public class CorsConfiguration extends Object
By default a newly created CorsConfiguration
does not permit any
cross-origin requests and must be configured explicitly to indicate what
should be allowed. Use applyPermitDefaultValues()
to flip the
initialization model to start with open defaults that permit all cross-origin
requests for GET, HEAD, and POST requests.
Modifier and Type | Field and Description |
---|---|
static String |
ALL
Wildcard representing all origins, methods, or headers.
|
Constructor and Description |
---|
CorsConfiguration()
Construct a new
CorsConfiguration instance with no cross-origin
requests allowed for any origin by default. |
CorsConfiguration(CorsConfiguration other)
Construct a new
CorsConfiguration instance by copying all
values from the supplied CorsConfiguration . |
Modifier and Type | Method and Description |
---|---|
void |
addAllowedHeader(String allowedHeader)
Add an actual request header to allow.
|
void |
addAllowedMethod(HttpMethod method)
Add an HTTP method to allow.
|
void |
addAllowedMethod(String method)
Add an HTTP method to allow.
|
void |
addAllowedOrigin(String origin)
Add an origin to allow.
|
void |
addExposedHeader(String exposedHeader)
Add a response header to expose.
|
CorsConfiguration |
applyPermitDefaultValues()
By default a newly created
CorsConfiguration does not permit any
cross-origin requests and must be configured explicitly to indicate what
should be allowed. |
List<String> |
checkHeaders(List<String> requestHeaders)
Check the supplied request headers (or the headers listed in the
Access-Control-Request-Headers of a pre-flight request) against
the configured allowed headers. |
List<HttpMethod> |
checkHttpMethod(HttpMethod requestMethod)
Check the HTTP request method (or the method from the
Access-Control-Request-Method header on a pre-flight request)
against the configured allowed methods. |
String |
checkOrigin(String requestOrigin)
Check the origin of the request against the configured allowed origins.
|
CorsConfiguration |
combine(CorsConfiguration other)
Combine the non-null properties of the supplied
CorsConfiguration with this one. |
Boolean |
getAllowCredentials()
Return the configured
allowCredentials flag, or null if none. |
List<String> |
getAllowedHeaders()
Return the allowed actual request headers, or
null if none. |
List<String> |
getAllowedMethods()
Return the allowed HTTP methods, or
null in which case
only "GET" and "HEAD" allowed. |
List<String> |
getAllowedOrigins()
Return the configured origins to allow, or
null if none. |
List<String> |
getExposedHeaders()
Return the configured response headers to expose, or
null if none. |
Long |
getMaxAge()
Return the configured
maxAge value, or null if none. |
void |
setAllowCredentials(Boolean allowCredentials)
Whether user credentials are supported.
|
void |
setAllowedHeaders(List<String> allowedHeaders)
Set the list of headers that a pre-flight request can list as allowed
for use during an actual request.
|
void |
setAllowedMethods(List<String> allowedMethods)
Set the HTTP methods to allow, e.g.
|
void |
setAllowedOrigins(List<String> allowedOrigins)
Set the origins to allow, e.g.
|
void |
setExposedHeaders(List<String> exposedHeaders)
Set the list of response headers other than simple headers (i.e.
|
void |
setMaxAge(Long maxAge)
Configure how long, in seconds, the response from a pre-flight request
can be cached by clients.
|
public static final String ALL
public CorsConfiguration()
CorsConfiguration
instance with no cross-origin
requests allowed for any origin by default.applyPermitDefaultValues()
public CorsConfiguration(CorsConfiguration other)
CorsConfiguration
instance by copying all
values from the supplied CorsConfiguration
.public void setAllowedOrigins(@Nullable List<String> allowedOrigins)
"https://domain1.com"
.
The special value "*"
allows all domains.
By default this is not set.
@Nullable public List<String> getAllowedOrigins()
null
if none.addAllowedOrigin(String)
,
setAllowedOrigins(List)
public void addAllowedOrigin(String origin)
public void setAllowedMethods(@Nullable List<String> allowedMethods)
"GET"
, "POST"
,
"PUT"
, etc.
