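/*
 * Copyright @ 2013 CurisTEC, S.A.S. All Rights Reserved.
 */
package net.curisit.securis;

import java.io.IOException;

import jakarta.enterprise.context.ApplicationScoped;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/**
 * DevFilter
 * <p>
 * Development-time CORS helper. Adds permissive CORS headers to allow front-end
 * resources (e.g. JS served from a different origin) to call the API.
 * Short-circuits OPTIONS requests so that browser preflights succeed.
 * <p>
 * Security note: This configuration is intentionally permissive and should be
 * restricted for production. In particular:
 * <ul>
 * <li>{@code Access-Control-Allow-Origin: *} lets a page from any origin read
 * API responses, and {@code X-SECURIS-TOKEN} is an allowed request header, so
 * any origin that holds a token can use it cross-origin.</li>
 * <li>The filter is mapped to {@code /*} by annotation; nothing in this class
 * restricts it to development deployments.</li>
 * </ul>
 * NOTE(review): confirm that production builds exclude or override this filter
 * (the packaging and deployment descriptor are not visible from this file).
 *
 * @author JRA
 * Last reviewed by JRA on Oct 5, 2025.
 */
@ApplicationScoped
@WebFilter(urlPatterns = "/*")
public class DevFilter implements Filter {

    @SuppressWarnings("unused")
    private static final Logger log = LogManager.getLogger(DevFilter.class);

    /** HTTP method that is answered by this filter and never forwarded. */
    private static final String OPTIONS_METHOD = "OPTIONS";

    /**
     * Filter init hook (unused).
     *
     * @param fc filter configuration supplied by the container; ignored
     * @throws ServletException never thrown by this implementation
     */
    @Override
    public void init(FilterConfig fc) throws ServletException {
        // Nothing to initialise.
    }

    /**
     * Adds the CORS response headers and forwards every non-OPTIONS request to
     * the next element of the chain.
     * <p>
     * Every OPTIONS request is answered here with the headers only, whether or
     * not it is a CORS preflight, so OPTIONS never reaches the application.
     * Requests or responses that are not HTTP are forwarded untouched instead
     * of failing on the cast.
     *
     * @param sreq incoming request
     * @param sres outgoing response
     * @param fc   remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest sreq, ServletResponse sres, FilterChain fc)
            throws IOException, ServletException {
        // CORS only applies to HTTP; anything else passes through unchanged
        // rather than raising a ClassCastException.
        if (!(sreq instanceof HttpServletRequest) || !(sres instanceof HttpServletResponse)) {
            fc.doFilter(sreq, sres);
            return;
        }
        HttpServletRequest req = (HttpServletRequest) sreq;
        HttpServletResponse res = (HttpServletResponse) sres;

        // Dev set-up: the JS front end is served from a different origin.
        // The wildcard origin is what makes this filter unsuitable for
        // production; an explicit allow-list of origins is the usual restriction.
        res.addHeader("Access-Control-Allow-Origin", "*");
        // Access-Control-Request-Headers is sent by the browser in the
        // preflight; it is not a response header, so it is not emitted here.
        res.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
        res.addHeader("Access-Control-Allow-Headers", "X-SECURIS-TOKEN, Content-Type");
        res.addHeader("Access-Control-Expose-Headers",
                "X-SECURIS-ERROR-MSG, X-SECURIS-ERROR-CODE, Content-Type, Content-Disposition");

        // Constant-first comparison also tolerates a null method name.
        if (OPTIONS_METHOD.equals(req.getMethod())) {
            return;
        }
        fc.doFilter(sreq, sres);
    }

    /**
     * Filter destroy hook (unused).
     */
    @Override
    public void destroy() {
        // Nothing to release.
    }
}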