public class CorsRegistration extends Object
CorsConfiguration instance mapped to a path pattern. By default all origins, headers, and credentials for GET, HEAD, and POST requests are allowed while the max age is set to 30 minutes.
See also: CorsConfiguration, CorsRegistry
Constructor and Description |
---|
CorsRegistration(String pathPattern) Create a new CorsRegistration that allows all origins, headers, and credentials for GET, HEAD, and POST requests with max age set to 1800 seconds (30 minutes) for the specified path. |
Modifier and Type | Method and Description |
---|---|
CorsRegistration | allowCredentials(boolean allowCredentials) Whether user credentials are supported in which case the browser should include any cookies associated with the domain of the request being annotated. |
CorsRegistration | allowedHeaders(String... headers) Set the list of headers that a pre-flight request can list as allowed for use during an actual request. |
CorsRegistration | allowedMethods(String... methods) Set the HTTP methods to allow, e.g. |
CorsRegistration | allowedOrigins(String... origins) Set the origins to allow, e.g. |
CorsRegistration | exposedHeaders(String... headers) Set the list of response headers other than "simple" headers, i.e. |
protected CorsConfiguration | getCorsConfiguration() |
protected String | getPathPattern() |
CorsRegistration | maxAge(long maxAge) Configure how long in seconds the response from a pre-flight request can be cached by clients. |
public CorsRegistration(String pathPattern)
Create a new CorsRegistration that allows all origins, headers, and credentials for GET, HEAD, and POST requests with max age set to 1800 seconds (30 minutes) for the specified path.
pathPattern - the path that the CORS configuration should apply to; exact path mapping URIs (such as "/admin") are supported as well as Ant-style path patterns (such as "/admin/**").
public CorsRegistration allowedOrigins(String... origins)
Set the origins to allow, e.g. "https://domain1.com". The special value "*" allows all domains.
By default, all origins are allowed.
Note: CORS checks use values from "Forwarded" (RFC 7239), "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers, if present, in order to reflect the client-originated address. Consider using the ForwardedHeaderFilter in order to choose from a central place whether to extract and use, or to discard such headers. See the Spring Framework reference for more on this filter.
public CorsRegistration allowedMethods(String... methods)
Set the HTTP methods to allow, e.g. "GET", "POST", etc. The special value "*" allows all methods.
By default "simple" methods GET, HEAD, and POST are allowed.
public CorsRegistration allowedHeaders(String... headers)
The special value "*" may be used to allow all headers.
A header name is not required to be listed if it is one of: Cache-Control, Content-Language, Expires, Last-Modified, or Pragma as per the CORS spec.
By default all headers are allowed.
public CorsRegistration exposedHeaders(String... headers)
Set the list of response headers other than "simple" headers, i.e. Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, or Pragma, that an actual response might have and can be exposed.
Note that "*" is not supported on this property.
By default this is not set.
public CorsRegistration maxAge(long maxAge)
By default this is set to 1800 seconds (30 minutes).
public CorsRegistration allowCredentials(boolean allowCredentials)
By default this is false and user credentials are not allowed.
protected String getPathPattern()
protected CorsConfiguration getCorsConfiguration()
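The following is an added example, not part of the Spring Javadoc: it shows a mapping that relies on the permissive defaults described above next to one that replaces each default with an explicit allow-list, plus a ForwardedHeaderFilter that discards forwarded headers. It assumes Spring MVC (servlet stack) on Spring 5 or later, where WebMvcConfigurer can be implemented directly; the class name, paths, origins, and the X-Request-Id header are constructed for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.filter.ForwardedHeaderFilter;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// Hypothetical configuration class; paths, origins and header names are constructed.
@Configuration
public class ApiCorsConfig implements WebMvcConfigurer {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        // Weak: addMapping() alone returns a CorsRegistration with the permissive
        // defaults (all origins and headers for GET, HEAD and POST).
        // registry.addMapping("/api/**");

        // Hardened: every default is replaced with an explicit allow-list.
        registry.addMapping("/api/**")
                .allowedOrigins("https://app.example.com")   // explicit origin, no "*"
                .allowedMethods("GET", "POST")
                .allowedHeaders("Content-Type", "Authorization")
                .exposedHeaders("X-Request-Id")               // "*" is not supported here
                .allowCredentials(true)                       // credentialed requests from the origin above
                .maxAge(600);                                 // seconds; default is 1800

        // Ant-style pattern for a second, stricter mapping without credentials.
        registry.addMapping("/admin/**")
                .allowedOrigins("https://admin.example.com")
                .allowedMethods("GET")
                .allowCredentials(false);
    }

    // CORS checks read Forwarded / X-Forwarded-* headers when present. This
    // filter decides in one place whether they are used or discarded; here they
    // are discarded because no trusted proxy is assumed to sit in front.
    // Assumption: the filter bean is registered with the servlet container
    // (Spring Boot does this automatically; otherwise register it manually).
    @Bean
    public ForwardedHeaderFilter forwardedHeaderFilter() {
        ForwardedHeaderFilter filter = new ForwardedHeaderFilter();
        filter.setRemoveOnly(true);
        return filter;
    }
}
```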