Package org.springframework.web.cors

Class CorsConfiguration

java.lang.Object
org.springframework.web.cors.CorsConfiguration
public class CorsConfiguration extends Object
A container for CORS configuration along with methods to check against the actual origin, HTTP methods, and headers of a given request.

By default a newly created CorsConfiguration does not permit any cross-origin requests and must be configured explicitly to indicate what should be allowed. Use applyPermitDefaultValues() to flip the initialization model to start with open defaults that permit all cross-origin requests for GET, HEAD, and POST requests.

Since:
4.2
Author:
Sebastien Deleuze, Rossen Stoyanchev, Juergen Hoeller, Sam Brannen, Ruslan Akhundov
See Also:

  • Field Details

  • Constructor Details

    • CorsConfiguration

      public CorsConfiguration()
      Construct a new CorsConfiguration instance with no cross-origin requests allowed for any origin by default.
      See Also:

    • CorsConfiguration

      public CorsConfiguration(CorsConfiguration other)
      Construct a new CorsConfiguration instance by copying all values from the supplied CorsConfiguration.

  • Method Details

    • setAllowedOrigins

      public void setAllowedOrigins(@Nullable List<String> origins)
      A list of origins for which cross-origin requests are allowed. Values may be a specific domain, e.g. "https://domain1.com", or the CORS defined special value "*" for all origins.

      For matched pre-flight and actual requests the Access-Control-Allow-Origin response header is set either to the matched domain value or to "*". Keep in mind however that the CORS spec does not allow "*" when allowCredentials is set to true and as of 5.3 that combination is rejected in favor of using allowedOriginPatterns instead.

      By default this is not set which means that no origins are allowed. However an instance of this class is often initialized further, e.g. for @CrossOrigin, via applyPermitDefaultValues().

    • getAllowedOrigins

      @Nullable public List<String> getAllowedOrigins()
      Return the configured origins to allow, or null if none.

    • addAllowedOrigin

      public void addAllowedOrigin(@Nullable String origin)
      Variant of setAllowedOrigins(java.util.List<java.lang.String>) for adding one origin at a time.

    • setAllowedOriginPatterns

      public CorsConfiguration setAllowedOriginPatterns(@Nullable List<String> allowedOriginPatterns)
      Alternative to setAllowedOrigins(java.util.List<java.lang.String>) that supports more flexible origins patterns with "*" anywhere in the host name in addition to port lists. Examples:
      • https://*.domain1.com -- domains ending with domain1.com
      • https://*.domain1.com:[8080,8081] -- domains ending with domain1.com on port 8080 or port 8081
      • https://*.domain1.com:[*] -- domains ending with domain1.com on any port, including the default port

      In contrast to allowedOrigins which only supports "*" and cannot be used with allowCredentials, when an allowedOriginPattern is matched, the Access-Control-Allow-Origin response header is set to the matched origin and not to "*" nor to the pattern. Therefore allowedOriginPatterns can be used in combination with setAllowCredentials(java.lang.Boolean) set to true.

      By default this is not set.

      Since:
      5.3

    • getAllowedOriginPatterns

      @Nullable public List<String> getAllowedOriginPatterns()
      Return the configured origins patterns to allow, or null if none.
      Since:
      5.3

    • addAllowedOriginPattern

      public void addAllowedOriginPattern(@Nullable String originPattern)
      Variant of setAllowedOriginPatterns(java.util.List<java.lang.String>) for adding one origin at a time.
      Since:
      5.3

    • setAllowedMethods

      public void setAllowedMethods(@Nullable List<String> allowedMethods)
      Set the HTTP methods to allow, e.g. "GET", "POST", "PUT", etc.

      The special value "*" allows all methods.

      If not set, only "GET" and "HEAD" are allowed.

      By default this is not set.

      Note: CORS checks use values from "Forwarded" (RFC 7239), "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers, if present, in order to reflect the client-originated address. Consider using the ForwardedHeaderFilter in order to choose from a central place whether to extract and use, or to discard such headers. See the Spring Framework reference for more on this filter.

    • getAllowedMethods

      @Nullable public List<String> getAllowedMethods()
      Return the allowed HTTP methods, or null in which case only "GET" and "HEAD" allowed.
      See Also:

    • addAllowedMethod

      public void addAllowedMethod(HttpMethod method)
      Add an HTTP method to allow.

    • addAllowedMethod

      public void addAllowedMethod(String method)
      Add an HTTP method to allow.

    • setAllowedHeaders

      public void setAllowedHeaders(@Nullable List<String> allowedHeaders)
      Set the list of headers that a pre-flight request can list as allowed for use during an actual request.

