org.springframework.web.cors

Class CorsConfiguration

java.lang.Object

org.springframework.web.cors.CorsConfiguration

public class CorsConfiguration
extends Object

A container for CORS configuration also providing methods to check actual or or requested origin, HTTP method, and headers.

Since:

4.2

Author:

Sebastien Deleuze, Rossen Stoyanchev

See Also:

CORS W3C recommandation

Constructor Summary

Constructors

Constructor and Description
CorsConfiguration() Default constructor.
CorsConfiguration(CorsConfiguration other) Copy constructor.

Method Summary

Modifier and Type	Method and Description
void	addAllowedHeader(String allowedHeader) Add one actual request header to allow.
void	addAllowedMethod(String method) Add an HTTP method to allow.
void	addAllowedOrigin(String origin) Add an origin to allow.
void	addExposedHeader(String exposedHeader) Add a single response header to expose.
List<String>	checkHeaders(List<String> requestHeaders) Check the request headers (or the headers listed in the Access-Control-Request-Headers of a pre-flight request) against the configured allowed headers.
List<HttpMethod>	checkHttpMethod(HttpMethod requestMethod) Check the request HTTP method (or the method from the Access-Control-Request-Method header on a pre-flight request) against the configured allowed methods.
String	checkOrigin(String requestOrigin) Check the origin of the request against the configured allowed origins.
CorsConfiguration	combine(CorsConfiguration other) Combine the specified CorsConfiguration with this one.
Boolean	getAllowCredentials() Return the configured allowCredentials, possibly null.
List<String>	getAllowedHeaders() Return the allowed actual request headers, possibly null.
List<String>	getAllowedMethods() Return the allowed HTTP methods, possibly null in which case only HTTP GET is allowed.
List<String>	getAllowedOrigins() Return the configured origins to allow, possibly null.
List<String>	getExposedHeaders() Return the configured response headers to expose, possibly null.
Long	getMaxAge() Return the configure maxAge value, possibly null.
void	setAllowCredentials(Boolean allowCredentials) Whether user credentials are supported.
void	setAllowedHeaders(List<String> allowedHeaders) Configure the list of headers that a pre-flight request can list as allowed for use during an actual request.
void	setAllowedMethods(List<String> methods) Configure HTTP methods to allow, e.g.
void	setAllowedOrigins(List<String> origins) Configure origins to allow, e.g.
void	setExposedHeaders(List<String> exposedHeaders) Configure the list of response headers other than simple headers (i.e.
void	setMaxAge(Long maxAge) Configure how long, in seconds, the response from a pre-flight request can be cached by clients.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

CorsConfiguration

public CorsConfiguration()

Default constructor.

CorsConfiguration

public CorsConfiguration(CorsConfiguration other)

Copy constructor.

Method Detail

combine

public CorsConfiguration combine(CorsConfiguration other)

Combine the specified CorsConfiguration with this one. Properties of this configuration are overridden only by non-null properties of the provided one.

Returns:

the combined CorsConfiguration

setAllowedOrigins

public void setAllowedOrigins(List<String> origins)

Configure origins to allow, e.g. "http://domain1.com". The special value "*" allows all domains.

By default this is not set.

addAllowedOrigin

public void addAllowedOrigin(String origin)

Add an origin to allow.

getAllowedOrigins

public List<String> getAllowedOrigins()

Return the configured origins to allow, possibly null.

setAllowedMethods

public void setAllowedMethods(List<String> methods)

Configure HTTP methods to allow, e.g. "GET", "POST", "PUT". The special value "*" allows all method. When not set only "GET is allowed.

By default this is not set.

addAllowedMethod

public void addAllowedMethod(String method)

Add an HTTP method to allow.

getAllowedMethods

public List<String> getAllowedMethods()

Return the allowed HTTP methods, possibly null in which case only HTTP GET is allowed.

setAllowedHeaders

public void setAllowedHeaders(List<String> allowedHeaders)

Configure the list of headers that a pre-flight request can list as allowed for use during an actual request. The special value of "*" allows actual requests to send any header. A header name is not required to be listed if it is one of: Cache-Control, Content-Language, Expires, Last-Modified, Pragma.

By default this is not set.

addAllowedHeader

public void addAllowedHeader(String allowedHeader)

Add one actual request header to allow.

getAllowedHeaders

public List<String> getAllowedHeaders()

Return the allowed actual request headers, possibly null.

setExposedHeaders

public void setExposedHeaders(List<String> exposedHeaders)

Configure the list of response headers other than simple headers (i.e. Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma) that an actual response might have and can be exposed.

By default this is not set.

addExposedHeader

public void addExposedHeader(String exposedHeader)

Add a single response header to expose.

getExposedHeaders

public List<String> getExposedHeaders()

Return the configured response headers to expose, possibly null.

setAllowCredentials

public void setAllowCredentials(Boolean allowCredentials)

Whether user credentials are supported.

By default this is not set (i.e. user credentials not supported).

getAllowCredentials

public Boolean getAllowCredentials()

Return the configured allowCredentials, possibly null.

setMaxAge

public void setMaxAge(Long maxAge)

Configure how long, in seconds, the response from a pre-flight request can be cached by clients.

By default this is not set.

getMaxAge

public Long getMaxAge()

Return the configure maxAge value, possibly null.

checkOrigin

public String checkOrigin(String requestOrigin)

Check the origin of the request against the configured allowed origins.

Parameters:

requestOrigin - the origin to check.

Returns:

the origin to use for the response, possibly null which means the request origin is not allowed.

checkHttpMethod

public List<HttpMethod> checkHttpMethod(HttpMethod requestMethod)

Check the request HTTP method (or the method from the Access-Control-Request-Method header on a pre-flight request) against the configured allowed methods.

Parameters:

requestMethod - the HTTP method to check.

Returns:

the list of HTTP methods to list in the response of a pre-flight request, or null if the requestMethod is not allowed.

checkHeaders

public List<String> checkHeaders(List<String> requestHeaders)

Check the request headers (or the headers listed in the Access-Control-Request-Headers of a pre-flight request) against the configured allowed headers.

Parameters:

requestHeaders - the headers to check.

Returns:

the list of allowed headers to list in the response of a pre-flight request, or null if a requestHeader is not allowed.