001/* 002 * Copyright 2002-2020 the original author or authors. 003 * 004 * Licensed under the Apache License, Version 2.0 (the "License"); 005 * you may not use this file except in compliance with the License. 006 * You may obtain a copy of the License at 007 * 008 * https://www.apache.org/licenses/LICENSE-2.0 009 * 010 * Unless required by applicable law or agreed to in writing, software 011 * distributed under the License is distributed on an "AS IS" BASIS, 012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 013 * See the License for the specific language governing permissions and 014 * limitations under the License. 015 */ 016 017package org.springframework.web.bind.annotation; 018 019import java.lang.annotation.Documented; 020import java.lang.annotation.ElementType; 021import java.lang.annotation.Retention; 022import java.lang.annotation.RetentionPolicy; 023import java.lang.annotation.Target; 024 025import org.springframework.core.annotation.AliasFor; 026import org.springframework.web.cors.CorsConfiguration; 027 028/** 029 * Marks the annotated method or type as permitting cross origin requests. 030 * 031 * <p>By default all origins and headers are permitted, credentials are not allowed, 032 * and the maximum age is set to 1800 seconds (30 minutes). The list of HTTP 033 * methods is set to the methods on the {@code @RequestMapping} if not 034 * explicitly set on {@code @CrossOrigin}. 035 * 036 * <p><b>NOTE:</b> {@code @CrossOrigin} is processed if an appropriate 037 * {@code HandlerMapping}-{@code HandlerAdapter} pair is configured such as the 038 * {@code RequestMappingHandlerMapping}-{@code RequestMappingHandlerAdapter} 039 * pair which are the default in the MVC Java config and the MVC namespace. 040 * In particular {@code @CrossOrigin} is not supported with the 041 * {@code DefaultAnnotationHandlerMapping}-{@code AnnotationMethodHandlerAdapter} 042 * pair both of which are also deprecated. 043 * 044 * @author Russell Allen 045 * @author Sebastien Deleuze 046 * @author Sam Brannen 047 * @since 4.2 048 */ 049@Target({ ElementType.METHOD, ElementType.TYPE }) 050@Retention(RetentionPolicy.RUNTIME) 051@Documented 052public @interface CrossOrigin { 053 054 /** 055 * @deprecated as of Spring 4.3.4, in favor of using {@link CorsConfiguration#applyPermitDefaultValues} 056 */ 057 @Deprecated 058 String[] DEFAULT_ORIGINS = { "*" }; 059 060 /** 061 * @deprecated as of Spring 4.3.4, in favor of using {@link CorsConfiguration#applyPermitDefaultValues} 062 */ 063 @Deprecated 064 String[] DEFAULT_ALLOWED_HEADERS = { "*" }; 065 066 /** 067 * @deprecated as of Spring 4.3.4, in favor of using {@link CorsConfiguration#applyPermitDefaultValues} 068 */ 069 @Deprecated 070 boolean DEFAULT_ALLOW_CREDENTIALS = false; 071 072 /** 073 * @deprecated as of Spring 4.3.4, in favor of using {@link CorsConfiguration#applyPermitDefaultValues} 074 */ 075 @Deprecated 076 long DEFAULT_MAX_AGE = 1800; 077 078 079 /** 080 * Alias for {@link #origins}. 081 */ 082 @AliasFor("origins") 083 String[] value() default {}; 084 085 /** 086 * List of allowed origins, e.g. {@code "https://domain1.com"}. 087 * <p>These values are placed in the {@code Access-Control-Allow-Origin} 088 * header of both the pre-flight response and the actual response. 089 * {@code "*"} means that all origins are allowed. 090 * <p>If undefined, all origins are allowed. 091 * <p><strong>Note:</strong> CORS checks use values from "Forwarded" 092 * (<a href="https://tools.ietf.org/html/rfc7239">RFC 7239</a>), 093 * "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers, 094 * if present, in order to reflect the client-originated address. 095 * Consider using the {@code ForwardedHeaderFilter} in order to choose from a 096 * central place whether to extract and use, or to discard such headers. 097 * See the Spring Framework reference for more on this filter. 098 * @see #value 099 */ 100 @AliasFor("value") 101 String[] origins() default {}; 102 103 /** 104 * List of request headers that can be used during the actual request. 105 * <p>This property controls the value of the pre-flight response's 106 * {@code Access-Control-Allow-Headers} header. 107 * {@code "*"} means that all headers requested by the client are allowed. 108 * <p>If undefined, all requested headers are allowed. 109 */ 110 String[] allowedHeaders() default {}; 111 112 /** 113 * List of response headers that the user-agent will allow the client to access. 114 * <p>This property controls the value of actual response's 115 * {@code Access-Control-Expose-Headers} header. 116 * <p>If undefined, an empty exposed header list is used. 117 */ 118 String[] exposedHeaders() default {}; 119 120 /** 121 * List of supported HTTP request methods, e.g. 122 * {@code "{RequestMethod.GET, RequestMethod.POST}"}. 123 * <p>Methods specified here override those specified via {@code RequestMapping}. 124 * <p>If undefined, methods defined by {@link RequestMapping} annotation 125 * are used. 126 */ 127 RequestMethod[] methods() default {}; 128 129 /** 130 * Whether the browser should include any cookies associated with the 131 * domain of the request being annotated. 132 * <p>Set to {@code "false"} if such cookies should not included. 133 * An empty string ({@code ""}) means <em>undefined</em>. 134 * {@code "true"} means that the pre-flight response will include the header 135 * {@code Access-Control-Allow-Credentials=true}. 136 * <p>If undefined, this is set to {@code "false"} in which case credentials 137 * are not allowed. 138 */ 139 String allowCredentials() default ""; 140 141 /** 142 * The maximum age (in seconds) of the cache duration for pre-flight responses. 143 * <p>This property controls the value of the {@code Access-Control-Max-Age} 144 * header in the pre-flight response. 145 * <p>Setting this to a reasonable value can reduce the number of pre-flight 146 * request/response interactions required by the browser. 147 * A negative value means <em>undefined</em>. 148 * <p>If undefined, max age is set to {@code 1800} seconds (i.e., 30 minutes). 149 */ 150 long maxAge() default -1; 151 152}