Class CorsRegistration
CorsConfiguration instance for a given URL path pattern.
- Since:
- 4.2
- Author:
- Sebastien Deleuze, Rossen Stoyanchev, Sam Brannen
-
Constructor Summary
-
Method Summary
Modifier and Type, Method, Description
- allowCredentials(boolean allowCredentials): Whether the browser should send credentials, such as cookies along with cross domain requests, to the annotated endpoint.
- allowedHeaders(String... headers): Set the list of headers that a pre-flight request can list as allowed for use during an actual request.
- allowedMethods(String... methods): Set the HTTP methods to allow, e.g.
- allowedOriginPatterns(String... patterns): Alternative to allowedOrigins(String...) that supports more flexible patterns for specifying the origins for which cross-origin requests are allowed from a browser.
- allowedOrigins(String... origins): Set the origins for which cross-origin requests are allowed from a browser.
- allowPrivateNetwork(boolean allowPrivateNetwork): Whether private network access is supported.
- combine(CorsConfiguration other): Apply the given CorsConfiguration to the one being configured via CorsConfiguration.combine(CorsConfiguration) which in turn has been initialized with CorsConfiguration.applyPermitDefaultValues().
- exposedHeaders(String... headers): Set the list of response headers that an actual response might have and can be exposed.
- protected CorsConfiguration getCorsConfiguration()
- protected String getPathPattern()
- maxAge(long maxAge): Configure how long in seconds the response from a pre-flight request can be cached by clients.
-
Constructor Details
-
CorsRegistration
-
-
Method Details
-
allowedOrigins
Set the origins for which cross-origin requests are allowed from a browser. Please, refer to CorsConfiguration.setAllowedOrigins(List) for format details and other considerations.
By default, all origins are allowed, but if allowedOriginPatterns is also set, then that takes precedence.
-
allowedOriginPatterns
Alternative to allowedOrigins(String...) that supports more flexible patterns for specifying the origins for which cross-origin requests are allowed from a browser. Please, refer to CorsConfiguration.setAllowedOriginPatterns(List) for format details and other considerations.
By default this is not set.
- Since:
- 5.3
-
allowedMethods
Set the HTTP methods to allow, e.g. "GET", "POST", etc. The special value "*" allows all methods. By default, "simple" methods GET, HEAD, and POST are allowed.
Please, see CorsConfiguration.setAllowedMethods(List) for details.
-
allowedHeaders
Set the list of headers that a pre-flight request can list as allowed for use during an actual request. The special value "*" may be used to allow all headers.
Please, see CorsConfiguration.setAllowedHeaders(List) for details.
By default all headers are allowed.
-
exposedHeaders
Set the list of response headers that an actual response might have and can be exposed. The special value "*" allows all headers to be exposed.
Please, see CorsConfiguration.setExposedHeaders(List) for details.
By default this is not set.
-
allowCredentials
Whether the browser should send credentials, such as cookies, along with cross-domain requests to the annotated endpoint. The configured value is set on the Access-Control-Allow-Credentials response header of preflight requests.
NOTE: Be aware that this option establishes a high level of trust with the configured domains and also increases the attack surface of the web application by exposing sensitive user-specific information such as cookies and CSRF tokens.
By default this is not set, in which case the Access-Control-Allow-Credentials header is also not set and credentials are therefore not allowed.
-
allowPrivateNetwork
Whether private network access is supported.
By default this is not set (i.e. private network access is not supported).
- Since:
- 5.3.32
-
maxAge
Configure how long in seconds the response from a pre-flight request can be cached by clients.
By default this is set to 1800 seconds (30 minutes).
-
combine
Apply the given CorsConfiguration to the one being configured via CorsConfiguration.combine(CorsConfiguration) which in turn has been initialized with CorsConfiguration.applyPermitDefaultValues().
- Parameters:
other - the configuration to apply
- Since:
- 5.3
-
getPathPattern
-
getCorsConfiguration
-
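Added example (not part of the Spring documentation or project code): how the options documented above combine when registered through WebMvcConfigurer and CorsRegistry, with restricted mappings beside the over-permissive form that the allowCredentials note warns about. The class name, paths, origins and header names are assumed placeholders.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class CorsPolicyConfig implements WebMvcConfigurer {

    // Assumed placeholder origins; replace with the front ends you actually trust.
    private static final String[] TRUSTED_ORIGINS = {
        "https://app.example.com", "https://admin.example.com"
    };

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        // Credentialed API: list each trusted origin exactly and narrow the
        // methods and headers instead of relying on the permissive defaults.
        registry.addMapping("/api/**")
                .allowedOrigins(TRUSTED_ORIGINS)
                .allowedMethods("GET", "POST", "PUT", "DELETE")
                .allowedHeaders("Content-Type", "X-CSRF-TOKEN")
                .exposedHeaders("X-Request-Id")
                .allowCredentials(true)
                .maxAge(600); // shorter than the 1800 s default

        // Subdomains of one organisation: a scoped pattern, still without
        // credentials, rather than a bare "*".
        registry.addMapping("/partner/**")
                .allowedOriginPatterns("https://*.example.com")
                .allowedMethods("GET");

        // Public read-only content: any origin may read it, so credentials
        // stay unset and Access-Control-Allow-Credentials is never sent.
        registry.addMapping("/public/**")
                .allowedOrigins("*")
                .allowedMethods("GET", "HEAD");
    }

    // Weak form, shown for contrast only and never registered: a wildcard
    // origin pattern plus credentials extends the "high level of trust"
    // described in the allowCredentials note to every origin.
    static void weakMapping(CorsRegistry registry) {
        registry.addMapping("/api/**")
                .allowedOriginPatterns("*")
                .allowCredentials(true);
    }
}
```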