spring-framework / org.springframework.web.bind.annotation / CrossOrigin

CrossOrigin

@Target([AnnotationTarget.FUNCTION, AnnotationTarget.PROPERTY_GETTER, AnnotationTarget.PROPERTY_SETTER, AnnotationTarget.CLASS, AnnotationTarget.FILE]) class CrossOrigin

Marks the annotated method or type as permitting cross-origin requests.

By default all origins and headers are permitted, credentials are not allowed, and the maximum age is set to 1800 seconds (30 minutes). The list of HTTP methods is set to the methods on the @RequestMapping if not explicitly set on @CrossOrigin.

NOTE: @CrossOrigin is processed if an appropriate HandlerMapping-HandlerAdapter pair is configured, such as the RequestMappingHandlerMapping-RequestMappingHandlerAdapter pair, which is the default in the MVC Java config and the MVC namespace.

Author
Russell Allen

Author
Sebastien Deleuze

Author
Sam Brannen

Since
4.2

Constructors

<init>

CrossOrigin(vararg value: String, origins: Array<String>, allowedHeaders: Array<String>, exposedHeaders: Array<String>, methods: Array<RequestMethod>, allowCredentials: String, maxAge: Long)

Properties

DEFAULT_ALLOWED_HEADERS

static val DEFAULT_ALLOWED_HEADERS: Array<String>

DEFAULT_ALLOW_CREDENTIALS

static val DEFAULT_ALLOW_CREDENTIALS: Boolean

DEFAULT_MAX_AGE

static val DEFAULT_MAX_AGE: Long

DEFAULT_ORIGINS

static val DEFAULT_ORIGINS: Array<String>

allowCredentials

val allowCredentials: String

Whether the browser should include any cookies associated with the domain of the request being annotated. Be aware that enabling this option could increase the attack surface of the web application (for example by exposing sensitive user-specific information such as CSRF tokens).

Setting this to "true" means that the pre-flight response will include the header Access-Control-Allow-Credentials=true, so such cookies should be included.

If undefined or set to "false", this header is not included and credentials are not allowed.

allowedHeaders

val allowedHeaders: Array<String>

List of request headers that can be used during the actual request.

This property controls the value of the pre-flight response's Access-Control-Allow-Headers header. "*" means that all headers requested by the client are allowed.

If undefined, all requested headers are allowed.

exposedHeaders

val exposedHeaders: Array<String>

List of response headers that the user-agent will allow the client to access.

This property controls the value of the actual response's Access-Control-Expose-Headers header.

If undefined, an empty exposed header list is used.

maxAge

val maxAge: Long

The maximum age (in seconds) of the cache duration for pre-flight responses.

This property controls the value of the Access-Control-Max-Age header in the pre-flight response.

Setting this to a reasonable value can reduce the number of pre-flight request/response interactions required by the browser. A negative value means undefined.

If undefined, max age is set to 1800 seconds (i.e., 30 minutes).

methods

val methods: Array<RequestMethod>

List of supported HTTP request methods, e.g. "{RequestMethod.GET, RequestMethod.POST}".

Methods specified here override those specified via RequestMapping.

If undefined, methods defined by RequestMapping annotation are used.

origins

val origins: Array<String>

List of allowed origins, e.g. "http://domain1.com".

These values are placed in the Access-Control-Allow-Origin header of both the pre-flight response and the actual response. "*" means that all origins are allowed.

If undefined, all origins are allowed.

value

val value: Array<String>

Alias for origins.
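Example

The following is an added example, not taken from the Spring documentation or code base. It contrasts a bare @CrossOrigin, where every documented default applies, with a handler that sets each attribute described above explicitly. The controller, paths, origin and header names are hypothetical.

```kotlin
import org.springframework.web.bind.annotation.CrossOrigin
import org.springframework.web.bind.annotation.GetMapping
import org.springframework.web.bind.annotation.RequestMapping
import org.springframework.web.bind.annotation.RequestMethod
import org.springframework.web.bind.annotation.RestController

// Hypothetical controller; paths, origin and header names are constructed for illustration.
@RestController
@RequestMapping("/api")
class AccountController {

    // Permissive: nothing is set, so the documented defaults apply:
    // all origins, all requested headers, methods taken from the mapping (GET),
    // credentials not allowed, pre-flight cached for 1800 seconds.
    // Suitable only for data that any site may read.
    @CrossOrigin
    @GetMapping("/status")
    fun status(): Map<String, String> = mapOf("status" to "up")

    // Restricted: each attribute is pinned, so the handler does not depend on the defaults.
    @CrossOrigin(
        // Only this origin is placed in Access-Control-Allow-Origin.
        origins = ["https://app.example.com"],
        // Overrides the methods that would otherwise come from the mapping.
        methods = [RequestMethod.GET],
        // Limits Access-Control-Allow-Headers instead of allowing all requested headers.
        allowedHeaders = ["Content-Type", "X-Requested-With"],
        // Only these response headers become readable by the calling script.
        exposedHeaders = ["X-Request-Id"],
        // A String, not a Boolean. Cookies are sent, so the origin list above
        // must contain only origins trusted with user-specific responses.
        allowCredentials = "true",
        // Shorter pre-flight cache than the default, so a policy change takes effect sooner.
        maxAge = 600
    )
    @GetMapping("/profile")
    fun profile(): Map<String, String> = mapOf("user" to "example")
}
```

Because undefined origins and allowedHeaders mean "all", reviewing a code base for bare @CrossOrigin annotations on handlers that return user-specific data is a quick way to find endpoints that rely on the defaults.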