONP, as you most likely already know.

Regards,
Pavel

On 02/24/2011 04:24 PM, Gili wrote:
> Hi,
>
> Does Jersey (or JAX-RS) provide (or plan on providing) official support for
> CORS?
>
> Please see
>
> http://en.wikipedia.org/wiki/Cross-Origin_Resource_Sharing
> http://hacks.mozilla.org/2009/07/cross-site-xmlhttprequest-with-cors/
>
> for some background.
>
> Thank you,
> Gili

Pavel,

CORS is a superset of JSONP's capabilities. It works with any media-type, as well as with any HTTP method. JSONP is limited to JSON and HTTP GET.

JSONP requires you to make modifications on both server and client-side code. CORS only requires minimal changes on the server and absolutely no changes on the client (no more ugly <script> hacks).

What I'm expecting from Jersey: At minimum we'd need to be able to do HTTP OPTIONS "mixing" (there is already an open JAX-RS issue against this). CORS requires us to read the input headers, evaluate the user's authorization and reply with headers that indicate his/her permissions.

Gili

Hi,

Can you please explain what you mean by "we'd need to be able to do HTTP OPTIONS "mixing" (there is already an open JAX-RS issue against this)"?

I am trying to set "Access-Control-Allow-Origin" and other headers and return them from the OPTIONS method. However, I don't see that this method is invoked. Here is my code:

    // Preflight handler: CORS headers are added to the servlet response
    @OPTIONS
    @Path("testme")
    public Response testt(@Context HttpServletResponse servlerResponse) {
        servlerResponse.addHeader("Access-Control-Allow-Methods", "POST,GET,OPTIONS");
        servlerResponse.addHeader("Access-Control-Allow-Credentials", "true");
        servlerResponse.addHeader("Access-Control-Allow-Origin", "*");
        servlerResponse.addHeader("Access-Control-Allow-Headers", "Content-Type,X-Requested-With");
        servlerResponse.addHeader("Access-Control-Max-Age", "60");
        return Response.ok().build();
    }

    // Actual request handler: same CORS headers, then the payload
    @POST
    @Path("testme")
    public String testme(@Context HttpServletResponse servlerResponse) {
        servlerResponse.addHeader("Access-Control-Allow-Methods", "POST,GET,OPTIONS");
        servlerResponse.addHeader("Access-Control-Allow-Credentials", "true");
        servlerResponse.addHeader("Access-Control-Allow-Origin", "*");
        servlerResponse.addHeader("Access-Control-Allow-Headers", "Content-Type,X-Requested-With");
        servlerResponse.addHeader("Access-Control-Max-Age", "60");
        return "str";
    }

Thank you

Hi Rimi,

You are returning Response.ok().build(). Any headers you set above this line get ignored because you're not applying them to the object you are returning. You should do this instead:

    return Response.ok().header("Access-Control-Allow-Methods", "POST,GET,OPTIONS").build();

Gili

On 27/03/2011 4:38 AM, Rimi [via Jersey] wrote:
> Hi,
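
Added example (not part of the thread and not Jersey code): a dependency-free Java sketch of the server-side CORS decision discussed above, which reads the `Origin` request header and produces the response headers. The class name `CorsPolicy`, the allowlist and the sample origins are assumptions; it echoes an allowlisted origin instead of `*` because browsers refuse `Access-Control-Allow-Origin: *` on credentialed requests.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/** Added example: derive CORS response headers from the request headers. */
public class CorsPolicy {
    // Assumed allowlist; the origins are constructed sample values.
    private static final Set<String> ALLOWED_ORIGINS =
            Set.of("https://app.example.com", "https://admin.example.com");
    private static final String ALLOWED_METHODS = "POST, GET, OPTIONS";
    private static final String ALLOWED_HEADERS = "Content-Type, X-Requested-With";

    /**
     * @param origin          Origin request header, or null if absent
     * @param requestedMethod Access-Control-Request-Method header (sent only on
     *                        a preflight OPTIONS request), or null
     * @return headers to copy onto the response
     */
    public static Map<String, String> responseHeaders(String origin, String requestedMethod) {
        Map<String, String> headers = new LinkedHashMap<>();
        // The answer depends on Origin, so shared caches must key on it.
        headers.put("Vary", "Origin");
        if (origin == null || !ALLOWED_ORIGINS.contains(origin)) {
            // No Access-Control-* headers: the browser withholds the
            // response from the calling page.
            return headers;
        }
        // Echo the exact allowlisted origin rather than "*".
        headers.put("Access-Control-Allow-Origin", origin);
        headers.put("Access-Control-Allow-Credentials", "true");
        if (requestedMethod != null) {
            // Preflight: advertise what the actual request may use.
            headers.put("Access-Control-Allow-Methods", ALLOWED_METHODS);
            headers.put("Access-Control-Allow-Headers", ALLOWED_HEADERS);
            headers.put("Access-Control-Max-Age", "60");
        }
        return headers;
    }

    public static void main(String[] args) {
        // Constructed requests: allowed preflight, unknown origin, allowed simple request.
        System.out.println(responseHeaders("https://app.example.com", "POST"));
        System.out.println(responseHeaders("https://other.example", "POST"));
        System.out.println(responseHeaders("https://app.example.com", null));
    }
}
```

In a JAX-RS resource, each entry of the returned map would be applied to the returned object with `Response.ok().header(name, value)`, as in Gili's reply.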
