CORS Filter


The CORS Filter can run in any Java Servlet 3.0+ compatible web container, such as the popular open source Apache Tomcat server. Installation is a straightforward 3-step process.

1. Place the CORS JAR and its dependency in the CLASSPATH

Download the cors-filter-<version>.jar file and its java-property-utils-<version>.jar dependency, and put them into the CLASSPATH of your web server.

	cors-filter-2.4.jar
	java-property-utils-1.9.1.jar

If you have Apache Tomcat, there are two CLASSPATH choices. If you intend to use CORS with a single web application, put the JAR file in


To make CORS available globally, to all web applications, place the JAR in


Alternatively, if you use Maven to build your project WAR file, add the following dependency to your pom.xml:

	<version>[ version ]</version>

where version should be the latest stable release of the CORS Filter.

2. Add CORS configuration to web.xml

Open the WEB-INF/web.xml file of the web application where you intend to enable CORS and add a CORS Filter declaration and mapping.

The XML declaration to load the CORS filter:


To use a variant of the CORS Filter that can automatically detect changes to the configuration file and reconfigure itself, use the following declaration instead:


Then declare a filter mapping to tell the web server which servlets or URLs should be cross-domain-request enabled.

Example of applying the CORS filter to a single servlet:


And how to apply the CORS filter to all web app URLs:


Have a look at the web.xml of the demo CORS application included with the download package to see a complete CORS filter declaration and mapping example.

Finally, remember to restart your web server for the installation to take effect.

Important note: By default the CORS Filter will apply a "public access" CORS policy, allowing all cross-site requests through (including credentials/cookies). Leaving the CORS Filter at this setting would actually be fine for most situations, as CORS is not about adding server security; its primary intent is to protect the browser, meaning the legitimate JavaScript apps running in it and the user's confidential data, such as cookies.

If you want to modify the default CORS Filter behaviour, proceed to the configuration instructions.
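
A filter declaration and mapping of the kind step 2 describes, with the default "public access" policy from the note above narrowed to one trusted origin. This is an added example, not part of the original page or the demo application. The filter class and the `cors.*` parameter names are assumed from the CORS Filter's configuration reference rather than taken from this page, and the filter name, origin and URL pattern are placeholders.

```xml
<!-- Added example for WEB-INF/web.xml; not from the original page. -->

<!-- Declaration: loads the filter and overrides the default policy.
     Without any init-param the filter allows every origin and
     also allows credentials (the "public access" default). -->
<filter>
    <filter-name>CORS</filter-name> <!-- placeholder name -->
    <!-- Class name assumed from the CORS Filter documentation -->
    <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>

    <!-- Only this origin may make cross-site requests.
         https://app.example.com is a placeholder. -->
    <init-param>
        <param-name>cors.allowOrigin</param-name>
        <param-value>https://app.example.com</param-value>
    </init-param>

    <!-- Cookies and HTTP auth are accepted, but only from the
         origin listed above. Set to false if the endpoints
         never need the user's session. -->
    <init-param>
        <param-name>cors.supportsCredentials</param-name>
        <param-value>true</param-value>
    </init-param>

    <!-- Methods a cross-site caller may use. -->
    <init-param>
        <param-name>cors.supportedMethods</param-name>
        <param-value>GET, POST, HEAD, OPTIONS</param-value>
    </init-param>
</filter>

<!-- Mapping: limits CORS handling to the URLs that need it
     instead of the whole web application. /api/* is a placeholder. -->
<filter-mapping>
    <filter-name>CORS</filter-name>
    <url-pattern>/api/*</url-pattern>
</filter-mapping>
```

After a restart, a request carrying an `Origin` header other than the configured one should come back without an `Access-Control-Allow-Origin` header, which is a quick check that the restriction is active.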