public class CorsConfiguration extends Object
By default a newly created CorsConfiguration
does not permit any
cross-origin requests and must be configured explicitly to indicate what
should be allowed. Use applyPermitDefaultValues()
to flip the
initialization model to start with open defaults that permit all cross-origin
requests for GET, HEAD, and POST requests.
Modifier and Type | Field and Description |
---|---|
static String |
ALL
Wildcard representing all origins, methods, or headers.
|
Constructor and Description |
---|
CorsConfiguration()
Construct a new
CorsConfiguration instance with no cross-origin
requests allowed for any origin by default. |
CorsConfiguration(CorsConfiguration other)
Construct a new
CorsConfiguration instance by copying all
values from the supplied CorsConfiguration . |
Modifier and Type | Method and Description |
---|---|
void |
addAllowedHeader(String allowedHeader)
Add an actual request header to allow.
|
void |
addAllowedMethod(HttpMethod method)
Add an HTTP method to allow.
|
void |
addAllowedMethod(String method)
Add an HTTP method to allow.
|
void |
addAllowedOrigin(String origin)
Variant of
setAllowedOrigins(java.util.List<java.lang.String>) for adding one origin at a time. |
void |
addAllowedOriginPattern(String originPattern)
Variant of
setAllowedOriginPatterns(java.util.List<java.lang.String>) for adding one origin at a time. |
void |
addExposedHeader(String exposedHeader)
Add a response header to expose.
|
CorsConfiguration |
applyPermitDefaultValues()
By default
CorsConfiguration does not permit any cross-origin
requests and must be configured explicitly. |
List<String> |
checkHeaders(List<String> requestHeaders)
Check the supplied request headers (or the headers listed in the
Access-Control-Request-Headers of a pre-flight request) against
the configured allowed headers. |
List<HttpMethod> |
checkHttpMethod(HttpMethod requestMethod)
Check the HTTP request method (or the method from the
Access-Control-Request-Method header on a pre-flight request)
against the configured allowed methods. |
String |
checkOrigin(String origin)
Check the origin of the request against the configured allowed origins.
|
CorsConfiguration |
combine(CorsConfiguration other)
Combine the non-null properties of the supplied
CorsConfiguration with this one. |
Boolean |
getAllowCredentials()
Return the configured
allowCredentials flag, or null if none. |
List<String> |
getAllowedHeaders()
Return the allowed actual request headers, or
null if none. |
List<String> |
getAllowedMethods()
Return the allowed HTTP methods, or
null in which case
only "GET" and "HEAD" allowed. |
List<String> |
getAllowedOriginPatterns()
Return the configured origins patterns to allow, or
null if none. |
List<String> |
getAllowedOrigins()
Return the configured origins to allow, or
null if none. |
List<String> |
getExposedHeaders()
Return the configured response headers to expose, or
null if none. |
Long |
getMaxAge()
Return the configured
maxAge value, or null if none. |
void |
setAllowCredentials(Boolean allowCredentials)
Whether user credentials are supported.
|
void |
setAllowedHeaders(List<String> allowedHeaders)
Set the list of headers that a pre-flight request can list as allowed
for use during an actual request.
|
void |
setAllowedMethods(List<String> allowedMethods)
Set the HTTP methods to allow, e.g.
|
CorsConfiguration |
setAllowedOriginPatterns(List<String> allowedOriginPatterns)
Alternative to
setAllowedOrigins(java.util.List<java.lang.String>) that supports more flexible
origins patterns with "*" anywhere in the host name in addition to port
lists. |
void |
setAllowedOrigins(List<String> origins)
A list of origins for which cross-origin requests are allowed.
|
void |
setExposedHeaders(List<String> exposedHeaders)
Set the list of response headers other than simple headers (i.e.
|
void |
setMaxAge(Duration maxAge)
Configure how long, as a duration, the response from a pre-flight request
can be cached by clients.
|
void |
setMaxAge(Long maxAge)
Configure how long, in seconds, the response from a pre-flight request
can be cached by clients.
|
void |
validateAllowCredentials()
Validate that when
allowCredentials is true,
allowedOrigins does not contain the special
value "*" since in that case the "Access-Control-Allow-Origin"
cannot be set to "*" . |
public static final String ALL
public CorsConfiguration()
CorsConfiguration
instance with no cross-origin
requests allowed for any origin by default.applyPermitDefaultValues()
public CorsConfiguration(CorsConfiguration other)
CorsConfiguration
instance by copying all
values from the supplied CorsConfiguration
.public void setAllowedOrigins(@Nullable List<String> origins)
"https://domain1.com"
, or the CORS
defined special value "*"
for all origins.
For matched pre-flight and actual requests the
Access-Control-Allow-Origin
response header is set either to the
matched domain value or to "*"
. Keep in mind however that the
CORS spec does not allow "*"
when allowCredentials
is set to true
and as of 5.3 that combination
is rejected in favor of using allowedOriginPatterns
instead.
By default this is not set which means that no origins are allowed.
However an instance of this class is often initialized further, e.g. for
@CrossOrigin
, via applyPermitDefaultValues()
.
