public class CorsRegistration extends Object
Assists with the creation of a CorsConfiguration instance for a given URL path pattern.
See also: CorsConfiguration, CorsRegistry
Constructor and Description |
---|
CorsRegistration(String pathPattern) |
Modifier and Type | Method and Description |
---|---|
CorsRegistration | allowCredentials(boolean allowCredentials): Whether the browser should send credentials, such as cookies along with cross domain requests, to the annotated endpoint. |
CorsRegistration | allowedHeaders(String... headers): Set the list of headers that a pre-flight request can list as allowed for use during an actual request. |
CorsRegistration | allowedMethods(String... methods): Set the HTTP methods to allow, e.g. |
CorsRegistration | allowedOriginPatterns(String... patterns): Alternative to allowedOrigins(String...) that supports more flexible patterns for specifying the origins for which cross-origin requests are allowed from a browser. |
CorsRegistration | allowedOrigins(String... origins): Set the origins for which cross-origin requests are allowed from a browser. |
CorsRegistration | combine(CorsConfiguration other): Apply the given CorsConfiguration to the one being configured via CorsConfiguration.combine(CorsConfiguration) which in turn has been initialized with CorsConfiguration.applyPermitDefaultValues(). |
CorsRegistration | exposedHeaders(String... headers): Set the list of response headers other than "simple" headers, i.e. |
protected CorsConfiguration | getCorsConfiguration() |
protected String | getPathPattern() |
CorsRegistration | maxAge(long maxAge): Configure how long in seconds the response from a pre-flight request can be cached by clients. |
public CorsRegistration(String pathPattern)
public CorsRegistration allowedOrigins(String... origins)
Set the origins for which cross-origin requests are allowed from a browser. Please, refer to CorsConfiguration.setAllowedOrigins(List) for format details and other considerations.
By default, all origins are allowed, but if allowedOriginPatterns is also set, then that takes precedence.
See also: allowedOriginPatterns(String...)
public CorsRegistration allowedOriginPatterns(String... patterns)
Alternative to allowedOrigins(String...) that supports more flexible patterns for specifying the origins for which cross-origin requests are allowed from a browser. Please, refer to CorsConfiguration.setAllowedOriginPatterns(List) for format details and other considerations.
By default this is not set.
public CorsRegistration allowedMethods(String... methods)
Set the HTTP methods to allow, e.g. "GET", "POST", etc.
The special value "*" allows all methods.
By default "simple" methods GET, HEAD, and POST are allowed.
public CorsRegistration allowedHeaders(String... headers)
Set the list of headers that a pre-flight request can list as allowed for use during an actual request.
The special value "*" may be used to allow all headers.
A header name is not required to be listed if it is one of: Cache-Control, Content-Language, Expires, Last-Modified, or Pragma as per the CORS spec.
By default all headers are allowed.
public CorsRegistration exposedHeaders(String... headers)
Set the list of response headers other than "simple" headers, i.e. Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, or Pragma, that an actual response might have and can be exposed.
The special value "*" allows all headers to be exposed for non-credentialed requests.
By default this is not set.
public CorsRegistration allowCredentials(boolean allowCredentials)
Whether the browser should send credentials, such as cookies along with cross domain requests, to the annotated endpoint. The configured value is set on the Access-Control-Allow-Credentials response header of preflight requests.
NOTE: Be aware that this option establishes a high level of trust with the configured domains and also increases the attack surface of the web application by exposing sensitive user-specific information such as cookies and CSRF tokens.
By default this is not set, in which case the Access-Control-Allow-Credentials header is also not set and credentials are therefore not allowed.
public CorsRegistration maxAge(long maxAge)
Configure how long in seconds the response from a pre-flight request can be cached by clients.
By default this is set to 1800 seconds (30 minutes).
public CorsRegistration combine(CorsConfiguration other)
Apply the given CorsConfiguration to the one being configured via CorsConfiguration.combine(CorsConfiguration) which in turn has been initialized with CorsConfiguration.applyPermitDefaultValues().
Parameters: other - the configuration to apply
protected String getPathPattern()
protected CorsConfiguration getCorsConfiguration()
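
The defaults and the allowCredentials note above, shown as a configuration that narrows each permission explicitly. This is an added example, not part of the Spring documentation; it assumes the Spring MVC (servlet) CorsRegistry obtained through WebMvcConfigurer, and the class name, path patterns, origins and header names are constructed for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// Hypothetical configuration class; all paths, origins and header names are constructed.
@Configuration
public class ApiCorsConfig implements WebMvcConfigurer {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        // Weak: relying on the defaults documented above. Every origin and every
        // request header is allowed for GET, HEAD and POST on the mapped paths.
        // registry.addMapping("/api/**");

        // Credentialed API. Because allowCredentials(true) lets cookies and CSRF
        // tokens travel with cross-origin requests, list the trusted origin
        // exactly; Spring rejects "*" in allowedOrigins when credentials are on.
        registry.addMapping("/api/**")
                .allowedOrigins("https://app.example.com")
                .allowedMethods("GET", "POST", "PUT", "DELETE")
                // Content-Type is not among the headers that never need listing.
                .allowedHeaders("Content-Type", "X-CSRF-TOKEN")
                // Only this non-"simple" response header is readable by scripts.
                .exposedHeaders("X-Request-Id")
                .allowCredentials(true)
                // Shorter than the 1800 s default so a tightened policy reaches
                // clients sooner once their cached preflight response expires.
                .maxAge(600);

        // Public, read-only content: origin patterns for subdomains, read-only
        // methods, and allowCredentials left unset so the
        // Access-Control-Allow-Credentials header is never sent.
        registry.addMapping("/public/**")
                .allowedOriginPatterns("https://*.example.com")
                .allowedMethods("GET", "HEAD")
                .allowedHeaders("Accept")
                .maxAge(1800);
    }
}
```

Each addMapping call returns a CorsRegistration, so a path that matches no mapping gets no CORS response headers at all.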