tessl/maven-org-elasticsearch-plugin--transport-netty3-client
Netty 3 based transport implementation for Elasticsearch providing TCP and HTTP transport layers
—
Pending
cors-configuration.mddocs/
CORS Configuration
Cross-Origin Resource Sharing support for web-based Elasticsearch clients. Provides comprehensive CORS policy configuration including origins, methods, headers, and credential handling for secure web application integration.
Capabilities
Netty3CorsConfig Class
Immutable configuration object that defines CORS policy settings for the HTTP transport.
/**
* Immutable configuration for Cross-Origin Resource Sharing (CORS) policies
*/
public class Netty3CorsConfig {
/**
* Checks if CORS support is enabled
* @return true if CORS processing is enabled
*/
public boolean isCorsSupportEnabled();
/**
* Checks if wildcard origin (*) is supported
* @return true if any origin is allowed
*/
public boolean isAnyOriginSupported();
/**
* Returns the set of allowed origins
* @return Set<String> containing allowed origin URLs
*/
public Set<String> origins();
/**
* Checks if a specific origin is allowed
* @param origin Origin URL to check
* @return true if the origin is allowed
*/
public boolean isOriginAllowed(String origin);
/**
* Checks if null origin is allowed (for file:// requests)
* @return true if null origin is permitted
*/
public boolean isNullOriginAllowed();
/**
* Checks if credentials (cookies, authorization headers) are allowed
* @return true if credentials are permitted in CORS requests
*/
public boolean isCredentialsAllowed();
/**
* Returns the max age for preflight cache
* @return long maximum age in seconds for preflight response caching
*/
public long maxAge();
/**
* Returns the set of allowed HTTP methods
* @return Set<HttpMethod> containing permitted HTTP methods
*/
public Set<HttpMethod> allowedRequestMethods();
/**
* Returns the set of allowed request headers
* @return Set<String> containing permitted request header names
*/
public Set<String> allowedRequestHeaders();
/**
* Returns headers to include in preflight responses
* @return Map<CharSequence, Callable<?>> of preflight response headers
*/
public Map<CharSequence, Callable<?>> preflightResponseHeaders();
/**
* Checks if invalid CORS requests should be short-circuited
* @return true if invalid requests are immediately rejected
*/
public boolean isShortCircuit();
}Netty3CorsConfigBuilder Class
Builder pattern implementation for creating CORS configurations with fluent API.
/**
* Builder for creating CORS configuration objects with fluent API
*/
public class Netty3CorsConfigBuilder {
/**
* Creates a builder that allows any origin (wildcard)
* @return Netty3CorsConfigBuilder configured for any origin
*/
public static Netty3CorsConfigBuilder forAnyOrigin();
/**
* Creates a builder for a specific origin
* @param origin Specific origin URL to allow
* @return Netty3CorsConfigBuilder configured for the specific origin
*/
public static Netty3CorsConfigBuilder forOrigin(String origin);
/**
* Creates a builder for regex pattern-based origins
* @param pattern Regex pattern for matching allowed origins
* @return Netty3CorsConfigBuilder configured with pattern matching
*/
public static Netty3CorsConfigBuilder forPattern(Pattern pattern);
/**
* Creates a builder for multiple specific origins
* @param origins Variable arguments of origin URLs to allow
* @return Netty3CorsConfigBuilder configured for the specified origins
*/
public static Netty3CorsConfigBuilder forOrigins(String... origins);
/**
* Disables CORS support entirely
* @return Netty3CorsConfigBuilder with CORS disabled
*/
public Netty3CorsConfigBuilder disable();
/**
* Allows credentials (cookies, authorization headers) in CORS requests
* @return Netty3CorsConfigBuilder with credentials enabled
*/
public Netty3CorsConfigBuilder allowCredentials();
/**
* Sets the maximum age for preflight response caching
* @param maxAge Maximum age in seconds
* @return Netty3CorsConfigBuilder with max age configured
*/
public Netty3CorsConfigBuilder maxAge(long maxAge);
/**
* Sets the allowed HTTP methods for CORS requests
* @param methods Set of HttpMethod objects to allow
* @return Netty3CorsConfigBuilder with allowed methods configured
*/
public Netty3CorsConfigBuilder allowedRequestMethods(Set<HttpMethod> methods);
/**
* Sets the allowed request headers for CORS requests
* @param headers Set of header names to allow
* @return Netty3CorsConfigBuilder with allowed headers configured
*/
public Netty3CorsConfigBuilder allowedRequestHeaders(Set<String> headers);
/**
* Adds a static header to preflight responses
* @param name Header name
* @param values Variable arguments of header values
* @return Netty3CorsConfigBuilder with preflight header added
*/
public Netty3CorsConfigBuilder preflightResponseHeader(CharSequence name, Object... values);