@Nullable public List<String> getAllowedOrigins()
null
if none.public void addAllowedOrigin(@Nullable String origin)
setAllowedOrigins(java.util.List<java.lang.String>)
for adding one origin at a time.public CorsConfiguration setAllowedOriginPatterns(@Nullable List<String> allowedOriginPatterns)
setAllowedOrigins(java.util.List<java.lang.String>)
that supports more flexible
origins patterns with "*" anywhere in the host name in addition to port
lists. Examples:
In contrast to allowedOrigins
which
only supports "*" and cannot be used with allowCredentials
, when
an allowedOriginPattern is matched, the Access-Control-Allow-Origin
response header is set to the matched origin and not to "*"
nor
to the pattern. Therefore allowedOriginPatterns can be used in combination
with setAllowCredentials(java.lang.Boolean)
set to true
.
By default this is not set.
@Nullable public List<String> getAllowedOriginPatterns()
null
if none.public void addAllowedOriginPattern(@Nullable String originPattern)
setAllowedOriginPatterns(java.util.List<java.lang.String>)
for adding one origin at a time.public void setAllowedMethods(@Nullable List<String> allowedMethods)
"GET"
, "POST"
,
"PUT"
, etc.
The special value "*"
allows all methods.
If not set, only "GET"
and "HEAD"
are allowed.
By default this is not set.
Note: CORS checks use values from "Forwarded"
(RFC 7239),
"X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers,
if present, in order to reflect the client-originated address.
Consider using the ForwardedHeaderFilter
in order to choose from a
central place whether to extract and use, or to discard such headers.
See the Spring Framework reference for more on this filter.
@Nullable public List<String> getAllowedMethods()
null
in which case
only "GET"
and "HEAD"
allowed.public void addAllowedMethod(HttpMethod method)
public void addAllowedMethod(String method)
public void setAllowedHeaders(@Nullable List<String> allowedHeaders)
The special value "*"
allows actual requests to send any
header.
A header name is not required to be listed if it is one of:
Cache-Control
, Content-Language
, Expires
,
Last-Modified
, or Pragma
.
By default this is not set.
@Nullable public List<String> getAllowedHeaders()
null
if none.addAllowedHeader(String)
,
setAllowedHeaders(List)
public void addAllowedHeader(String allowedHeader)
public void setExposedHeaders(@Nullable List<String> exposedHeaders)
Cache-Control
, Content-Language
, Content-Type
,
Expires
, Last-Modified
, or Pragma
) that an
actual response might have and can be exposed.
The special value "*"
allows all headers to be exposed for
non-credentialed requests.
By default this is not set.
@Nullable public List<String> getExposedHeaders()
null
if none.addExposedHeader(String)
,
setExposedHeaders(List)
public void addExposedHeader(String exposedHeader)
The special value "*"
allows all headers to be exposed for
non-credentialed requests.
public void setAllowCredentials(@Nullable Boolean allowCredentials)
By default this is not set (i.e. user credentials are not supported).
@Nullable public Boolean getAllowCredentials()
allowCredentials
flag, or null
if none.setAllowCredentials(Boolean)
public void setMaxAge(Duration maxAge)
setMaxAge(Long)
public void setMaxAge(@Nullable Long maxAge)
By default this is not set.
@Nullable public Long getMaxAge()
maxAge
value, or null
if none.setMaxAge(Long)
public CorsConfiguration applyPermitDefaultValues()
CorsConfiguration
does not permit any cross-origin
requests and must be configured explicitly. Use this method to switch to
defaults that permit all cross-origin requests for GET, HEAD, and POST,
but not overriding any values that have already been set.
The following defaults are applied for values that are not set:
"*"
defined in the
CORS spec. This is set only if neither origins
nor originPatterns
are already set.GET
, HEAD
and POST
.public void validateAllowCredentials()
allowCredentials
is true,
allowedOrigins
does not contain the special
value "*"
since in that case the "Access-Control-Allow-Origin"
cannot be set to "*"
.IllegalArgumentException
- if the validation failspublic CorsConfiguration combine(@Nullable CorsConfiguration other)
CorsConfiguration
with this one.
When combining single values like allowCredentials
or
maxAge
, this
properties are overridden by non-null
other
properties if any.
Combining lists like allowedOrigins
, allowedMethods
,
allowedHeaders
or exposedHeaders
is done in an additive
way. For example, combining ["GET", "POST"]
with
["PATCH"]
results in ["GET", "POST", "PATCH"]
. However,
combining ["GET", "POST"]
with ["*"]
results in
["*"]
. Note also that default permit values set by
applyPermitDefaultValues()
are overridden by
any explicitly defined values.
CorsConfiguration
, or this
configuration if the supplied configuration is null
@Nullable public String checkOrigin(@Nullable String origin)
origin
- the origin to checknull
which
means the request origin is not allowed@Nullable public List<HttpMethod> checkHttpMethod(@Nullable HttpMethod requestMethod)
Access-Control-Request-Method
header on a pre-flight request)
against the configured allowed methods.requestMethod
- the HTTP request method to checknull
if the supplied requestMethod
is not allowed@Nullable public List<String> checkHeaders(@Nullable List<String> requestHeaders)
Access-Control-Request-Headers
of a pre-flight request) against
the configured allowed headers.requestHeaders
- the request headers to checknull
if none of the supplied request headers is allowed