Class CorsRegistration

java.lang.Object
org.springframework.web.servlet.config.annotation.CorsRegistration

public class CorsRegistration extends Object
Assists with the creation of a CorsConfiguration instance for a given URL path pattern.
Since:
4.2
Author:
Sebastien Deleuze, Rossen Stoyanchev, Sam Brannen
See Also:
  • Constructor Details

    • CorsRegistration

      public CorsRegistration(String pathPattern)
  • Method Details

    • allowedOrigins

      public CorsRegistration allowedOrigins(String... origins)
      Set the origins for which cross-origin requests are allowed from a browser. Please, refer to CorsConfiguration.setAllowedOrigins(List) for format details and other considerations.

      By default, all origins are allowed, but if allowedOriginPatterns is also set, then that takes precedence.

      See Also:
    • allowedOriginPatterns

      public CorsRegistration allowedOriginPatterns(String... patterns)
      Alternative to allowedOrigins(String...) that supports more flexible patterns for specifying the origins for which cross-origin requests are allowed from a browser. Please, refer to CorsConfiguration.setAllowedOriginPatterns(List) for format details and other considerations.

      By default this is not set.

      Since:
      5.3
    • allowedMethods

      public CorsRegistration allowedMethods(String... methods)
      Set the HTTP methods to allow, e.g. "GET", "POST", etc. The special value "*" allows all methods. By default, "simple" methods GET, HEAD, and POST are allowed.

      Please, see CorsConfiguration.setAllowedMethods(List) for details.

    • allowedHeaders

      public CorsRegistration allowedHeaders(String... headers)
      Set the list of headers that a pre-flight request can list as allowed for use during an actual request. The special value "*" may be used to allow all headers.

      Please, see CorsConfiguration.setAllowedHeaders(List) for details.

      By default all headers are allowed.

    • exposedHeaders

      public CorsRegistration exposedHeaders(String... headers)
      Set the list of response headers that an actual response might have and can be exposed. The special value "*" allows all headers to be exposed.

      Please, see CorsConfiguration.setExposedHeaders(List) for details.

      By default this is not set.

    • allowCredentials

      public CorsRegistration allowCredentials(boolean allowCredentials)
      Whether the browser should send credentials, such as cookies along with cross domain requests, to the annotated endpoint. The configured value is set on the Access-Control-Allow-Credentials response header of preflight requests.

      NOTE: Be aware that this option establishes a high level of trust with the configured domains and also increases the surface attack of the web application by exposing sensitive user-specific information such as cookies and CSRF tokens.

      By default this is not set in which case the Access-Control-Allow-Credentials header is also not set and credentials are therefore not allowed.

    • allowPrivateNetwork

      public CorsRegistration allowPrivateNetwork(boolean allowPrivateNetwork)
      Whether private network access is supported.

      By default this is not set (i.e. private network access is not supported).

      Since:
      5.3.32
      See Also:
    • maxAge

      public CorsRegistration maxAge(long maxAge)
      Configure how long in seconds the response from a pre-flight request can be cached by clients.

      By default this is set to 1800 seconds (30 minutes).

    • combine

      public CorsRegistration combine(CorsConfiguration other)
      Apply the given CorsConfiguration to the one being configured via CorsConfiguration.combine(CorsConfiguration) which in turn has been initialized with CorsConfiguration.applyPermitDefaultValues().
      Parameters:
      other - the configuration to apply
      Since:
      5.3
    • getPathPattern

      protected String getPathPattern()
    • getCorsConfiguration

      protected CorsConfiguration getCorsConfiguration()