CORS Filter


The CORS Filter can run in any Java Servlet 2.5+ compatible web container, such as the popular open source Apache Tomcat server. Installation is a straightforward 3-step process.

1. Place the CORS JAR and its dependency in the CLASSPATH

Download the cors-filter-<version>.jar file and its java-property-utils-<version>.jar dependency, and put them into the CLASSPATH of your web server.

cors-filter-1.8.jar java-property-utils-1.9.jar

If you have Apache Tomcat there are two CLASSPATH choices: If you intend to use CORS with a single web application put the JAR file in


To make CORS available globally, to all web applications, place the JAR in


2. Add CORS configuration to web.xml

Open the WEB-INF/web.xml file of the web application where you intend to enable CORS and add a CORS Filter declaration and mapping.

The XML declaration to load the CORS filter:


Then declare a filter mapping to tell the web server which servlets or URLs should be cross-domain-request enabled.

Example of applying the CORS filter to a single servlet:


And how to apply the CORS filter to all web app URLs:


Have a look at the web.xml of the demo CORS application included with the download package to see a complete CORS filter declaration and mapping example.

Finally, remember to restart your web server for the installation to take effect.

Important note: By default the CORS Filter will apply a "public access" CORS policy, allowing all cross-site requests through (including credentials/cookies). Leaving the CORS Filter at this setting would actually be fine for most situations as CORS is not about adding server security; its primary intent is to protect the browser - the legitimate JavaScript apps running in it and the user's confidential data, such as cookies.

If you want to modify the default CORS Filter behaviour, proceed to the configuration instructions.