/**
* Adds a header with iterable values to preflight responses
* @param name Header name
* @param values Iterable of header values
* @return Netty3CorsConfigBuilder with preflight header added
*/
public <T> Netty3CorsConfigBuilder preflightResponseHeader(CharSequence name, Iterable<T> values);
/**
* Adds a header with callable value to preflight responses
* @param name Header name
* @param valueGenerator Callable that generates header value
* @return Netty3CorsConfigBuilder with preflight header added
*/
public <T> Netty3CorsConfigBuilder preflightResponseHeader(CharSequence name, Callable<T> valueGenerator);
/**
* Disables preflight response headers
* @return Netty3CorsConfigBuilder with preflight headers disabled
*/
public Netty3CorsConfigBuilder noPreflightResponseHeaders();
/**
* Enables short-circuiting of invalid CORS requests
* @return Netty3CorsConfigBuilder with short-circuiting enabled
*/
public Netty3CorsConfigBuilder shortCircuit();
/**
* Builds the final CORS configuration
* @return Netty3CorsConfig immutable configuration object
*/
public Netty3CorsConfig build();
}Usage Examples:
import org.elasticsearch.http.netty3.cors.Netty3CorsConfigBuilder;
import org.elasticsearch.http.netty3.cors.Netty3CorsConfig;
import org.jboss.netty.handler.codec.http.HttpMethod;
// Allow any origin with credentials
Netty3CorsConfig corsConfig = Netty3CorsConfigBuilder
.forAnyOrigin()
.allowCredentials()
.maxAge(3600)
.build();
// Allow specific origins with custom methods and headers
Netty3CorsConfig specificConfig = Netty3CorsConfigBuilder
.forOrigins("https://example.com", "https://app.example.com")
.allowedRequestMethods(Set.of(HttpMethod.GET, HttpMethod.POST, HttpMethod.PUT))
.allowedRequestHeaders(Set.of("Authorization", "Content-Type", "X-Custom-Header"))
.preflightResponseHeader("X-Server", "Elasticsearch")
.maxAge(86400)
.build();
// Disable CORS entirely
Netty3CorsConfig disabledConfig = Netty3CorsConfigBuilder
.forAnyOrigin()
.disable()
.build();
// Use regex pattern for origins
Pattern domainPattern = Pattern.compile("https://.*\\.example\\.com");
Netty3CorsConfig patternConfig = Netty3CorsConfigBuilder
.forPattern(domainPattern)
.allowCredentials()
.shortCircuit()
.build();Netty3CorsHandler Class
Netty channel handler that processes CORS requests according to the configured policy.
/**
* Netty channel handler for processing CORS requests
*/
public class Netty3CorsHandler extends SimpleChannelUpstreamHandler {
/**
* Constant for wildcard origin header value
*/
public static final String ANY_ORIGIN = "*";
/**
* Constructor for CORS handler
* @param config CORS configuration to apply
*/
public Netty3CorsHandler(Netty3CorsConfig config);
/**
* Handles upstream channel events and processes CORS headers
* @param ctx Channel handler context
* @param e Channel event to process
*/
@Override
public void handleUpstream(ChannelHandlerContext ctx, ChannelEvent e);
}CORS Processing Flow
The CORS handler processes requests according to the following flow:
- Origin Validation: Checks if the request origin is allowed according to the configuration
- Preflight Handling: Processes OPTIONS requests for CORS preflight validation
- Header Addition: Adds appropriate CORS headers to responses
- Credential Handling: Manages cookie and authorization header permissions
- Error Handling: Short-circuits invalid requests if configured
Integration with Elasticsearch Settings
CORS configuration integrates with Elasticsearch's standard HTTP settings:
// Standard Elasticsearch CORS settings that map to Netty3CorsConfig
// http.cors.enabled - Enables/disables CORS support
// http.cors.allow-origin - Sets allowed origins (supports patterns)
// http.cors.max-age - Sets preflight cache max age
// http.cors.allow-methods - Sets allowed HTTP methods
// http.cors.allow-headers - Sets allowed request headers
// http.cors.allow-credentials - Enables credential supportConfiguration Example:
# elasticsearch.yml configuration
http.cors.enabled: true
http.cors.allow-origin: "https://*.example.com"
http.cors.max-age: 86400
http.cors.allow-methods: "GET,POST,PUT,DELETE,OPTIONS,HEAD"
http.cors.allow-headers: "Authorization,Content-Type,X-Requested-With"
http.cors.allow-credentials: trueSecurity Considerations
When configuring CORS, consider these security implications:
- Origin Validation: Use specific origins instead of wildcards when possible
- Credential Handling: Only enable credentials for trusted origins
- Method Restrictions: Limit allowed methods to those actually needed
- Header Restrictions: Only allow necessary request headers
- Preflight Caching: Set appropriate max-age to balance performance and security
Install with Tessl CLI
npx tessl i tessl/maven-org-elasticsearch-plugin--transport-netty3-client