org.springframework.web.bind.annotation

Annotation Type CrossOrigin

@Target(value={TYPE,METHOD})
 @Retention(value=RUNTIME)
 @Documented
public @interface CrossOrigin

Annotation for permitting cross-origin requests on specific handler classes and/or handler methods. Processed if an appropriate HandlerMapping is configured.

Both Spring Web MVC and Spring WebFlux support this annotation through the RequestMappingHandlerMapping in their respective modules. The values from each type and method level pair of annotations are added to a CorsConfiguration and then default values are applied via CorsConfiguration.applyPermitDefaultValues().

The rules for combining global and local configuration are generally additive -- e.g. all global and all local origins. For those attributes where only a single value can be accepted such as allowCredentials and maxAge, the local overrides the global value. See CorsConfiguration.combine(CorsConfiguration) for more details.

Since:

4.2

Author:

Russell Allen, Sebastien Deleuze, Sam Brannen

Field Summary

Fields

Modifier and Type	Fields and Description
static boolean	DEFAULT_ALLOW_CREDENTIALS Deprecated. as of Spring 5.0, in favor of CorsConfiguration.applyPermitDefaultValues()
static String[]	DEFAULT_ALLOWED_HEADERS Deprecated. as of Spring 5.0, in favor of CorsConfiguration.applyPermitDefaultValues()
static long	DEFAULT_MAX_AGE Deprecated. as of Spring 5.0, in favor of CorsConfiguration.applyPermitDefaultValues()
static String[]	DEFAULT_ORIGINS Deprecated. as of Spring 5.0, in favor of CorsConfiguration.applyPermitDefaultValues()

Optional Element Summary

Optional Elements

Modifier and Type	Optional Element and Description
String	allowCredentials Whether the browser should send credentials, such as cookies along with cross domain requests, to the annotated endpoint.
String[]	allowedHeaders The list of request headers that are permitted in actual requests, possibly "*" to allow all headers.
String[]	exposedHeaders The List of response headers that the user-agent will allow the client to access on an actual response, other than "simple" headers, i.e.
long	maxAge The maximum age (in seconds) of the cache duration for preflight responses.
RequestMethod[]	methods The list of supported HTTP request methods.
String[]	origins The list of allowed origins that be specific origins, e.g.
String[]	value Alias for origins().

Field Detail

DEFAULT_ORIGINS

@Deprecated
public static final String[] DEFAULT_ORIGINS

Deprecated. as of Spring 5.0, in favor of CorsConfiguration.applyPermitDefaultValues()

DEFAULT_ALLOWED_HEADERS

@Deprecated
public static final String[] DEFAULT_ALLOWED_HEADERS

Deprecated. as of Spring 5.0, in favor of CorsConfiguration.applyPermitDefaultValues()

DEFAULT_ALLOW_CREDENTIALS

@Deprecated
public static final boolean DEFAULT_ALLOW_CREDENTIALS

Deprecated. as of Spring 5.0, in favor of CorsConfiguration.applyPermitDefaultValues()

DEFAULT_MAX_AGE

@Deprecated
public static final long DEFAULT_MAX_AGE

Deprecated. as of Spring 5.0, in favor of CorsConfiguration.applyPermitDefaultValues()

Element Detail

value

@AliasFor(value="origins")
public abstract String[] value

Alias for origins().

Default:

{}

origins

@AliasFor(value="value")
public abstract String[] origins

The list of allowed origins that be specific origins, e.g. "https://domain1.com", or "*" for all origins.

A matched origin is listed in the Access-Control-Allow-Origin response header of preflight actual CORS requests.

By default all origins are allowed.

Note: CORS checks use values from "Forwarded" (RFC 7239), "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers, if present, in order to reflect the client-originated address. Consider using the ForwardedHeaderFilter in order to choose from a central place whether to extract and use, or to discard such headers. See the Spring Framework reference for more on this filter.

See Also:

value()

Default:

{}

allowedHeaders

public abstract String[] allowedHeaders

The list of request headers that are permitted in actual requests, possibly "*" to allow all headers.

Allowed headers are listed in the Access-Control-Allow-Headers response header of preflight requests.

A header name is not required to be listed if it is one of: Cache-Control, Content-Language, Expires, Last-Modified, or Pragma as per the CORS spec.

By default all requested headers are allowed.

Default:

{}

exposedHeaders

public abstract String[] exposedHeaders

The List of response headers that the user-agent will allow the client to access on an actual response, other than "simple" headers, i.e. Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, or Pragma,

Exposed headers are listed in the Access-Control-Expose-Headers response header of actual CORS requests.

By default no headers are listed as exposed.

Default:

{}

methods

public abstract RequestMethod[] methods

The list of supported HTTP request methods.

By default the supported methods are the same as the ones to which a controller method is mapped.

Default:

{}

allowCredentials

public abstract String allowCredentials

Whether the browser should send credentials, such as cookies along with cross domain requests, to the annotated endpoint. The configured value is set on the Access-Control-Allow-Credentials response header of preflight requests.

NOTE: Be aware that this option establishes a high level of trust with the configured domains and also increases the surface attack of the web application by exposing sensitive user-specific information such as cookies and CSRF tokens.

By default this is not set in which case the Access-Control-Allow-Credentials header is also not set and credentials are therefore not allowed.

Default:

""

maxAge

public abstract long maxAge

The maximum age (in seconds) of the cache duration for preflight responses.

This property controls the value of the Access-Control-Max-Age response header of preflight requests.

Setting this to a reasonable value can reduce the number of preflight request/response interactions required by the browser. A negative value means undefined.

By default this is set to 1800 seconds (30 minutes).

Default:

-1L