public class CorsConfiguration extends Object

By default a newly created CorsConfiguration does not permit any cross-origin requests and must be configured explicitly to indicate what should be allowed. Use applyPermitDefaultValues() to flip the initialization model to start with open defaults that permit all cross-origin requests for GET, HEAD, and POST requests.
Modifier and Type | Field and Description
---|---
static String | ALL: Wildcard representing all origins, methods, or headers.

| Constructor and Description |
|---|
| CorsConfiguration(): Construct a new CorsConfiguration instance with no cross-origin requests allowed for any origin by default. |
| CorsConfiguration(CorsConfiguration other): Construct a new CorsConfiguration instance by copying all values from the supplied CorsConfiguration. |
Modifier and Type | Method and Description
---|---
void | addAllowedHeader(String allowedHeader): Add an actual request header to allow.
void | addAllowedMethod(HttpMethod method): Add an HTTP method to allow.
void | addAllowedMethod(String method): Add an HTTP method to allow.
void | addAllowedOrigin(String origin): Add an origin to allow.
void | addExposedHeader(String exposedHeader): Add a response header to expose.
CorsConfiguration | applyPermitDefaultValues(): Flip the initialization model from deny-by-default to open defaults that permit all cross-origin requests for GET, HEAD, and POST, without overriding any values already set.
List<String> | checkHeaders(List<String> requestHeaders): Check the supplied request headers (or the headers listed in the Access-Control-Request-Headers of a pre-flight request) against the configured allowed headers.
List<HttpMethod> | checkHttpMethod(HttpMethod requestMethod): Check the HTTP request method (or the method from the Access-Control-Request-Method header on a pre-flight request) against the configured allowed methods.
String | checkOrigin(String requestOrigin): Check the origin of the request against the configured allowed origins.
CorsConfiguration | combine(CorsConfiguration other): Combine the supplied CorsConfiguration with this one.
Boolean | getAllowCredentials(): Return the configured allowCredentials flag, or null if none.
List<String> | getAllowedHeaders(): Return the allowed actual request headers, or null if none.
List<String> | getAllowedMethods(): Return the allowed HTTP methods, or null, in which case only "GET" and "HEAD" are allowed.
List<String> | getAllowedOrigins(): Return the configured origins to allow, or null if none.
List<String> | getExposedHeaders(): Return the configured response headers to expose, or null if none.
Long | getMaxAge(): Return the configured maxAge value, or null if none.
void | setAllowCredentials(Boolean allowCredentials): Whether user credentials are supported.
void | setAllowedHeaders(List<String> allowedHeaders): Set the list of headers that a pre-flight request can list as allowed for use during an actual request.
void | setAllowedMethods(List<String> allowedMethods): Set the HTTP methods to allow, e.g. "GET", "POST", "PUT", etc.
void | setAllowedOrigins(List<String> allowedOrigins): Set the origins to allow, e.g. "https://domain1.com".
void | setExposedHeaders(List<String> exposedHeaders): Set the list of response headers other than simple headers (i.e. Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, or Pragma) that an actual response might have and can be exposed.
void | setMaxAge(Long maxAge): Configure how long, in seconds, the response from a pre-flight request can be cached by clients.
public static final String ALL

Wildcard representing all origins, methods, or headers.
public CorsConfiguration()

Construct a new CorsConfiguration instance with no cross-origin requests allowed for any origin by default.

See also: applyPermitDefaultValues()
public CorsConfiguration(CorsConfiguration other)

Construct a new CorsConfiguration instance by copying all values from the supplied CorsConfiguration.
public void setAllowedOrigins(List<String> allowedOrigins)

Set the origins to allow, e.g. "https://domain1.com". The special value "*" allows all domains. By default this is not set.

Note: CORS checks use values from "Forwarded" (RFC 7239), "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers, if present, in order to reflect the client-originated address. Those headers are only trustworthy when a proxy you control sets them and strips any client-supplied copies; otherwise a client can forge them. Consider using the ForwardedHeaderFilter in order to choose from a central place whether to extract and use, or to discard such headers. See the Spring Framework reference for more on this filter.
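One way to make that central choice, as an added example that is not code from the Spring project: a servlet initializer that registers ForwardedHeaderFilter ahead of everything else and switches it between "trust and extract" and "discard" based on whether a trusted proxy is in front of the application. The BEHIND_TRUSTED_PROXY flag, the filter name, the javax.servlet (pre-Jakarta) API and the filter's setRemoveOnly(boolean) switch are assumptions not described on this page.

```java
import java.util.EnumSet;

import javax.servlet.DispatcherType;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;

import org.springframework.web.WebApplicationInitializer;
import org.springframework.web.filter.ForwardedHeaderFilter;

/**
 * Registers ForwardedHeaderFilter once, in front of everything else, so the
 * decision to trust or discard Forwarded / X-Forwarded-* headers is made in one
 * place before any CORS check looks at the request.
 * Added example; not code from the Spring project.
 */
public class ForwardedHeaderInitializer implements WebApplicationInitializer {

    /**
     * Assumption for this example: true only when a proxy you control sits in
     * front of the application and overwrites these headers on every request,
     * so that a client cannot forge them. Defaults to the safe choice.
     */
    static final boolean BEHIND_TRUSTED_PROXY = false;

    /**
     * Trusted proxy: the filter extracts the headers and exposes the
     * client-originated scheme, host and port to the rest of the pipeline.
     * No trusted proxy: remove-only mode strips the headers so downstream
     * checks see only connection-level values. setRemoveOnly(boolean) is a
     * ForwardedHeaderFilter method that this page does not describe.
     */
    static ForwardedHeaderFilter forwardedHeaderFilter(boolean behindTrustedProxy) {
        ForwardedHeaderFilter filter = new ForwardedHeaderFilter();
        filter.setRemoveOnly(!behindTrustedProxy);
        return filter;
    }

    @Override
    public void onStartup(ServletContext servletContext) throws ServletException {
        FilterRegistration.Dynamic registration = servletContext.addFilter(
                "forwardedHeaderFilter", forwardedHeaderFilter(BEHIND_TRUSTED_PROXY));
        // isMatchAfter=false places this mapping ahead of filters declared in web.xml,
        // so the trust decision is applied before a CORS filter reads the request.
        registration.addMappingForUrlPatterns(
                EnumSet.of(DispatcherType.REQUEST, DispatcherType.ASYNC, DispatcherType.ERROR),
                false, "/*");
    }
}
```

Keeping the flag false unless the deployment really has a header-rewriting proxy is the conservative choice: an application that honours X-Forwarded-Host from an arbitrary client computes its own address, and therefore its same-origin versus cross-origin decision, from attacker-controlled input.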
public List<String> getAllowedOrigins()

Return the configured origins to allow, or null if none.

See also: addAllowedOrigin(String), setAllowedOrigins(List)

public void addAllowedOrigin(String origin)

Add an origin to allow.
public void setAllowedMethods(List<String> allowedMethods)

Set the HTTP methods to allow, e.g. "GET", "POST", "PUT", etc. The special value "*" allows all methods. If not set, only "GET" and "HEAD" are allowed. By default this is not set.
public List<String> getAllowedMethods()

Return the allowed HTTP methods, or null, in which case only "GET" and "HEAD" are allowed.

public void addAllowedMethod(HttpMethod method)

Add an HTTP method to allow.

public void addAllowedMethod(String method)

Add an HTTP method to allow.
public void setAllowedHeaders(List<String> allowedHeaders)

Set the list of headers that a pre-flight request can list as allowed for use during an actual request. The special value "*" allows actual requests to send any header. A header name is not required to be listed if it is one of: Cache-Control, Content-Language, Expires, Last-Modified, or Pragma. By default this is not set.
public List<String> getAllowedHeaders()

Return the allowed actual request headers, or null if none.

See also: addAllowedHeader(String), setAllowedHeaders(List)

public void addAllowedHeader(String allowedHeader)

Add an actual request header to allow.
public void setExposedHeaders(List<String> exposedHeaders)

Set the list of response headers other than simple headers (i.e. Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, or Pragma) that an actual response might have and can be exposed. Note that "*" is not a valid exposed header value. By default this is not set.

public List<String> getExposedHeaders()

Return the configured response headers to expose, or null if none.

See also: addExposedHeader(String), setExposedHeaders(List)

public void addExposedHeader(String exposedHeader)

Add a response header to expose. Note that "*" is not a valid exposed header value.
public void setAllowCredentials(Boolean allowCredentials)

Whether user credentials are supported. By default this is not set (i.e. user credentials are not supported). Enable this only together with an explicit list of trusted origins: once credentials are supported, the allowed origins decide which sites may send cookie- or Authorization-bearing requests on the user's behalf, and browsers do not accept the wildcard "*" as Access-Control-Allow-Origin on a credentialed response.

public Boolean getAllowCredentials()

Return the configured allowCredentials flag, or null if none.

See also: setAllowCredentials(Boolean)
public void setMaxAge(Long maxAge)

Configure how long, in seconds, the response from a pre-flight request can be cached by clients. By default this is not set.

public Long getMaxAge()

Return the configured maxAge value, or null if none.

See also: setMaxAge(Long)
public CorsConfiguration applyPermitDefaultValues()

By default a newly created CorsConfiguration does not permit any cross-origin requests and must be configured explicitly to indicate what should be allowed.

Use this method to flip the initialization model to start with open defaults that permit all cross-origin requests for GET, HEAD, and POST requests. Note however that this method will not override any existing values already set.

The following defaults are applied if not already set:

- Allow all origins.
- Allow the methods GET, HEAD and POST.

Because the defaults allow every origin, set the properties you want restricted (at minimum the allowed origins) before calling this method, or tighten them afterwards; otherwise the result is an endpoint open to any site.

public CorsConfiguration combine(CorsConfiguration other)

Combine the supplied CorsConfiguration with this one. Properties of this configuration are overridden by any non-null properties of the supplied one.

Returns: the combined CorsConfiguration, or this configuration if the supplied configuration is null
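The two initialization models side by side, the non-overriding behaviour of applyPermitDefaultValues() and the override rule of combine(), as an added example that is not code from the Spring project. The origin "https://app.example.com", the max-age values and the global/per-handler split are assumptions chosen for illustration.

```java
import java.util.Arrays;

import org.springframework.web.cors.CorsConfiguration;

/**
 * Deny-by-default versus permit-defaults initialization, plus what
 * applyPermitDefaultValues() and combine() do with values already set.
 * Added example; not code from the Spring project.
 */
public class CorsDefaultsExample {

    /** Nothing configured: per the class contract, no cross-origin request is permitted. */
    static CorsConfiguration denyByDefault() {
        return new CorsConfiguration();
    }

    /** Open defaults on a fresh instance: every origin, and GET, HEAD and POST. */
    static CorsConfiguration permitDefaults() {
        return new CorsConfiguration().applyPermitDefaultValues();
    }

    /**
     * The origin list is set first, then the open defaults are applied. Because
     * applyPermitDefaultValues() does not override values already set, the origin
     * list survives and only the unset properties receive defaults (the allowed
     * methods become GET, HEAD and POST). This is the safe order of operations.
     */
    static CorsConfiguration explicitOriginThenDefaults() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(Arrays.asList("https://app.example.com")); // assumed trusted origin
        config.applyPermitDefaultValues();
        return config;
    }

    /**
     * combine(): a non-null property of the supplied configuration overrides the
     * same property here, a null one leaves it untouched, and combine(null)
     * returns this configuration unchanged.
     */
    static CorsConfiguration globalOverriddenPerHandler() {
        CorsConfiguration global = new CorsConfiguration();
        global.setAllowedOrigins(Arrays.asList("https://app.example.com"));
        global.setAllowCredentials(false);
        global.setMaxAge(1800L);               // assumed global pre-flight cache time

        CorsConfiguration perHandler = new CorsConfiguration();
        perHandler.setMaxAge(60L);             // non-null: overrides the global 1800
        // allowCredentials is left null here, so the global value (false) is kept

        return global.combine(perHandler);
    }

    public static void main(String[] args) {
        String trusted = "https://app.example.com";
        String other = "https://other.example.org";   // constructed, not in the allow list

        // checkOrigin returns null when the origin is not allowed (see checkOrigin).
        System.out.println("deny-by-default, trusted origin: " + denyByDefault().checkOrigin(trusted));
        System.out.println("permit-defaults, any origin:     " + permitDefaults().checkOrigin(other));

        CorsConfiguration kept = explicitOriginThenDefaults();
        System.out.println("origins kept after defaults:     " + kept.getAllowedOrigins());
        System.out.println("methods filled in by defaults:   " + kept.getAllowedMethods());
        System.out.println("other origin still rejected:     " + kept.checkOrigin(other));

        CorsConfiguration merged = globalOverriddenPerHandler();
        System.out.println("merged maxAge=" + merged.getMaxAge()
                + " allowCredentials=" + merged.getAllowCredentials());
        System.out.println("combine(null) returns this:      " + (merged.combine(null) == merged));
    }
}
```

The order in explicitOriginThenDefaults() is the one to copy: restrictions first, defaults second. Reversing it does not change the outcome for properties that are already set, but it makes it easy to forget that an unset origin list silently becomes "allow all origins".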
public String checkOrigin(String requestOrigin)

Check the origin of the request against the configured allowed origins.

Parameters: requestOrigin - the origin to check
Returns: the origin value to use in the response, or null, which means the request origin is not allowed

public List<HttpMethod> checkHttpMethod(HttpMethod requestMethod)

Check the HTTP request method (or the method from the Access-Control-Request-Method header on a pre-flight request) against the configured allowed methods.

Parameters: requestMethod - the HTTP request method to check
Returns: the allowed HTTP methods, for use in the response to a pre-flight request, or null if the supplied requestMethod is not allowed

public List<String> checkHeaders(List<String> requestHeaders)

Check the supplied request headers (or the headers listed in the Access-Control-Request-Headers of a pre-flight request) against the configured allowed headers.

Parameters: requestHeaders - the request headers to check
Returns: the allowed headers, for use in the response to a pre-flight request, or null if none of the supplied request headers is allowed
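The three check methods applied in sequence to constructed pre-flight requests, the way a CORS filter would before writing its Access-Control-Allow-* headers, as an added example that is not code from the Spring project. It also ties together setAllowedOrigins, setAllowedHeaders, setExposedHeaders and setAllowCredentials from above. The origins, the PreflightDecision holder, the header names and the method set are assumptions chosen for illustration.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.http.HttpMethod;
import org.springframework.web.cors.CorsConfiguration;

/**
 * Runs checkOrigin, checkHttpMethod and checkHeaders over constructed pre-flight
 * requests against an explicit, deny-by-default configuration.
 * Added example; not code from the Spring project.
 */
public class PreflightCheckExample {

    /** One trusted origin, an explicit method and header list, no wildcard anywhere. */
    static CorsConfiguration trustedOriginConfig() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(Arrays.asList("https://app.example.com")); // assumed trusted origin
        config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT"));
        config.setAllowedHeaders(Arrays.asList("Authorization", "Content-Type"));
        config.setExposedHeaders(Arrays.asList("X-Request-Id"));          // "*" is not valid here
        config.setAllowCredentials(true);  // credentials only ever reach the single listed origin
        config.setMaxAge(600L);
        return config;
    }

    /** Header values a pre-flight response carries once every check has passed. */
    static final class PreflightDecision {
        final String allowOrigin;
        final List<HttpMethod> allowMethods;
        final List<String> allowHeaders;

        PreflightDecision(String allowOrigin, List<HttpMethod> allowMethods, List<String> allowHeaders) {
            this.allowOrigin = allowOrigin;
            this.allowMethods = allowMethods;
            this.allowHeaders = allowHeaders;
        }

        @Override
        public String toString() {
            return "Access-Control-Allow-Origin: " + allowOrigin
                    + "; Access-Control-Allow-Methods: " + allowMethods
                    + "; Access-Control-Allow-Headers: " + allowHeaders;
        }
    }

    /**
     * Applies the three checks in turn. A null from any of them means that part
     * of the request is not allowed, so the whole pre-flight is rejected (null)
     * instead of being answered with a partial set of headers.
     */
    static PreflightDecision evaluate(CorsConfiguration config, String origin,
                                      HttpMethod requestedMethod, List<String> requestedHeaders) {
        String allowOrigin = config.checkOrigin(origin);
        if (allowOrigin == null) {
            return null;                       // origin is not in the allow list
        }
        List<HttpMethod> allowMethods = config.checkHttpMethod(requestedMethod);
        if (allowMethods == null) {
            return null;                       // Access-Control-Request-Method is not allowed
        }
        List<String> allowHeaders = config.checkHeaders(requestedHeaders);
        if (allowHeaders == null) {
            return null;                       // none of Access-Control-Request-Headers is allowed
        }
        return new PreflightDecision(allowOrigin, allowMethods, allowHeaders);
    }

    public static void main(String[] args) {
        CorsConfiguration config = trustedOriginConfig();
        List<String> requested = Arrays.asList("Authorization", "Content-Type");

        // Constructed pre-flight requests; by the check* contracts only the first passes.
        System.out.println("trusted origin, PUT:        "
                + evaluate(config, "https://app.example.com", HttpMethod.PUT, requested));
        System.out.println("untrusted origin, PUT:      "
                + evaluate(config, "https://attacker.example.net", HttpMethod.PUT, requested));
        System.out.println("trusted origin, DELETE:     "
                + evaluate(config, "https://app.example.com", HttpMethod.DELETE, requested));
        System.out.println("trusted origin, X-Debug hdr: "
                + evaluate(config, "https://app.example.com", HttpMethod.GET, Arrays.asList("X-Debug")));
    }
}
```

The configuration deliberately pairs setAllowCredentials(true) with a single literal origin rather than "*". Browsers refuse a credentialed response whose Access-Control-Allow-Origin is the wildcard, and the usual workaround of echoing whatever Origin the request carried turns "all origins" into "any site may make authenticated requests as the user", which is the outcome an explicit allow list exists to prevent.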