Last active
June 19, 2018 06:42
-
-
Save samie/9dcf26a6fbc034294e40 to your computer and use it in GitHub Desktop.
Using CORS with Vaadin
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <html> | |
| <meta charset="UTF-8"> | |
| <meta name="viewport" content="width=device-width, initial-scale=1.0"> | |
| <head> | |
| <!-- Add withCredentials to Vaadin requests to allow session cookies. Note: this affects to all XHRs on this page. --> | |
| <script> | |
| XMLHttpRequest.prototype._originalSend = XMLHttpRequest.prototype.send; | |
| var sendWithCredentials = function(data) { | |
| this.withCredentials = true; | |
| this._originalSend(data); | |
| }; | |
| XMLHttpRequest.prototype.send = sendWithCredentials; | |
| </script> | |
| <style> | |
| /* Set size and styles for the application DIV */ | |
| #myapp { | |
| width: 300px; | |
| height: 300px; | |
| border:1px solid #aaa; | |
| box-shadow: 2px 2px 20px gray; | |
| } | |
| </style> | |
| </head> | |
| <body> | |
| <!-- Load the Vaadin bootstrap --> | |
| <script type="text/javascript" src="http://myvaadinappdomain.com/VAADIN/vaadinBootstrap.js"></script> | |
| <!-- Placeholder for the vaadin application--> | |
| <div id="myapp" class="v-app embedded"> | |
| <div class="v-app-loading"></div> | |
| </div> | |
| <!-- Start the Vaadin application from myvaadinappdomain.com --> | |
| <script type="text/javascript"> | |
| window.onload= function() { | |
| if (!window.vaadin) alert("Failed to load the Vaadin bootstrap"); | |
| vaadin.initApplication("myapp", { | |
| "browserDetailsUrl": "http://myvaadinappdomain.com/", | |
| "serviceUrl": "http://myvaadinappdomain.com/", | |
| "widgetset": "com.vaadin.DefaultWidgetSet", | |
| "theme": "reindeer", | |
| "versionInfo": {"vaadinVersion": null}, | |
| "vaadinDir": "http://myvaadinappdomain.com/VAADIN/", | |
| "heartbeatInterval": 300, | |
| "debug": true, | |
| }); | |
| } | |
| </script> | |
| </body> | |
| </html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @WebServlet(value = "/*", asyncSupported = true) | |
| @VaadinServletConfiguration(productionMode = false, ui = MyVaadinUI.class) | |
| public static class MyCORSServlet extends VaadinServlet { | |
| /** | |
| * Override to handle the CORS requests. | |
| */ | |
| @Override | |
| protected void service(HttpServletRequest request, | |
| HttpServletResponse response) throws ServletException, | |
| IOException { | |
| // Origin is needed for all CORS requests | |
| String origin = request.getHeader("Origin"); | |
| if (origin != null && isAllowedRequestOrigin(origin)) { | |
| // Handle a preflight "option" requests | |
| if ("options".equalsIgnoreCase(request.getMethod())) { | |
| response.addHeader("Access-Control-Allow-Origin", origin); | |
| response.setHeader("Allow", | |
| "GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS"); | |
| // allow the requested method | |
| String method = request | |
| .getHeader("Access-Control-Request-Method"); | |
| response.addHeader("Access-Control-Allow-Methods", method); | |
| // allow the requested headers | |
| String headers = request | |
| .getHeader("Access-Control-Request-Headers"); | |
| response.addHeader("Access-Control-Allow-Headers", headers); | |
| response.addHeader("Access-Control-Allow-Credentials", | |
| "true"); | |
| response.setContentType("text/plain"); | |
| response.setCharacterEncoding("utf-8"); | |
| response.getWriter().flush(); | |
| return; | |
| } // Handle UIDL post requests | |
| else if ("post".equalsIgnoreCase(request.getMethod())) { | |
| response.addHeader("Access-Control-Allow-Origin", origin); | |
| response.addHeader("Access-Control-Allow-Credentials", | |
| "true"); | |
| super.service(request, response); | |
| return; | |
| } | |
| } | |
| // All the other requests nothing to do with CORS | |
| super.service(request, response); | |
| } | |
| /** | |
| * Check that the page Origin header is allowed. | |
| */ | |
| private boolean isAllowedRequestOrigin(String origin) { | |
| // TODO: Remember to limit the origins. | |
| return origin.matches(".*"); | |
| } | |
| } |
The filter based gist link is now broken :-/
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Optionally, instead of extending the Servlet to provide the necessary header, you can also use ServletFilter. See this code: https://gist.github.com/el-mot/ade1c6b31206e04184a5