Annotation Type CrossOrigin
@Target({METHOD,TYPE}) @Retention(RUNTIME) @Documented public @interface CrossOrigin
Marks the annotated method or type as permitting cross origin requests.
By default all origins and headers are permitted, credentials are not allowed, and the maximum age is set to 1800 seconds (30 minutes). The list of HTTP methods is set to the methods on the @RequestMapping if not explicitly set on @CrossOrigin.
NOTE: @CrossOrigin is processed if an appropriate HandlerMapping-HandlerAdapter pair is configured such as the RequestMappingHandlerMapping-RequestMappingHandlerAdapter pair which are the default in the MVC Java config and the MVC namespace. In particular @CrossOrigin is not supported with the DefaultAnnotationHandlerMapping-AnnotationMethodHandlerAdapter pair both of which are also deprecated.
- Since:
- 4.2
- Author:
- Russell Allen, Sebastien Deleuze, Sam Brannen
Field Summary
Fields (Modifier and Type, Field, Description)
static boolean DEFAULT_ALLOW_CREDENTIALS
Deprecated. As of Spring 4.3.4, in favor of using CorsConfiguration.applyPermitDefaultValues()
static String[] DEFAULT_ALLOWED_HEADERS
Deprecated. As of Spring 4.3.4, in favor of using CorsConfiguration.applyPermitDefaultValues()
static long DEFAULT_MAX_AGE
Deprecated. As of Spring 4.3.4, in favor of using CorsConfiguration.applyPermitDefaultValues()
static String[] DEFAULT_ORIGINS
Deprecated. As of Spring 4.3.4, in favor of using CorsConfiguration.applyPermitDefaultValues()
Optional Element Summary
Optional Elements (Modifier and Type, Optional Element, Description)
String allowCredentials
Whether the browser should include any cookies associated with the domain of the request being annotated.
String[] allowedHeaders
List of request headers that can be used during the actual request.
String[] exposedHeaders
List of response headers that the user-agent will allow the client to access.
long maxAge
The maximum age (in seconds) of the cache duration for pre-flight responses.
RequestMethod[] methods
List of supported HTTP request methods, e.g.
String[] origins
List of allowed origins, e.g.
String[] value
Alias for origins().
Field Detail
DEFAULT_ORIGINS
@Deprecated static final String[] DEFAULT_ORIGINS
Deprecated. As of Spring 4.3.4, in favor of using CorsConfiguration.applyPermitDefaultValues()
DEFAULT_ALLOWED_HEADERS
@Deprecated static final String[] DEFAULT_ALLOWED_HEADERS
Deprecated. As of Spring 4.3.4, in favor of using CorsConfiguration.applyPermitDefaultValues()
DEFAULT_ALLOW_CREDENTIALS
@Deprecated static final boolean DEFAULT_ALLOW_CREDENTIALS
Deprecated. As of Spring 4.3.4, in favor of using CorsConfiguration.applyPermitDefaultValues()
DEFAULT_MAX_AGE
@Deprecated static final long DEFAULT_MAX_AGE
Deprecated. As of Spring 4.3.4, in favor of using CorsConfiguration.applyPermitDefaultValues()
origins
@AliasFor("value") String[] origins
List of allowed origins, e.g. "https://domain1.com".
These values are placed in the Access-Control-Allow-Origin header of both the pre-flight response and the actual response. "*" means that all origins are allowed.
If undefined, all origins are allowed.
Note: CORS checks use values from "Forwarded" (RFC 7239), "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers, if present, in order to reflect the client-originated address. Consider using the ForwardedHeaderFilter in order to choose from a central place whether to extract and use, or to discard such headers. See the Spring Framework reference for more on this filter.
- See Also:
- value()
- Default:
- {}
allowedHeaders
String[] allowedHeaders
List of request headers that can be used during the actual request.
This property controls the value of the pre-flight response's Access-Control-Allow-Headers header. "*" means that all headers requested by the client are allowed.
If undefined, all requested headers are allowed.
- Default:
- {}
exposedHeaders
String[] exposedHeaders
List of response headers that the user-agent will allow the client to access.
This property controls the value of the actual response's Access-Control-Expose-Headers header.
If undefined, an empty exposed header list is used.
- Default:
- {}
methods
RequestMethod[] methods
List of supported HTTP request methods, e.g. "{RequestMethod.GET, RequestMethod.POST}".
Methods specified here override those specified via RequestMapping.
If undefined, methods defined by RequestMapping annotation are used.
- Default:
- {}
allowCredentials
String allowCredentials
Whether the browser should include any cookies associated with the domain of the request being annotated.
Set to "false" if such cookies should not be included. An empty string ("") means undefined. "true" means that the pre-flight response will include the header Access-Control-Allow-Credentials=true.
If undefined, this is set to "false" in which case credentials are not allowed.
- Default:
- ""
maxAge
long maxAge
The maximum age (in seconds) of the cache duration for pre-flight responses.
This property controls the value of the Access-Control-Max-Age header in the pre-flight response.
Setting this to a reasonable value can reduce the number of pre-flight request/response interactions required by the browser. A negative value means undefined.
If undefined, max age is set to 1800 seconds (i.e., 30 minutes).
- Default:
- -1L
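
A handler that relies on the documented defaults next to one that sets every optional element explicitly. This is an added example, not code from the Spring documentation; the class name, paths and the X-Report-Id header are constructed for illustration, and Spring Web MVC is assumed on the classpath.

```java
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller: paths and the X-Report-Id header are constructed.
@RestController
@RequestMapping("/api/reports")
public class ReportController {

    // Bare annotation: every element is undefined, so the documented defaults
    // apply. All origins and all requested headers are permitted, credentials
    // are not allowed, pre-flight responses are cached for 1800 seconds, and
    // the permitted methods come from @RequestMapping (GET only here).
    @CrossOrigin
    @RequestMapping(path = "/public", method = RequestMethod.GET)
    public String publicSummary() {
        return "public summary";
    }

    // Explicit policy for an endpoint that depends on the caller's cookies.
    // origins          -> Access-Control-Allow-Origin (one named origin, not "*")
    // methods          -> overrides the methods declared on @RequestMapping
    // allowedHeaders   -> Access-Control-Allow-Headers in the pre-flight response
    // exposedHeaders   -> Access-Control-Expose-Headers in the actual response
    // allowCredentials -> a String, not a boolean; "" would mean undefined
    // maxAge           -> Access-Control-Max-Age, in seconds
    @CrossOrigin(
            origins = "https://domain1.com",
            methods = {RequestMethod.GET, RequestMethod.POST},
            allowedHeaders = {"Content-Type", "X-Requested-With"},
            exposedHeaders = {"X-Report-Id"},
            allowCredentials = "true",
            maxAge = 600)
    @RequestMapping(path = "/private",
            method = {RequestMethod.GET, RequestMethod.POST})
    public String privateReport() {
        return "private report";
    }
}
```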