Making our JavaEE application CORS-aware
So far, we’ve built a JavaEE REST application that works for the most part. The only thing left is to add “Access Control” headers. Adding these headers will allow our server to communicate with a CORS-aware front-end living on another domain.
We’ll add these headers to every response. To do this, we need to add a Provider class.
Create a new file, AccessControlResponseFilter.java, with the following contents:
import java.io.IOException;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.ext.Provider;

@Provider
public class AccessControlResponseFilter implements ContainerResponseFilter {

    @Override
    public void filter(ContainerRequestContext containerRequestContext,
                       ContainerResponseContext containerResponseContext) throws IOException {
        // Only a page served from this origin may read our responses
        containerResponseContext.getHeaders().add("Access-Control-Allow-Origin", "http://localhost:3000");
        containerResponseContext.getHeaders().add("Access-Control-Allow-Methods", "GET, PUT, POST, DELETE");
        containerResponseContext.getHeaders().add("Access-Control-Allow-Headers", "Content-Type");
        containerResponseContext.getHeaders().add("Access-Control-Max-Age", "10"); // # of seconds
    }
}
The @Provider annotation will tell the JavaEE container that this class is an “extension” of the application’s response/request lifecycle. The kind of extension is determined by the interface the class implements.
The four headers we are adding to our responses are Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers, and Access-Control-Max-Age.
The “Allow-Origin” header tells the CORS-aware front-end which origins are allowed to read responses from the endpoint. For instance, if the JavaEE back-end were made public and a page served from my.com tried to make a request to our back-end, the browser would refuse to let that page read the response. The reason is that my.com is not listed in the “Allow-Origin” header.
The “Allow-Methods” header simply means that we’re allowing browsers pointing to http://localhost:3000 to use any of the listed HTTP methods to communicate with our server.
The “Allow-Headers” header lists the request headers a cross-origin page is allowed to send beyond the ones browsers treat as “simple”. A Content-Type header only counts as simple when its value is “text/plain”, “application/x-www-form-urlencoded”, or “multipart/form-data”. We’re sending JSON in various requests, so the browser will pre-flight those requests and “Content-Type” must be listed in the allowed headers.
The final one, “Max-Age”, isn’t required, but it’s a good habit to add it. It tells the browser to cache the result of the pre-flight request it makes to find out whether it is allowed to send AJAX requests to the back-end. Without it, every CORS AJAX request that needs a pre-flight will cost two HTTP requests: the OPTIONS request plus the real one. Depending on how many users are on the system and how the application is architected, this has the potential to become a performance bottleneck fairly quickly.
After you’ve made these changes, build it, deploy it, then test the GET endpoint. You should now see those four headers returned as part of the response.
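As an added example (not code from the post), here is a variant of the same filter for the case where more than one front-end origin must be allowed: it checks the request’s Origin header against an exact-match allow-list and reflects only a matching origin back, so an unknown origin gets no CORS headers at all. The class name, the allow-list and the production host in it are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.ext.Provider;

/**
 * Hypothetical allow-list variant of AccessControlResponseFilter.
 * Reflects the caller's Origin only when it is on the list; otherwise it
 * adds no Access-Control-* headers, so the browser blocks the cross-origin read.
 */
@Provider
public class AllowListCorsFilter implements ContainerResponseFilter {

    // Constructed allow-list: the post's dev front-end plus a placeholder production host.
    private static final Set<String> ALLOWED_ORIGINS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList(
                    "http://localhost:3000",
                    "https://app.example.com")));   // placeholder, not from the post

    @Override
    public void filter(ContainerRequestContext request,
                       ContainerResponseContext response) throws IOException {
        String origin = request.getHeaderString("Origin");
        // Same-origin and non-browser clients send no Origin header: nothing to do.
        if (origin == null) {
            return;
        }
        MultivaluedMap<String, Object> headers = response.getHeaders();
        // Mark the response as varying by Origin so a shared cache never hands
        // a response computed for one origin to a page from another.
        headers.add("Vary", "Origin");
        // Exact string match only: prefix, suffix or regex matching is a common
        // source of allow-list bypasses, so avoid it.
        if (!ALLOWED_ORIGINS.contains(origin)) {
            return;   // no Access-Control-* headers -> browser refuses the cross-origin read
        }
        headers.add("Access-Control-Allow-Origin", origin);
        headers.add("Access-Control-Allow-Methods", "GET, PUT, POST, DELETE");
        headers.add("Access-Control-Allow-Headers", "Content-Type");
        headers.add("Access-Control-Max-Age", "10");   // seconds the browser may cache the pre-flight
    }
}
```

Deploy it in place of the single-origin filter, not alongside it, otherwise a request would receive two Access-Control-Allow-Origin headers and the browser would reject both.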

That’s it for this Introduction to JavaEE series of posts. If you learned something from it, please share it with your friends.
Look for another series soon where we’ll build a front-end using AngularJS and material design!
Source code to the entire series is available here: