Hello Simone,

Thanks for your reply.

Our application embeds a Jetty server which delivers web services that are provided by a JavaScript library. The library is embedded by websites. Those websites are authorized by the CORS header. While the server is running, it is possible to add a new website. Until now, when doing so, we were stopping and starting the server again. I would like a better way to do so avoiding this restart. That's the reason.

I would have imagined that changing the CORS filter's list of authorized origins on the fly would not affect the running requests working with the "old" list of origins but only the new ones which would use the new list.

So there is no way to properly "restart" a Filter while the server is running?

Bruno

> -----Original Message-----
> From: jetty-users [mailto:[email protected]] On behalf of Simone Bordet
> Sent: Wednesday, February 24, 2021 17:56
> To: JETTY user mailing list <[email protected]>
> Subject: Re: [jetty-users] How to update a CrossOriginFilter
>
> Hi,
>
> On Wed, Feb 24, 2021 at 4:49 PM Bruno Konik <[email protected]> wrote:
> >
> > Hello,
> >
> > I am using embedded Jetty 9.4.35.
> >
> > Having a ServletContextHandler with a CORS filter:
> >
> > FilterHolder cors = context.addFilter(CrossOriginFilter.class, "/*", EnumSet.of(DispatcherType.REQUEST));
> >
> > cors.setInitParameter(CrossOriginFilter.ALLOWED_ORIGINS_PARAM, authorizedOrigins4AllowOriginHeader);
> >
> > cors.setInitParameter(CrossOriginFilter.ALLOWED_METHODS_PARAM, "GET,POST,HEAD,OPTIONS");
> >
> > cors.setInitParameter(CrossOriginFilter.ALLOWED_HEADERS_PARAM, "X-Requested-With,Content-Type,Accept,Origin,Cache-Control");
> >
> > cors.setInitParameter(CrossOriginFilter.CHAIN_PREFLIGHT_PARAM, "false");
> >
> > I would like to update my list of authorized origins (authorizedOrigins4AllowOriginHeader) while the server is running without stopping and restarting anything. What is the best way to do that with embedded Jetty?
>
> Why do you want to do that? I ask because it goes against the security features that the CORS filter provides, and also I don't see how you can atomically update the value while other requests are flowing through the filter?
>
> Consider also that the "Access-Control-Allow-Origin" is an HTTP response header like others, so applications that have access to the response object may modify it or even remove it.
>
> --
> Simone Bordet
> ----
> http://cometd.org
> http://webtide.com
> Developer advice, training, services and support from the Jetty & CometD experts.
> _______________________________________________
> jetty-users mailing list
> [email protected]
> To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users
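
Added example, not part of the thread and not Jetty's own code: one way to get the behaviour discussed above (in-flight requests keep the old list, later requests see the new one) is a small filter that publishes each origin list as an immutable snapshot. The class name ReloadableOriginFilter and its setAllowedOrigins method are hypothetical; the sketch assumes the javax.servlet 3.1 API that Jetty 9.4 ships and reuses the methods and headers from the configuration quoted above.

```java
import java.io.IOException;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.atomic.AtomicReference;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: exact-match origin allowlist that can be replaced at runtime. */
public class ReloadableOriginFilter implements Filter {
    // Every update swaps in a new immutable set; each request reads the reference once.
    private final AtomicReference<Set<String>> allowed = new AtomicReference<>(Collections.emptySet());

    /** Call from the application's own authenticated admin path when a website is added or removed. */
    public void setAllowedOrigins(Collection<String> origins) {
        Set<String> copy = new HashSet<>(origins);
        for (String o : copy) {
            // Refuse wildcards and "null" so a bad update cannot open the API to every site.
            if (o == null || o.contains("*") || o.equals("null"))
                throw new IllegalArgumentException("rejected origin: " + o);
        }
        allowed.set(Collections.unmodifiableSet(copy));
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        Set<String> snapshot = allowed.get();   // this request uses this list until it completes
        String origin = request.getHeader("Origin");
        boolean ok = origin != null && snapshot.contains(origin);
        boolean preflight = "OPTIONS".equals(request.getMethod())
                && request.getHeader("Access-Control-Request-Method") != null;
        response.addHeader("Vary", "Origin");   // caches must not reuse a response across origins
        if (ok) {
            response.setHeader("Access-Control-Allow-Origin", origin);
            if (preflight) {
                response.setHeader("Access-Control-Allow-Methods", "GET,POST,HEAD,OPTIONS");
                response.setHeader("Access-Control-Allow-Headers", "X-Requested-With,Content-Type,Accept,Origin,Cache-Control");
            }
        }
        if (preflight) return;                  // answered here, as with chainPreflight=false
        chain.doFilter(req, res);
    }
}
```

Register one instance with `context.addFilter(new FilterHolder(filter), "/*", EnumSet.of(DispatcherType.REQUEST))` and keep the reference so the list can be replaced later; log every call to setAllowedOrigins, since each one changes which sites may read responses.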
