How do you configure CORS for JAX-RS services?

Table of Contents

• Introduction
• What is CORS?
• Configuring CORS in JAX-RS
  • 1. Creating a CORS Filter in JAX-RS
  • 2. Enabling CORS for Specific Resource Methods
  • 3. Handling Pre-flight Requests
  • 4. Configuring CORS in web.xml (for older JAX-RS setups)
• Best Practices for Configuring CORS in JAX-RS
• Conclusion

Introduction

In modern web applications, especially when using RESTful APIs, it is common for the client and server to be hosted on different domains. To allow web browsers to make cross-origin requests (i.e., requests from one domain to another), Cross-Origin Resource Sharing (CORS) must be enabled. JAX-RS (Java API for RESTful Web Services) provides ways to configure and manage CORS for your RESTful services, allowing you to securely control cross-origin access.

In this guide, we’ll explore how to configure CORS in JAX-RS, enabling your services to handle requests from different origins while keeping security in check.

What is CORS?

CORS is a security feature implemented by web browsers that allows or denies web applications running at one origin (domain) to make requests to resources on a different origin. Without proper configuration, browsers block such cross-origin requests to prevent potential security risks, such as cross-site scripting (XSS) or data theft.

CORS defines a set of headers that specify which domains are allowed to access resources on a server. These headers need to be configured in the JAX-RS service to handle the cross-origin requests properly.

Configuring CORS in JAX-RS

JAX-RS doesn't have built-in support for CORS directly, but you can use a filter to intercept requests and add the necessary CORS headers to the responses. By adding a CORS filter, you can configure which HTTP methods (GET, POST, PUT, etc.) and headers are allowed, and which domains can access your resources.

1. Creating a CORS Filter in JAX-RS

A CORS filter can be implemented by creating a class that extends ContainerResponseFilter. This filter will be responsible for adding CORS headers to each response.

In this filter:

• Access-Control-Allow-Origin: Specifies which origins are allowed to access the resource. Using "*" allows all origins, but you can specify specific domains such as "https://example.com" for better security.
• Access-Control-Allow-Methods: Defines the allowed HTTP methods for cross-origin requests.
• Access-Control-Allow-Headers: Specifies the allowed headers that the client can send with the request.
• Access-Control-Allow-Credentials: Indicates whether the browser should include credentials like cookies and HTTP authentication.

2. Enabling CORS for Specific Resource Methods

You can also use the @CrossOrigin annotation from JAX-RS (if supported by the framework) to allow CORS for specific resource methods or classes.

In this example, the @CrossOrigin annotation allows only requests from https://example.com to access the resource. You can configure multiple domains or allow all domains using *.

3. Handling Pre-flight Requests

When making cross-origin requests, especially with methods like POST, PUT, or custom headers, the browser sends a pre-flight OPTIONS request to the server to check if the actual request is allowed. You need to handle this OPTIONS request by providing the appropriate CORS headers in the response.

To handle pre-flight requests in JAX-RS, you can configure your CORS filter to respond to OPTIONS requests:

In this updated filter:

• The filter method checks if the request method is OPTIONS. If it is, it responds with a 200 OK status and the appropriate CORS headers.

4. Configuring CORS in web.xml (for older JAX-RS setups)

In older JAX-RS setups that don’t support annotations or filters directly, you can configure CORS through web.xml. However, this is not as flexible or recommended as using filters. Here's a basic example:

This configuration binds the CORSFilter to all URLs under /api/*, enabling CORS for these endpoints.

Best Practices for Configuring CORS in JAX-RS

1. Limit Allowed Origins: Always avoid using "*" for production environments. Instead, specify trusted origins (e.g., https://trusted-website.com) to prevent unauthorized access to your resources.
2. Restrict Allowed Methods: Only allow methods that are necessary for your API (e.g., GET, POST). Avoid unnecessarily broad permissions for sensitive data.
3. Use Secure Headers: Ensure that only trusted headers are allowed in cross-origin requests, particularly if the API deals with sensitive data or authentication tokens.
4. Handle Pre-flight Requests: Make sure to correctly handle OPTIONS requests for pre-flight checks, especially when custom headers or non-simple methods are used.
5. Enable Credentials with Caution: When allowing credentials (Access-Control-Allow-Credentials: true), you should be more restrictive about which domains are allowed (Access-Control-Allow-Origin), since allowing all origins with credentials is a security risk.

Conclusion

Configuring CORS for JAX-RS services is essential for enabling secure cross-origin requests between clients and your RESTful API. By using a custom CORS filter, you can control which domains, methods, and headers are allowed, ensuring that your API is accessible to external clients while protecting sensitive resources. With careful configuration and best practices, you can effectively manage cross-origin resource sharing in JAX-RS, making your API more flexible and secure.