The following code sample adds a doOptions method to a servlet and sends the appropriate headers in response to a CORS preflight request.
A CORS preflight request is an HTTP OPTIONS request that most browsers send prior to making an AJAX-JSONP call. The browser expects a series of access control headers stating whether the server allows cross-domain information sharing. The settings in the code below will fit the needs of the vast majority of AJAX-JSONP applications.
public void doOptions(HttpServletRequest req, HttpServletResponse resp)
        throws IOException {
    // The following are CORS headers. Max age informs the
    // browser to keep the results of this call for 1 day.
    resp.setHeader("Access-Control-Allow-Origin", "*");
    resp.setHeader("Access-Control-Allow-Methods", "GET, POST");
    resp.setHeader("Access-Control-Allow-Headers", "Content-Type");
    resp.setHeader("Access-Control-Max-Age", "86400");
    // Tell the browser what requests we allow.
    resp.setHeader("Allow", "GET, HEAD, POST, TRACE, OPTIONS");
}
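
A stricter variant of the handler above, added here as an example and not part of the original page: instead of sending "*" for Access-Control-Allow-Origin, which lets pages from any origin read the responses, it echoes the request's Origin only when that origin is on an allowlist, and sets Vary: Origin so caches keep the per-origin responses apart. The class name, the example.com origins and the javax.servlet package (with Java 9+ for Set.of) are assumptions.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: hypothetical servlet, not code from the original page.
public class AllowlistCorsServlet extends HttpServlet {

    // Constructed sample origins; replace with the sites that really call this API.
    private static final Set<String> ALLOWED_ORIGINS = Set.of(
            "https://app.example.com",
            "https://admin.example.com");

    // Sets the CORS headers shared by the preflight and the actual response.
    // Returns false when the caller's origin is missing or not allowlisted.
    private static boolean applyCors(HttpServletRequest req, HttpServletResponse resp) {
        // The response differs per origin, so caches must key on Origin.
        resp.addHeader("Vary", "Origin");
        String origin = req.getHeader("Origin");
        if (origin == null || !ALLOWED_ORIGINS.contains(origin)) {
            return false; // no CORS headers: the browser blocks the cross-origin read
        }
        // Exact string match against the allowlist, never a prefix or regex match.
        resp.setHeader("Access-Control-Allow-Origin", origin);
        return true;
    }

    @Override
    protected void doOptions(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        if (applyCors(req, resp)) {
            resp.setHeader("Access-Control-Allow-Methods", "GET, POST");
            resp.setHeader("Access-Control-Allow-Headers", "Content-Type");
            resp.setHeader("Access-Control-Max-Age", "86400");
        }
        // Advertise only the methods this servlet actually implements.
        resp.setHeader("Allow", "GET, POST, OPTIONS");
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // The actual response needs the same origin header as the preflight.
        applyCors(req, resp);
        resp.setContentType("application/json");
        resp.getWriter().write("{\"status\":\"ok\"}");
    }
}
```

A preflight from an origin outside the allowlist receives a 204 with no Access-Control-* headers, so the browser refuses to send the cross-origin request.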