@Target(value={METHOD,TYPE}) @Retention(value=RUNTIME) @Documented public @interface CrossOrigin
By default all origins and headers are permitted, credentials are not allowed, and the maximum age is set to 1800 seconds (30 minutes). The list of HTTP methods is set to the methods on the @RequestMapping if not explicitly set on @CrossOrigin.
NOTE: @CrossOrigin is processed if an appropriate HandlerMapping-HandlerAdapter pair is configured, such as the RequestMappingHandlerMapping-RequestMappingHandlerAdapter pair, which are the default in the MVC Java config and the MVC namespace. In particular, @CrossOrigin is not supported with the DefaultAnnotationHandlerMapping-AnnotationMethodHandlerAdapter pair, both of which are also deprecated.
Modifier and Type | Fields and Description
---|---
static boolean | DEFAULT_ALLOW_CREDENTIALS. Deprecated as of Spring 4.3.4, in favor of using CorsConfiguration.applyPermitDefaultValues()
static String[] | DEFAULT_ALLOWED_HEADERS. Deprecated as of Spring 4.3.4, in favor of using CorsConfiguration.applyPermitDefaultValues()
static long | DEFAULT_MAX_AGE. Deprecated as of Spring 4.3.4, in favor of using CorsConfiguration.applyPermitDefaultValues()
static String[] | DEFAULT_ORIGINS. Deprecated as of Spring 4.3.4, in favor of using CorsConfiguration.applyPermitDefaultValues()
Modifier and Type | Optional Element and Description
---|---
String | allowCredentials: Whether the browser should include any cookies associated with the domain of the request being annotated.
String[] | allowedHeaders: List of request headers that can be used during the actual request.
String[] | exposedHeaders: List of response headers that the user-agent will allow the client to access.
long | maxAge: The maximum age (in seconds) of the cache duration for pre-flight responses.
RequestMethod[] | methods: List of supported HTTP request methods, e.g. "{RequestMethod.GET, RequestMethod.POST}".
String[] | origins: List of allowed origins, e.g. "https://domain1.com".
String[] | value: Alias for origins().
@Deprecated public static final String[] DEFAULT_ORIGINS
Deprecated. As of Spring 4.3.4, in favor of using CorsConfiguration.applyPermitDefaultValues()

@Deprecated public static final String[] DEFAULT_ALLOWED_HEADERS
Deprecated. As of Spring 4.3.4, in favor of using CorsConfiguration.applyPermitDefaultValues()

@Deprecated public static final boolean DEFAULT_ALLOW_CREDENTIALS
Deprecated. As of Spring 4.3.4, in favor of using CorsConfiguration.applyPermitDefaultValues()

@Deprecated public static final long DEFAULT_MAX_AGE
Deprecated. As of Spring 4.3.4, in favor of using CorsConfiguration.applyPermitDefaultValues()
@AliasFor(value="value") public abstract String[] origins
List of allowed origins, e.g. "https://domain1.com". These values are placed in the Access-Control-Allow-Origin header of both the pre-flight response and the actual response. "*" means that all origins are allowed. If undefined, all origins are allowed.

Note: CORS checks use values from "Forwarded" (RFC 7239), "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers, if present, in order to reflect the client-originated address. Consider using the ForwardedHeaderFilter in order to choose from a central place whether to extract and use, or to discard, such headers. See the Spring Framework reference for more on this filter.

See also: value()
public abstract String[] allowedHeaders
List of request headers that can be used during the actual request. This property controls the value of the pre-flight response's Access-Control-Allow-Headers header. "*" means that all headers requested by the client are allowed. If undefined, all requested headers are allowed.
public abstract String[] exposedHeaders
List of response headers that the user-agent will allow the client to access. This property controls the value of the actual response's Access-Control-Expose-Headers header. If undefined, an empty exposed header list is used.
public abstract RequestMethod[] methods
List of supported HTTP request methods, e.g. "{RequestMethod.GET, RequestMethod.POST}". Methods specified here override those specified via RequestMapping. If undefined, methods defined by the RequestMapping annotation are used.
public abstract String allowCredentials
Whether the browser should include any cookies associated with the domain of the request being annotated. Set to "false" if such cookies should not be included. An empty string ("") means undefined. "true" means that the pre-flight response will include the header Access-Control-Allow-Credentials=true. If undefined, this is set to "false", in which case credentials are not allowed.
public abstract long maxAge
The maximum age (in seconds) of the cache duration for pre-flight responses. This property controls the value of the Access-Control-Max-Age header in the pre-flight response. Setting this to a reasonable value can reduce the number of pre-flight request/response interactions required by the browser. A negative value means undefined. If undefined, max age is set to 1800 seconds (i.e., 30 minutes).
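As an added illustration (not part of the Spring Javadoc), a controller that puts the permissive defaults described above next to an explicit allow-list configuration; the controller class, paths and the origin https://app.example.com are assumed:

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller, written only to show the annotation's defaults.
@RestController
@RequestMapping("/api/profile")
public class ProfileController {

    // Bare @CrossOrigin keeps every default: Access-Control-Allow-Origin is "*",
    // every requested header is allowed, credentials are NOT allowed, and the
    // pre-flight response is cacheable for 1800 seconds. Because credentials are
    // off, the browser sends no session cookie, so this suits only public data.
    @CrossOrigin
    @GetMapping("/public")
    public Map<String, String> publicProfile() {
        return Collections.singletonMap("displayName", "public user");
    }

    // Explicit form for an authenticated endpoint: one allow-listed origin,
    // credentials enabled so the browser attaches the session cookie, an explicit
    // method list (overriding the method from @PostMapping), an explicit request
    // header list, one exposed response header, and a longer pre-flight cache.
    // The CORS protocol does not let a browser accept "*" together with
    // credentials, so a concrete origin list is required here.
    @CrossOrigin(
            origins = "https://app.example.com",   // assumed front-end origin
            allowCredentials = "true",
            methods = RequestMethod.POST,
            allowedHeaders = {"Content-Type", "X-Requested-With"},
            exposedHeaders = "X-Request-Id",
            maxAge = 3600)
    @PostMapping("/update")
    public Map<String, Object> update(@RequestBody Map<String, Object> body) {
        Map<String, Object> result = new HashMap<String, Object>();
        result.put("updated", Boolean.TRUE);
        result.put("fields", body.keySet());
        return result;
    }
}
```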