CORS Filter for J2EE Application

CORS (Cross-origin resource sharing) helps in making Javascript based AJAX request from one domain to another, requesting domain is different from the domain where the request is made. This type of request is by default forbidden at the browser level and if this type of requet is made without proper settings, they will result in some origin security policy error.

CORS allow us to make such type of requests from different domains.

How CORS Filter Work?

CORS adds some HTTP headers, which tells the browser that the request made from different domain to the specific domain is allowed. This can be specific to one domain (requesting) to all, through wildcard(*).
We can also allow some specific HTTP methods (GET/PUT/POST/DELETE etc) for those domains request.

CORS specific HTTP headers

Request Headers

  • Origin : indicates where the cross-origin request originates from.
  • Access-Control-Request-Method : used when issuing a preflight request to let the server know what HTTP method will be used in actual request.
  • Access-Control-Request-Headers : used when issuing a preflight request to let the server know what HTTP headers will be used in actual request.

Response Headers

  • Access-Control-Allow-Origin : specifies the authorised domains to make cross-domain request. Use domain name for specific domain or “*” as value if there is no restrictions.
  • Access-Control-Allow-Credentials : specifies if cross-domain requests can have authorization credentials or not.
  • Access-Control-Expose-Headers : indicates which headers are safe to expose.
  • Access-Control-Max-Age : indicates how long the results of a preflight request can be cached.
  • Access-Control-Allow-Methods : indicates the methods allowed when accessing the resource.

  • Access-Control-Allow-Headers : indicates which header field names can be used during the actual request.
package com.jkoder.cors;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CORSFilter implements Filter {

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
            FilterChain filterChain) throws IOException, ServletException {

        HttpServletRequest  request   = (HttpServletRequest)servletRequest;
        HttpServletResponse response  = (HttpServletResponse)servletResponse;

        response.addHeader("Access-Control-Allow-Origin", "*");
        response.addHeader("Access-Control-Allow-Methods", "GET,PUT,POST,DELETE,PATCH,OPTIONS");
        response.addHeader("Access-Control-Allow-Headers", request.getHeader("Access-Control-Request-Headers"));     
        // For HTTP OPTIONS verb reply with ACCEPTED status code, for CORS handshake
        if (request.getMethod().equals("OPTIONS")) {

        filterChain.doFilter(servletRequest, servletResponse);

    public void destroy() {
        // TODO Auto-generated method stub

    public void init(FilterConfig arg0) throws ServletException {
        // TODO Auto-generated method stub       

Now register CORSFilter in web.xml