@Target(value={METHOD,TYPE}) @Retention(value=RUNTIME) @Documented public @interface CrossOrigin
HandlerMapping
is configured.
Both Spring Web MVC and Spring WebFlux support this annotation through the
RequestMappingHandlerMapping
in their respective modules. The values
from each type and method level pair of annotations are added to a
CorsConfiguration
and then default values are applied via
CorsConfiguration.applyPermitDefaultValues()
.
The rules for combining global and local configuration are generally
additive -- e.g. all global and all local origins. For those attributes
where only a single value can be accepted such as allowCredentials
and maxAge
, the local overrides the global value.
See CorsConfiguration.combine(CorsConfiguration)
for more details.
Modifier and Type | Fields and Description |
---|---|
static boolean |
DEFAULT_ALLOW_CREDENTIALS
Deprecated.
as of Spring 5.0, in favor of
CorsConfiguration.applyPermitDefaultValues() |
static String[] |
DEFAULT_ALLOWED_HEADERS
Deprecated.
as of Spring 5.0, in favor of
CorsConfiguration.applyPermitDefaultValues() |
static long |
DEFAULT_MAX_AGE
Deprecated.
as of Spring 5.0, in favor of
CorsConfiguration.applyPermitDefaultValues() |
static String[] |
DEFAULT_ORIGINS
Deprecated.
as of Spring 5.0, in favor of
CorsConfiguration.applyPermitDefaultValues() |
Modifier and Type | Optional Element and Description |
---|---|
String |
allowCredentials
Whether the browser should send credentials, such as cookies along with
cross domain requests, to the annotated endpoint.
|
String[] |
allowedHeaders
The list of request headers that are permitted in actual requests,
possibly
"*" to allow all headers. |
String[] |
exposedHeaders
The List of response headers that the user-agent will allow the client
to access on an actual response, other than "simple" headers, i.e.
|
long |
maxAge
The maximum age (in seconds) of the cache duration for preflight responses.
|
RequestMethod[] |
methods
The list of supported HTTP request methods.
|
String[] |
origins
The list of allowed origins that be specific origins, e.g.
|
String[] |
value
Alias for
origins() . |
@Deprecated public static final String[] DEFAULT_ORIGINS
CorsConfiguration.applyPermitDefaultValues()
@Deprecated public static final String[] DEFAULT_ALLOWED_HEADERS
CorsConfiguration.applyPermitDefaultValues()
@Deprecated public static final boolean DEFAULT_ALLOW_CREDENTIALS
CorsConfiguration.applyPermitDefaultValues()
@Deprecated public static final long DEFAULT_MAX_AGE
CorsConfiguration.applyPermitDefaultValues()
@AliasFor(value="value") public abstract String[] origins
"https://domain1.com"
, or "*"
for all origins.
A matched origin is listed in the Access-Control-Allow-Origin
response header of preflight actual CORS requests.
By default all origins are allowed.
Note: CORS checks use values from "Forwarded"
(RFC 7239),
"X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers,
if present, in order to reflect the client-originated address.
Consider using the ForwardedHeaderFilter
in order to choose from a
central place whether to extract and use, or to discard such headers.
See the Spring Framework reference for more on this filter.
value()
public abstract String[] allowedHeaders
"*"
to allow all headers.
Allowed headers are listed in the Access-Control-Allow-Headers
response header of preflight requests.
A header name is not required to be listed if it is one of:
Cache-Control
, Content-Language
, Expires
,
Last-Modified
, or Pragma
as per the CORS spec.
By default all requested headers are allowed.
public abstract String[] exposedHeaders
Cache-Control
, Content-Language
, Content-Type
,
Expires
, Last-Modified
, or Pragma
,
Exposed headers are listed in the Access-Control-Expose-Headers
response header of actual CORS requests.
By default no headers are listed as exposed.
public abstract RequestMethod[] methods
By default the supported methods are the same as the ones to which a controller method is mapped.
public abstract String allowCredentials
Access-Control-Allow-Credentials
response header of
preflight requests.
NOTE: Be aware that this option establishes a high level of trust with the configured domains and also increases the surface attack of the web application by exposing sensitive user-specific information such as cookies and CSRF tokens.
By default this is not set in which case the
Access-Control-Allow-Credentials
header is also not set and
credentials are therefore not allowed.
public abstract long maxAge
This property controls the value of the Access-Control-Max-Age
response header of preflight requests.
Setting this to a reasonable value can reduce the number of preflight request/response interactions required by the browser. A negative value means undefined.
By default this is set to 1800
seconds (30 minutes).