public class CorsRegistration extends Object
CorsConfiguration instance for a given URL path pattern.
See also: CorsConfiguration, CorsRegistry
Constructor and Description |
---|
CorsRegistration(String pathPattern) |
Modifier and Type | Method | Description |
---|---|---|
CorsRegistration | allowCredentials(boolean allowCredentials) | Whether the browser should send credentials, such as cookies along with cross domain requests, to the annotated endpoint. |
CorsRegistration | allowedHeaders(String... headers) | Set the list of headers that a pre-flight request can list as allowed for use during an actual request. |
CorsRegistration | allowedMethods(String... methods) | Set the HTTP methods to allow, e.g. |
CorsRegistration | allowedOriginPatterns(String... patterns) | Alternative to allowCredentials(boolean) that supports origins declared via wildcard patterns. |
CorsRegistration | allowedOrigins(String... origins) | A list of origins for which cross-origin requests are allowed. |
CorsRegistration | combine(CorsConfiguration other) | Apply the given CorsConfiguration to the one being configured via CorsConfiguration.combine(CorsConfiguration) which in turn has been initialized with CorsConfiguration.applyPermitDefaultValues(). |
CorsRegistration | exposedHeaders(String... headers) | Set the list of response headers other than "simple" headers, i.e. |
protected CorsConfiguration | getCorsConfiguration() | |
protected String | getPathPattern() | |
CorsRegistration | maxAge(long maxAge) | Configure how long in seconds the response from a pre-flight request can be cached by clients. |

public CorsRegistration(String pathPattern)

public CorsRegistration allowedOrigins(String... origins)
CorsConfiguration.setAllowedOrigins(List) for details.
By default all origins are allowed unless originPatterns is also set, in which case originPatterns is used instead.

public CorsRegistration allowedOriginPatterns(String... patterns)
allowCredentials(boolean) that supports origins declared via wildcard patterns. Please, see

public CorsRegistration allowedMethods(String... methods)
"GET", "POST", etc.
The special value "*" allows all methods.
By default "simple" methods GET, HEAD, and POST are allowed.

public CorsRegistration allowedHeaders(String... headers)
The special value "*" may be used to allow all headers.
A header name is not required to be listed if it is one of: Cache-Control, Content-Language, Expires, Last-Modified, or Pragma as per the CORS spec.
By default all headers are allowed.

public CorsRegistration exposedHeaders(String... headers)
Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, or Pragma, that an actual response might have and can be exposed.
The special value "*" allows all headers to be exposed for non-credentialed requests.
By default this is not set.

public CorsRegistration allowCredentials(boolean allowCredentials)
Access-Control-Allow-Credentials response header of preflight requests.
NOTE: Be aware that this option establishes a high level of trust with the configured domains and also increases the attack surface of the web application by exposing sensitive user-specific information such as cookies and CSRF tokens.
By default this is not set, in which case the Access-Control-Allow-Credentials header is also not set and credentials are therefore not allowed.

public CorsRegistration maxAge(long maxAge)
By default this is set to 1800 seconds (30 minutes).

public CorsRegistration combine(CorsConfiguration other)
CorsConfiguration to the one being configured via CorsConfiguration.combine(CorsConfiguration) which in turn has been initialized with CorsConfiguration.applyPermitDefaultValues().
other - the configuration to apply

protected String getPathPattern()

protected CorsConfiguration getCorsConfiguration()
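
The defaults documented above (all origins, all headers, credentials not set) shown beside a registration that overrides each of them for a credentialed endpoint. This is an added example, not code from the Spring Javadoc; it assumes the Spring MVC (servlet) variant of CorsRegistry and WebMvcConfigurer, and every path, origin and header name in it is constructed for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class CorsPolicyConfig implements WebMvcConfigurer {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        // Left on the documented defaults: all origins, all headers,
        // GET/HEAD/POST, credentials not set, maxAge 1800 s.
        // Suitable only for responses that carry no user-specific data.
        registry.addMapping("/public/**");                      // constructed path

        // Credentialed API: each permissive default is replaced explicitly,
        // because allowCredentials(true) exposes cookies and CSRF tokens
        // to every origin this registration accepts.
        registry.addMapping("/api/**")                          // constructed path
                .allowedOrigins("https://app.example.com")      // one exact origin (constructed)
                .allowedMethods("GET", "POST", "PUT", "DELETE")
                .allowedHeaders("Content-Type", "X-CSRF-TOKEN") // sample request headers
                .exposedHeaders("X-Request-Id")                 // hypothetical response header
                .allowCredentials(true)
                .maxAge(600);                                   // shorter preflight cache than the default

        // Wildcard subdomains go through allowedOriginPatterns; this mapping
        // stays non-credentialed so a new subdomain gains no session access.
        registry.addMapping("/partner/**")                      // constructed path
                .allowedOriginPatterns("https://*.partner.example.com")
                .allowedMethods("GET")
                .allowCredentials(false);
    }
}
```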