public class CorsRegistration extends Object

Assists with the creation of a CorsConfiguration instance for a given URL path pattern.

See Also: CorsConfiguration, CorsRegistry

Constructor and Description |
---|
CorsRegistration(String pathPattern) |

Modifier and Type | Method and Description |
---|---|
CorsRegistration | allowCredentials(boolean allowCredentials): Whether the browser should send credentials, such as cookies, along with cross-domain requests to the annotated endpoint. |
CorsRegistration | allowedHeaders(String... headers): Set the list of headers that a preflight request can list as allowed for use during an actual request. |
CorsRegistration | allowedMethods(String... methods): Set the HTTP methods to allow, e.g. "GET", "POST". |
CorsRegistration | allowedOrigins(String... origins): The list of allowed origins, which may be specific origins, e.g. "https://domain1.com", or "*" for all origins. |
CorsRegistration | exposedHeaders(String... headers): Set the list of response headers, other than "simple" headers, that an actual response might have and can be exposed. |
protected CorsConfiguration | getCorsConfiguration() |
protected String | getPathPattern() |
CorsRegistration | maxAge(long maxAge): Configure how long in seconds the response from a pre-flight request can be cached by clients. |
public CorsRegistration(String pathPattern)
public CorsRegistration allowedOrigins(String... origins)

The list of allowed origins, which may be specific origins, e.g. "https://domain1.com", or "*" for all origins.

A matched origin is listed in the Access-Control-Allow-Origin response header of preflight and actual CORS requests.

By default, all origins are allowed.

Note: CORS checks use values from the "Forwarded" (RFC 7239), "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers, if present, in order to reflect the client-originated address. Consider using the ForwardedHeaderFilter in order to choose from a central place whether to extract and use, or to discard, such headers. See the Spring Framework reference for more on this filter.
public CorsRegistration allowedMethods(String... methods)

Set the HTTP methods to allow, e.g. "GET", "POST", etc. The special value "*" allows all methods.

By default the "simple" methods, i.e. GET, HEAD, and POST, are allowed.
public CorsRegistration allowedHeaders(String... headers)

Set the list of headers that a preflight request can list as allowed for use during an actual request. The special value "*" may be used to allow all headers.

A header name is not required to be listed if it is one of: Cache-Control, Content-Language, Expires, Last-Modified, or Pragma, as per the CORS spec.

By default all headers are allowed.
public CorsRegistration exposedHeaders(String... headers)

Set the list of response headers other than the "simple" headers, i.e. Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, or Pragma, that an actual response might have and can be exposed.

Note that "*" is not supported on this property.

By default this is not set.
public CorsRegistration allowCredentials(boolean allowCredentials)

Whether the browser should send credentials, such as cookies, along with cross-domain requests to the annotated endpoint. The configured value is set on the Access-Control-Allow-Credentials response header of preflight requests.

NOTE: Be aware that this option establishes a high level of trust with the configured domains and also increases the attack surface of the web application by exposing sensitive user-specific information such as cookies and CSRF tokens.

By default this is not set, in which case the Access-Control-Allow-Credentials header is also not set and credentials are therefore not allowed.
public CorsRegistration maxAge(long maxAge)

Configure how long in seconds the response from a pre-flight request can be cached by clients. By default this is set to 1800 seconds (30 minutes).
protected String getPathPattern()
protected CorsConfiguration getCorsConfiguration()
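A worked configuration, added here as an example and not taken from the Spring Framework's Javadoc, showing how the methods above are chained from CorsRegistry.addMapping(...) inside a WebMvcConfigurer. The path patterns, origin and header names are made-up values; it assumes Spring Framework 5.x, where WebMvcConfigurer has default methods (on 4.x, extend WebMvcConfigurerAdapter instead). It pairs allowCredentials(true) only with an explicitly listed origin, never "*", because of the trust and attack-surface note on that method, and leaves credentials at their default (not allowed) on the mapping that admits any origin.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class CorsConfig implements WebMvcConfigurer {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        // Credentialed API (hypothetical paths and origin): one explicit origin,
        // an explicit method and header list, and a short preflight cache.
        // Access-Control-Allow-Origin echoes the matched origin on preflight and
        // actual requests; Access-Control-Allow-Credentials: true is set on the
        // preflight response, so cookies and CSRF tokens travel with the request.
        registry.addMapping("/api/**")
                .allowedOrigins("https://app.example.com")   // never "*" together with credentials
                .allowedMethods("GET", "POST", "PUT", "DELETE")
                .allowedHeaders("Authorization", "Content-Type", "X-Requested-With")
                .exposedHeaders("X-Request-Id")               // non-"simple" header the client may read;
                                                              // "*" is not supported here
                .allowCredentials(true)
                .maxAge(600);                                 // Access-Control-Max-Age: 600 instead of the 1800 default

        // Public, read-only data (hypothetical path): any origin may call it, but
        // allowCredentials is left at its default, so the browser does not send
        // cookies and the Access-Control-Allow-Credentials header is never emitted.
        // Only the "simple" methods are kept; allowedMethods("*") would widen this.
        registry.addMapping("/public/**")
                .allowedOrigins("*")
                .allowedMethods("GET", "HEAD");
    }
}
```

Because the origin check reads the Forwarded and X-Forwarded-* headers when present, a deployment behind a reverse proxy should also decide centrally, via ForwardedHeaderFilter as the allowedOrigins note recommends, whether those headers are trusted from the proxy or discarded before they reach this configuration.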