if (supportsCors())
{
String origin = request.getHttpHeaders().getHeaderString(HttpHeaderNames.ORIGIN);
if (corsData.isOriginAllowed(origin))
{
// Emit the CORS response headers for a request whose Origin corsData has accepted.
HttpServletResponseHeaders outputHeaders = response.getOutputHeaders();
// Allow-Origin is "*" when every origin is allowed; otherwise the request's own Origin value is echoed back.
// NOTE(review): origin is null when the request carries no Origin header; presumably isOriginAllowed()
// rejects that case unless all origins are allowed - verify.
// NOTE(review): if isAllOriginsAllowed() and isAllowCredentials() are both true, this sends "*" together with
// Allow-Credentials: true, a combination browsers refuse for credentialed requests. Confirm the configuration
// rules it out, and prefer an explicit origin allow-list over reflecting every Origin when credentials are enabled.
outputHeaders.putSingle(HttpHeaderNames.ACCESS_CONTROL_ALLOW_ORIGIN, corsData.isAllOriginsAllowed()?"*":origin);
// Vary: Origin tells shared/proxy caches that the response depends on the request's Origin,
// so a response cached for one origin is not served to another.
outputHeaders.add(HttpHeaderNames.VARY, HttpHeaderNames.ORIGIN);
// Only advertise credential support when the CORS configuration asks for it.
if (corsData.isAllowCredentials())
{
outputHeaders.putSingle(HttpHeaderNames.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
}
// NOTE(review): the values from getExposeHeaders() are written under ACCESS_CONTROL_ALLOW_HEADERS.
// Browsers read Access-Control-Expose-Headers to decide which response headers scripts may see, and consult
// Access-Control-Allow-Headers only on preflight responses - confirm this header name is intended.
Iterator<String> exposeHeaders = corsData.getExposeHeaders();
while (exposeHeaders.hasNext())
{
outputHeaders.add(HttpHeaderNames.ACCESS_CONTROL_ALLOW_HEADERS, exposeHeaders.next());
}
if (preflightRequest)
{
// Preflight only: list every configured method in Access-Control-Allow-Methods (one header value per method).
Iterator<String> allowMethods = corsData.getAllowMethods();
while (allowMethods.hasNext())
{
outputHeaders.add(HttpHeaderNames.ACCESS_CONTROL_ALLOW_METHODS, allowMethods.next());
}
// A negative max age means no Access-Control-Max-Age header is sent.
if (corsData.getMaxAge() >= 0)
{
outputHeaders.putSingle(HttpHeaderNames.ACCESS_CONTROL_MAX_AGE, corsData.getMaxAge());
}
// Clears the allowed flag (declared outside this excerpt) when corsData does not permit the request's method.
// NOTE(review): a browser preflight is sent as OPTIONS and names the intended method in
// Access-Control-Request-Method. Confirm getHttpMethod() yields the intended method at this point; otherwise
// this check evaluates OPTIONS rather than the method the caller wants to use.
if (!corsData.isAllowMethod(request.getHttpMethod()))
{
allowed = false;
}