      The special value "*" allows actual requests to send any header.

      A header name is not required to be listed if it is one of: Cache-Control, Content-Language, Expires, Last-Modified, or Pragma.

      By default this is not set.

    • getAllowedHeaders

      @Nullable public List<String> getAllowedHeaders()
      Return the allowed actual request headers, or null if none.
      See Also:

    • addAllowedHeader

      public void addAllowedHeader(String allowedHeader)
      Add an actual request header to allow.

    • setExposedHeaders

      public void setExposedHeaders(@Nullable List<String> exposedHeaders)
      Set the list of response headers other than simple headers (i.e. Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, or Pragma) that an actual response might have and can be exposed.

      The special value "*" allows all headers to be exposed for non-credentialed requests.

      By default this is not set.

    • getExposedHeaders

      @Nullable public List<String> getExposedHeaders()
      Return the configured response headers to expose, or null if none.
      See Also:

    • addExposedHeader

      public void addExposedHeader(String exposedHeader)
      Add a response header to expose.

      The special value "*" allows all headers to be exposed for non-credentialed requests.

    • setAllowCredentials

      public void setAllowCredentials(@Nullable Boolean allowCredentials)
      Whether user credentials are supported.

      By default this is not set (i.e. user credentials are not supported).

    • getAllowCredentials

      @Nullable public Boolean getAllowCredentials()
      Return the configured allowCredentials flag, or null if none.
      See Also:

    • setMaxAge

      public void setMaxAge(Duration maxAge)
      Configure how long, as a duration, the response from a pre-flight request can be cached by clients.
      Since:
      5.2
      See Also:

    • setMaxAge

      public void setMaxAge(@Nullable Long maxAge)
      Configure how long, in seconds, the response from a pre-flight request can be cached by clients.

      By default this is not set.

    • getMaxAge

      @Nullable public Long getMaxAge()
      Return the configured maxAge value, or null if none.
      See Also:

    • applyPermitDefaultValues

      public CorsConfiguration applyPermitDefaultValues()
      By default CorsConfiguration does not permit any cross-origin requests and must be configured explicitly. Use this method to switch to defaults that permit all cross-origin requests for GET, HEAD, and POST, but not overriding any values that have already been set.

      The following defaults are applied for values that are not set:

      • Allow all origins with the special value "*" defined in the CORS spec. This is set only if neither origins nor originPatterns are already set.
      • Allow "simple" methods GET, HEAD and POST.
      • Allow all headers.
      • Set max age to 1800 seconds (30 minutes).

    • validateAllowCredentials

      public void validateAllowCredentials()
      Validate that when allowCredentials is true, allowedOrigins does not contain the special value "*" since in that case the "Access-Control-Allow-Origin" cannot be set to "*".
      Throws:
      IllegalArgumentException - if the validation fails
      Since:
      5.3

    • combine

      public CorsConfiguration combine(@Nullable CorsConfiguration other)
      Combine the non-null properties of the supplied CorsConfiguration with this one.

      When combining single values like allowCredentials or maxAge, this properties are overridden by non-null other properties if any.

      Combining lists like allowedOrigins, allowedMethods, allowedHeaders or exposedHeaders is done in an additive way. For example, combining ["GET", "POST"] with ["PATCH"] results in ["GET", "POST", "PATCH"]. However, combining ["GET", "POST"] with ["*"] results in ["*"]. Note also that default permit values set by applyPermitDefaultValues() are overridden by any explicitly defined values.

      Returns:
      the combined CorsConfiguration, or this configuration if the supplied configuration is null

    • checkOrigin

      @Nullable public String checkOrigin(@Nullable String origin)
      Check the origin of the request against the configured allowed origins.
      Parameters:
      origin - the origin to check
      Returns:
      the origin to use for the response, or null which means the request origin is not allowed

    • checkHttpMethod

      @Nullable public List<HttpMethod> checkHttpMethod(@Nullable HttpMethod requestMethod)
      Check the HTTP request method (or the method from the Access-Control-Request-Method header on a pre-flight request) against the configured allowed methods.
      Parameters:
      requestMethod - the HTTP request method to check
      Returns:
      the list of HTTP methods to list in the response of a pre-flight request, or null if the supplied requestMethod is not allowed

    • checkHeaders

      @Nullable public List<String> checkHeaders(@Nullable List<String> requestHeaders)
      Check the supplied request headers (or the headers listed in the Access-Control-Request-Headers of a pre-flight request) against the configured allowed headers.
      Parameters:
      requestHeaders - the request headers to check
      Returns:
      the list of allowed headers to list in the response of a pre-flight request, or null if none of the supplied request headers is allowed