Re: [jetty-users] How to update a CrossOriginFilter

Hello Simone,

Thanks for your reply.

Our application embeds a Jetty server which delivers web services that are
provided by a javascript library. The library is embedded by websites. Those
websites are authorized by the CORS header. While the server is running, it
is possible to add a new website. Until now, when doing so, we were stopping
and starting the server again. I would like a better way to do so avoiding
this restart. That's the reason. I would have imagined that changing the
CORS filter's list of authorized origins on the fly would not affect the
running requests working with the "old" list of origins but only the new
ones which would use the new list.

So there is no way to properly "restart" a Filter while the server is
running?

Bruno

> -----Original Message-----
> From: jetty-users [mailto:jetty-users-bounces@xxxxxxxxxxx] On behalf of
> Simone Bordet
> Sent: Wednesday, February 24, 2021 17:56
> To: JETTY user mailing list <jetty-users@xxxxxxxxxxx>
> Subject: Re: [jetty-users] How to update a CrossOriginFilter
> 
> Hi,
> 
> On Wed, Feb 24, 2021 at 4:49 PM Bruno Konik <bruno.konik@xxxxxxxxxxx>
> wrote:
> >
> > Hello,
> >
> > I am using embedded Jetty 9.4.35.
> >
> > Having a ServletContextHandler with a CORS filter:
> >
> > FilterHolder cors = context.addFilter(CrossOriginFilter.class,
> > "/*", EnumSet.of(DispatcherType.REQUEST));
> >
> > cors.setInitParameter(CrossOriginFilter.ALLOWED_ORIGINS_PARAM,
> > authorizedOrigins4AllowOriginHeader);
> >
> > cors.setInitParameter(CrossOriginFilter.ALLOWED_METHODS_PARAM,
> > "GET,POST,HEAD,OPTIONS");
> >
> > cors.setInitParameter(CrossOriginFilter.ALLOWED_HEADERS_PARAM,
> > "X-Requested-With,Content-Type,Accept,Origin,Cache-Control");
> >
> > cors.setInitParameter(CrossOriginFilter.CHAIN_PREFLIGHT_PARAM,
> > "false");
> >
> >
> >
> > I would like to update my list of authorized origins
> > (authorizedOrigins4AllowOriginHeader) while the server is running without
> > stopping and restarting anything. What is the best way to do that with
> > embedded Jetty?
> 
> Why do you want to do that? I ask because it goes against the security
> features that the CORS filter provides, and also I don't see how you can
> atomically update the value while other requests are flowing through the
> filter?
>
> Consider also that the "Access-Control-Allow-Origin" is an HTTP response
> header like others, so applications that have access to the response
> object may modify it or even remove it.
> 
> --
> Simone Bordet
> ----
> http://cometd.org
> http://webtide.com
> Developer advice, training, services and support from the Jetty & CometD
> experts.
> _______________________________________________
> jetty-users mailing list
> jetty-users@xxxxxxxxxxx
> To unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/jetty-users
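
An added example, not code from this thread or from Jetty: one way to get the behaviour asked about above (in-flight requests keep the old list, new requests see the new one) while addressing the atomic-update concern in the quoted reply. `ReloadableOriginFilter` and `setAllowedOrigins` are hypothetical names; the sketch assumes the `javax.servlet` API used by Jetty 9.4 and exact-match origins only.

```java
import java.io.IOException;
import java.util.*;
import java.util.concurrent.atomic.AtomicReference;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical class, not part of Jetty: a CORS filter with a runtime-replaceable allowlist.
public class ReloadableOriginFilter implements Filter {
    // Immutable snapshot; replacing the reference is a single atomic write.
    private final AtomicReference<Set<String>> allowed = new AtomicReference<>(Collections.emptySet());

    // Swap in a new allowlist. Requests that already read the old snapshot finish with it.
    public void setAllowedOrigins(Collection<String> origins) {
        Set<String> next = new HashSet<>();
        for (String o : origins) {
            // Exact scheme://host[:port] entries only; wildcards and "null" are refused.
            if (o == null || !o.matches("https?://[^/\\s*]+"))
                throw new IllegalArgumentException("Rejected origin entry: " + o);
            next.add(o);
        }
        allowed.set(Collections.unmodifiableSet(next));
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        Set<String> snapshot = allowed.get();      // one read per request, never re-read
        String origin = request.getHeader("Origin");
        response.addHeader("Vary", "Origin");      // caches must key on the Origin header
        boolean ok = origin != null && snapshot.contains(origin);
        if (ok) response.setHeader("Access-Control-Allow-Origin", origin);
        boolean preflight = "OPTIONS".equals(request.getMethod())
                && request.getHeader("Access-Control-Request-Method") != null;
        if (preflight) {
            if (ok) {
                response.setHeader("Access-Control-Allow-Methods", "GET,POST,HEAD,OPTIONS");
                response.setHeader("Access-Control-Allow-Headers",
                        "X-Requested-With,Content-Type,Accept,Origin,Cache-Control");
            }
            return; // answered here, not chained (same effect as CHAIN_PREFLIGHT_PARAM=false)
        }
        chain.doFilter(request, response);
    }
}
```

Register one instance with `context.addFilter(new FilterHolder(filter), "/*", EnumSet.of(DispatcherType.REQUEST))` and keep the reference so the allowlist can be replaced later. Whatever code path calls `setAllowedOrigins` decides which sites may read responses cross-origin, so it needs the same access control and audit logging as any other security configuration change.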


