org.springframework.web.bind.annotation

Annotation Type CrossOrigin

@Target(value={METHOD,TYPE})
 @Retention(value=RUNTIME)
 @Documented
public @interface CrossOrigin

Marks the annotated method or type as permitting cross origin requests.

By default, all origins and headers are permitted.

Since:

4.2

Author:

Russell Allen, Sebastien Deleuze, Sam Brannen

Field Summary

Fields

Modifier and Type	Fields and Description
static boolean	DEFAULT_ALLOW_CREDENTIALS
static String[]	DEFAULT_ALLOWED_HEADERS
static long	DEFAULT_MAX_AGE
static String[]	DEFAULT_ORIGINS

Optional Element Summary

Optional Elements

Modifier and Type	Optional Element and Description
String	allowCredentials Whether the browser should include any cookies associated with the domain of the request being annotated.
String[]	allowedHeaders List of request headers that can be used during the actual request.
String[]	exposedHeaders List of response headers that the user-agent will allow the client to access.
long	maxAge The maximum age (in seconds) of the cache duration for pre-flight responses.
RequestMethod[]	methods List of supported HTTP request methods, e.g.
String[]	origins List of allowed origins, e.g.
String[]	value Alias for origins().

Field Detail

DEFAULT_ORIGINS

public static final String[] DEFAULT_ORIGINS

DEFAULT_ALLOWED_HEADERS

public static final String[] DEFAULT_ALLOWED_HEADERS

DEFAULT_ALLOW_CREDENTIALS

public static final boolean DEFAULT_ALLOW_CREDENTIALS

DEFAULT_MAX_AGE

public static final long DEFAULT_MAX_AGE

Element Detail

value

@AliasFor(value="origins")
public abstract String[] value

Alias for origins().

Default:

{}

origins

@AliasFor(value="value")
public abstract String[] origins

List of allowed origins, e.g. "http://domain1.com".

These values are placed in the Access-Control-Allow-Origin header of both the pre-flight response and the actual response. "*" means that all origins are allowed.

If undefined, all origins are allowed.

See Also:

value()

Default:

{}

allowedHeaders

public abstract String[] allowedHeaders

List of request headers that can be used during the actual request.

This property controls the value of the pre-flight response's Access-Control-Allow-Headers header. "*" means that all headers requested by the client are allowed.

If undefined, all requested headers are allowed.

Default:

{}

exposedHeaders

public abstract String[] exposedHeaders

List of response headers that the user-agent will allow the client to access.

This property controls the value of actual response's Access-Control-Expose-Headers header.

If undefined, an empty exposed header list is used.

Default:

{}

methods

public abstract RequestMethod[] methods

List of supported HTTP request methods, e.g. "{RequestMethod.GET, RequestMethod.POST}".

Methods specified here override those specified via RequestMapping.

If undefined, methods defined by RequestMapping annotation are used.

Default:

{}

allowCredentials

public abstract String allowCredentials

Whether the browser should include any cookies associated with the domain of the request being annotated.

Set to "false" if such cookies should not included. An empty string ("") means undefined. "true" means that the pre-flight response will include the header Access-Control-Allow-Credentials=true.

If undefined, credentials are allowed.

Default:

""

maxAge

public abstract long maxAge

The maximum age (in seconds) of the cache duration for pre-flight responses.

This property controls the value of the Access-Control-Max-Age header in the pre-flight response.

Setting this to a reasonable value can reduce the number of pre-flight request/response interactions required by the browser. A negative value means undefined.

If undefined, max age is set to 1800 seconds (i.e., 30 minutes).

Default:

-1L