The special value "*"
allows all methods.
If not set, only "GET"
and "HEAD"
are allowed.
By default this is not set.
Note: CORS checks use values from "Forwarded"
(RFC 7239),
"X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers,
if present, in order to reflect the client-originated address.
Consider using the ForwardedHeaderFilter
in order to choose from a
central place whether to extract and use, or to discard such headers.
See the Spring Framework reference for more on this filter.
@Nullable public List<String> getAllowedMethods()
null
in which case
only "GET"
and "HEAD"
allowed.public void addAllowedMethod(HttpMethod method)
public void addAllowedMethod(String method)
public void setAllowedHeaders(@Nullable List<String> allowedHeaders)
The special value "*"
allows actual requests to send any
header.
A header name is not required to be listed if it is one of:
Cache-Control
, Content-Language
, Expires
,
Last-Modified
, or Pragma
.
By default this is not set.
@Nullable public List<String> getAllowedHeaders()
null
if none.addAllowedHeader(String)
,
setAllowedHeaders(List)
public void addAllowedHeader(String allowedHeader)
public void setExposedHeaders(@Nullable List<String> exposedHeaders)
Cache-Control
, Content-Language
, Content-Type
,
Expires
, Last-Modified
, or Pragma
) that an
actual response might have and can be exposed.
Note that "*"
is not a valid exposed header value.
By default this is not set.
@Nullable public List<String> getExposedHeaders()
null
if none.addExposedHeader(String)
,
setExposedHeaders(List)
public void addExposedHeader(String exposedHeader)
Note that "*"
is not a valid exposed header value.
public void setAllowCredentials(@Nullable Boolean allowCredentials)
By default this is not set (i.e. user credentials are not supported).
@Nullable public Boolean getAllowCredentials()
allowCredentials
flag, or null
if none.setAllowCredentials(Boolean)
public void setMaxAge(@Nullable Long maxAge)
By default this is not set.
@Nullable public Long getMaxAge()
maxAge
value, or null
if none.setMaxAge(Long)
public CorsConfiguration applyPermitDefaultValues()
CorsConfiguration
does not permit any
cross-origin requests and must be configured explicitly to indicate what
should be allowed.
Use this method to flip the initialization model to start with open defaults that permit all cross-origin requests for GET, HEAD, and POST requests. Note however that this method will not override any existing values already set.
The following defaults are applied if not already set:
GET
, HEAD
and POST
.@Nullable public CorsConfiguration combine(@Nullable CorsConfiguration other)
CorsConfiguration
with this one.
When combining single values like allowCredentials
or
maxAge
, this
properties are overridden by non-null
other
properties if any.
Combining lists like allowedOrigins
, allowedMethods
,
allowedHeaders
or exposedHeaders
is done in an additive
way. For example, combining ["GET", "POST"]
with
["PATCH"]
results in ["GET", "POST", "PATCH"]
, but keep
in mind that combining ["GET", "POST"]
with ["*"]
results in ["*"]
.
Notice that default permit values set by
applyPermitDefaultValues()
are overridden by
any value explicitly defined.
CorsConfiguration
, or this
configuration if the supplied configuration is null
@Nullable public String checkOrigin(@Nullable String requestOrigin)
requestOrigin
- the origin to checknull
which
means the request origin is not allowed@Nullable public List<HttpMethod> checkHttpMethod(@Nullable HttpMethod requestMethod)
Access-Control-Request-Method
header on a pre-flight request)
against the configured allowed methods.requestMethod
- the HTTP request method to checknull
if the supplied requestMethod
is not allowed@Nullable public List<String> checkHeaders(@Nullable List<String> requestHeaders)
Access-Control-Request-Headers
of a pre-flight request) against
the configured allowed headers.requestHeaders
- the request headers to checknull
if none of the supplied request headers is allowed