Class CorsConfiguration
- java.lang.Object
- org.springframework.web.cors.CorsConfiguration
public class CorsConfiguration extends Object
A container for CORS configuration along with methods to check against the actual origin, HTTP methods, and headers of a given request.
By default a newly created CorsConfiguration does not permit any cross-origin requests and must be configured explicitly to indicate what should be allowed. Use applyPermitDefaultValues() to flip the initialization model to start with open defaults that permit all cross-origin requests for GET, HEAD, and POST requests.
- Since:
- 4.2
- Author:
- Sebastien Deleuze, Rossen Stoyanchev, Juergen Hoeller, Sam Brannen
- See Also:
- CORS spec
Constructor Summary
Constructor and Description
CorsConfiguration()
Construct a new CorsConfiguration instance with no cross-origin requests allowed for any origin by default.
CorsConfiguration(CorsConfiguration other)
Construct a new CorsConfiguration instance by copying all values from the supplied CorsConfiguration.
Method Summary
Modifier and Type, Method, Description
void addAllowedHeader(String allowedHeader)
Add an actual request header to allow.
void addAllowedMethod(String method)
Add an HTTP method to allow.
void addAllowedMethod(HttpMethod method)
Add an HTTP method to allow.
void addAllowedOrigin(String origin)
Add an origin to allow.
void addExposedHeader(String exposedHeader)
Add a response header to expose.
CorsConfiguration applyPermitDefaultValues()
By default a newly created CorsConfiguration does not permit any cross-origin requests and must be configured explicitly to indicate what should be allowed.
List<String> checkHeaders(List<String> requestHeaders)
Check the supplied request headers (or the headers listed in the Access-Control-Request-Headers of a pre-flight request) against the configured allowed headers.
List<HttpMethod> checkHttpMethod(HttpMethod requestMethod)
Check the HTTP request method (or the method from the Access-Control-Request-Method header on a pre-flight request) against the configured allowed methods.
String checkOrigin(String requestOrigin)
Check the origin of the request against the configured allowed origins.
CorsConfiguration combine(CorsConfiguration other)
Combine the supplied CorsConfiguration with this one.
Boolean getAllowCredentials()
Return the configured allowCredentials flag, or null if none.
List<String> getAllowedHeaders()
Return the allowed actual request headers, or null if none.
List<String> getAllowedMethods()
Return the allowed HTTP methods, or null in which case only "GET" and "HEAD" are allowed.
List<String> getAllowedOrigins()
Return the configured origins to allow, or null if none.
List<String> getExposedHeaders()
Return the configured response headers to expose, or null if none.
Long getMaxAge()
Return the configured maxAge value, or null if none.
void setAllowCredentials(Boolean allowCredentials)
Whether user credentials are supported.
void setAllowedHeaders(List<String> allowedHeaders)
Set the list of headers that a pre-flight request can list as allowed for use during an actual request.
void setAllowedMethods(List<String> allowedMethods)
Set the HTTP methods to allow, e.g. "GET", "POST", "PUT", etc.
void setAllowedOrigins(List<String> allowedOrigins)
Set the origins to allow, e.g. "https://domain1.com".
void setExposedHeaders(List<String> exposedHeaders)
Set the list of response headers other than simple headers (i.e. Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, or Pragma) that an actual response might have and can be exposed.
void setMaxAge(Long maxAge)
Configure how long, in seconds, the response from a pre-flight request can be cached by clients.
Constructor Detail
CorsConfiguration
public CorsConfiguration()
Construct a new CorsConfiguration instance with no cross-origin requests allowed for any origin by default.
CorsConfiguration
public CorsConfiguration(CorsConfiguration other)
Construct a new CorsConfiguration instance by copying all values from the supplied CorsConfiguration.
Method Detail
setAllowedOrigins
public void setAllowedOrigins(List<String> allowedOrigins)
Set the origins to allow, e.g. "https://domain1.com".
The special value "*" allows all domains.
By default this is not set.
Note: CORS checks use values from "Forwarded" (RFC 7239), "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers, if present, in order to reflect the client-originated address. Consider using the ForwardedHeaderFilter in order to choose from a central place whether to extract and use, or to discard such headers. See the Spring Framework reference for more on this filter.
getAllowedOrigins
public List<String> getAllowedOrigins()
Return the configured origins to allow, or null if none.
addAllowedOrigin
public void addAllowedOrigin(String origin)
Add an origin to allow.
setAllowedMethods
public void setAllowedMethods(List<String> allowedMethods)
Set the HTTP methods to allow, e.g. "GET", "POST", "PUT", etc.
The special value "*" allows all methods.
If not set, only "GET" and "HEAD" are allowed.
By default this is not set.
getAllowedMethods
public List<String> getAllowedMethods()
Return the allowed HTTP methods, or null in which case only "GET" and "HEAD" are allowed.
addAllowedMethod
public void addAllowedMethod(HttpMethod method)
Add an HTTP method to allow.
addAllowedMethod
public void addAllowedMethod(String method)
Add an HTTP method to allow.
setAllowedHeaders
public void setAllowedHeaders(List<String> allowedHeaders)
Set the list of headers that a pre-flight request can list as allowed for use during an actual request.
The special value "*" allows actual requests to send any header.
A header name is not required to be listed if it is one of: Cache-Control, Content-Language, Expires, Last-Modified, or Pragma.
By default this is not set.
getAllowedHeaders
public List<String> getAllowedHeaders()
Return the allowed actual request headers, or null if none.
addAllowedHeader
public void addAllowedHeader(String allowedHeader)
Add an actual request header to allow.
setExposedHeaders
public void setExposedHeaders(List<String> exposedHeaders)
Set the list of response headers other than simple headers (i.e. Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, or Pragma) that an actual response might have and can be exposed.
Note that "*" is not a valid exposed header value.
By default this is not set.
getExposedHeaders
public List<String> getExposedHeaders()
Return the configured response headers to expose, or null if none.
addExposedHeader
public void addExposedHeader(String exposedHeader)
Add a response header to expose.
Note that "*" is not a valid exposed header value.
setAllowCredentials
public void setAllowCredentials(Boolean allowCredentials)
Whether user credentials are supported.
By default this is not set (i.e. user credentials are not supported).
getAllowCredentials
public Boolean getAllowCredentials()
Return the configured allowCredentials flag, or null if none.
setMaxAge
public void setMaxAge(Long maxAge)
Configure how long, in seconds, the response from a pre-flight request can be cached by clients.
By default this is not set.
getMaxAge
public Long getMaxAge()
Return the configured maxAge value, or null if none.
- See Also:
- setMaxAge(Long)
applyPermitDefaultValues
public CorsConfiguration applyPermitDefaultValues()
By default a newly created CorsConfiguration does not permit any cross-origin requests and must be configured explicitly to indicate what should be allowed.
Use this method to flip the initialization model to start with open defaults that permit all cross-origin requests for GET, HEAD, and POST requests. Note however that this method will not override any existing values already set.
The following defaults are applied if not already set:
- Allow all origins.
- Allow "simple" methods GET, HEAD and POST.
- Allow all headers.
- Set max age to 1800 seconds (30 minutes).
combine
public CorsConfiguration combine(CorsConfiguration other)
Combine the supplied CorsConfiguration with this one.
Properties of this configuration are overridden by any non-null properties of the supplied one.
- Returns:
- the combined CorsConfiguration or this configuration if the supplied configuration is null
checkOrigin
public String checkOrigin(String requestOrigin)
Check the origin of the request against the configured allowed origins.
- Parameters:
- requestOrigin - the origin to check
- Returns:
- the origin to use for the response, or null which means the request origin is not allowed
checkHttpMethod
public List<HttpMethod> checkHttpMethod(HttpMethod requestMethod)
Check the HTTP request method (or the method from the Access-Control-Request-Method header on a pre-flight request) against the configured allowed methods.
- Parameters:
- requestMethod - the HTTP request method to check
- Returns:
- the list of HTTP methods to list in the response of a pre-flight request, or null if the supplied requestMethod is not allowed
checkHeaders
public List<String> checkHeaders(List<String> requestHeaders)
Check the supplied request headers (or the headers listed in the Access-Control-Request-Headers of a pre-flight request) against the configured allowed headers.
- Parameters:
- requestHeaders - the request headers to check
- Returns:
- the list of allowed headers to list in the response of a pre-flight request, or null if none of the supplied request headers is allowed
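An added example (not part of the Spring Javadoc or the Spring code base) that combines the three check methods documented above into one pre-flight decision and runs it against the restrictive default, applyPermitDefaultValues(), and an explicit allow-list. The class CorsPolicyDemo, its helper methods, the example.com/example.net origins and the X-Request-Id header are hypothetical; it assumes spring-web is on the classpath.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.http.HttpMethod;
import org.springframework.web.cors.CorsConfiguration;

// Added illustration; class and helper names are hypothetical.
public class CorsPolicyDemo {

    // A pre-flight passes only when origin, method and headers all check out;
    // each check method returns null to signal "not allowed".
    static boolean preflightAllowed(CorsConfiguration config, String origin,
            HttpMethod method, List<String> headers) {
        return config.checkOrigin(origin) != null
                && config.checkHttpMethod(method) != null
                && config.checkHeaders(headers) != null;
    }

    // Explicit allow-list: one origin, two methods, two request headers.
    static CorsConfiguration allowList() {
        CorsConfiguration config = new CorsConfiguration();
        config.addAllowedOrigin("https://app.example.com"); // constructed origin
        config.setAllowedMethods(Arrays.asList("GET", "PUT"));
        config.setAllowedHeaders(Arrays.asList("Content-Type", "X-Request-Id"));
        config.setMaxAge(600L); // seconds a client may cache the pre-flight
        return config;
    }

    static void report(String label, CorsConfiguration config) {
        List<String> headers = Arrays.asList("Content-Type");
        // Constructed sample requests: a listed origin and an unlisted one.
        String[] origins = {"https://app.example.com", "https://other.example.net"};
        for (String origin : origins) {
            for (HttpMethod method : new HttpMethod[] {HttpMethod.GET, HttpMethod.PUT}) {
                System.out.printf("%-28s %-26s %-4s -> %s%n", label, origin, method,
                        preflightAllowed(config, origin, method, headers) ? "allowed" : "rejected");
            }
        }
    }

    public static void main(String[] args) {
        report("new CorsConfiguration()", new CorsConfiguration());
        report("applyPermitDefaultValues()", new CorsConfiguration().applyPermitDefaultValues());
        report("explicit allow-list", allowList());
    }
}
```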