enkan-core package has middlewares as follows:
AuthenticationMiddleware enables to authenticate a request using some backends.
| Name | Description |
|---|---|
| backends | The list of authentication backends. |
app.use(new AuthenticationMiddleware(backends));
app.use(new ServiceUnavailableMiddleware(serviceUnavailableEndpoint));
| Name | Type | Description |
|---|---|---|
| endpoint | Endpoint | Returns the response when service is unavailable. |
enkan-web package has middlewares as follows:
AbsoluteRedirectsMiddleware rewrites the URL contains Location http response header to the absolute URL.
Location: /abc/123
↓
Location: http://myhost/abc/123
app.use(new AbsoluteRedirectsMiddleware());
AbsoluteRedirectsMiddleware has no properties.
AntiForgeryMiddleware appends the token check for protecting from the CSRF attack.
When the request method isn’t GET/HEAD/OPTIONS, AntiForgeryMiddleware validates the given token.
If the token is invalid, it returns the forbidden response.
Because AntiForgeryMiddleware requires Session, We recommend using Conversation instead of this.
app.use(new AntiForgeryMiddleware());
AntiForgeryMiddleware has no properties.
Parses the Accept header and sets the value to a request.
app.use(new ContentNegotiationMiddleware());
Adds the Content-Type header if the response does not contains a Content-Type header yet.
app.use(new ContentTypeMiddleware());
Creates a conversation and save states related with its conversation to the conversation store.
app.use(new ConversationMiddleware());
Parses Cookie header and sets the Set-Cookie header to the response.
app.use(new CookiesMiddleware());
Adds the default charset to the response.
app.use(new DefaultCharsetMiddleware());
Serializes and deserializes a flash value.
app.use(new FlashMiddleware());
Enkan Session has no expires in default. This middleware append the feature of timeout to the session.
app.use(new IdleSessionTimeoutMiddleware());
Override a request method.
app.use(new MethodOverrideMiddleware());
Parses the multipart request.
app.use(new MultipartParamsMiddleware());
NestedParamsMiddleware enables to parse nested parameters like foo[][bar]. It requires ParamMiddleware.
app.use(new NestedParamsMiddleware());
Normalize the parameter values. It’s for trimming spaces or converting letter case.
app.use(new NormalizationMiddleware());
ParamMiddleware enables to parse urlencoded query string and post body and set to a request object.
app.use(new ParamsMiddleware());
Returns the asset file that is searched from classpath.
app.use(new ResourceMiddleware());
| Name | Description |
|---|---|
| rootPath | The path prefix. Default value is public |
SessionMiddleware enables to store/load session objects to/from in-memory stores.
app.use(new SessionMiddleware());
| Name | Description |
|---|---|
| cookieName | A name of cookie for session id. Default value is enkan-session |
| store | A storage for session. |
Adds the response header for tracing using middlewares.
app.use(new TraceMiddleware());
Applies a suite of security-related HTTP response headers in a single middleware (similar to Helmet.js for Express).
All headers are enabled by default with safe values. Pass null to any setter to disable a specific header.
| Header | Default value |
|---|---|
Content-Security-Policy | default-src 'self' |
Strict-Transport-Security | max-age=15552000; includeSubDomains |
X-Content-Type-Options | nosniff |
X-Frame-Options | SAMEORIGIN |
X-XSS-Protection | 0 (disabled — use CSP instead) |
Referrer-Policy | strict-origin-when-cross-origin |
Cross-Origin-Opener-Policy | same-origin |
Cross-Origin-Resource-Policy | same-origin |
// All defaults
app.use(new SecurityHeadersMiddleware());
// Custom CSP, disable HSTS for local development
SecurityHeadersMiddleware sec = new SecurityHeadersMiddleware();
sec.setContentSecurityPolicy("default-src 'self'; img-src *");
sec.setStrictTransportSecurity(null); // disable
app.use(sec);
| Name | Description |
|---|---|
contentSecurityPolicy | Content-Security-Policy value. null disables the header. |
strictTransportSecurity | Strict-Transport-Security value. null disables the header. |
contentTypeOptions | X-Content-Type-Options value. Default: nosniff. |
frameOptions | X-Frame-Options value. Default: SAMEORIGIN. |
xssProtection | X-XSS-Protection value. Default: 0. |
referrerPolicy | Referrer-Policy value. |
crossOriginOpenerPolicy | Cross-Origin-Opener-Policy value. |
crossOriginResourcePolicy | Cross-Origin-Resource-Policy value. |
Invoke a controller method.
app.use(new ControllerInvokerMiddleware());
Populate the request body to a Java bean object.
app.use(new FormMiddleware());
FormMiddleware has no properties.
Render HTML using a template. When a controller returns TemplatedHttpResponse, it has yet to be rendered.
app.use(new RenderTemplateMiddleware());
RenderTemplateMiddleware has no properties.
Routes the request to a controller method.
app.use(new RoutingMiddleware(routes));
| Name | Description |
|---|---|
| routes | Defined routes |
Deserialize the request body and serializes the response body.
app.use(new SerDesMiddleware());
| Name | Description |
|---|---|
| bodyReaders | |
| bodyWriters | |
Manages database transactions around controller invocation.
// requires enkan-component-doma2 dependency
app.use(new DomaTransactionMiddleware<>(config));
Validates the body object. If body object implements the Validatable interface, the error messages are set to it.
app.use(new ValidateBodyMiddleware());
ValidateBodyMiddleware has no properties.
CorsMiddleware handles Cross-Origin Resource Sharing (CORS) headers.
app.use(new CorsMiddleware());
ForwardedSchemeMiddleware detects the original request scheme from X-Forwarded-Proto header and sets it on the request.
app.use(new ForwardedSchemeMiddleware());
Sets Cache-Control response headers based on configurable rules.
A staticPattern regex distinguishes static assets from dynamic responses.
URIs matching the pattern receive the staticDirective; all others receive the dynamicDirective.
If a downstream handler already set Cache-Control, this middleware leaves it unchanged.
CacheControlMiddleware cache = new CacheControlMiddleware();
cache.setStaticPattern(Pattern.compile("^/assets/"));
cache.setStaticMaxAge(Duration.ofDays(365));
cache.setDynamicDirective("no-cache");
app.use(cache);
| Name | Type | Description | Default |
|---|---|---|---|
staticPattern | Pattern | Regex to identify static asset URIs | null (disabled) |
staticMaxAge | Duration | Convenience setter: produces public, max-age=N, immutable | — |
staticDirective | String | Full directive for static assets | "public, max-age=31536000, immutable" |
dynamicDirective | String | Directive for non-static responses; null to omit | "no-cache" |
Stores a non-transactional DSLContext in the request extensions under the key jooqDslContext.
Stack JooqTransactionMiddleware after this when transactional support is needed.
Requires JooqProvider component.
// requires enkan-component-jooq dependency
app.use(new JooqDslContextMiddleware());
Wraps the downstream handler in a jOOQ transaction when the matched controller class or method is annotated with @Transactional.
Method-level annotation overrides class-level. Only REQUIRED propagation is supported.
Requires JooqDslContextMiddleware to be stacked before this middleware.
app.use(new JooqDslContextMiddleware());
app.use(new JooqTransactionMiddleware());
Creates an OpenTelemetry SERVER span for each HTTP request.
Extracts W3C Trace Context (traceparent/tracestate) from incoming headers.
Records HTTP semantic convention attributes: method, URL path, query string, status code, server address/port, client address, and network protocol version.
Requires OpenTelemetryComponent.
// requires enkan-component-opentelemetry dependency
app.use(new TracingMiddleware());