001/* 002 * Copyright 2002-2020 the original author or authors. 003 * 004 * Licensed under the Apache License, Version 2.0 (the "License"); 005 * you may not use this file except in compliance with the License. 006 * You may obtain a copy of the License at 007 * 008 * https://www.apache.org/licenses/LICENSE-2.0 009 * 010 * Unless required by applicable law or agreed to in writing, software 011 * distributed under the License is distributed on an "AS IS" BASIS, 012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 013 * See the License for the specific language governing permissions and 014 * limitations under the License. 015 */ 016 017package org.springframework.web.servlet.config.annotation; 018 019import java.util.Arrays; 020 021import org.springframework.web.cors.CorsConfiguration; 022 023/** 024 * Assists with the creation of a {@link CorsConfiguration} instance mapped to 025 * a path pattern. By default all origins, headers, and credentials for 026 * {@code GET}, {@code HEAD}, and {@code POST} requests are allowed while the 027 * max age is set to 30 minutes. 028 * 029 * @author Sebastien Deleuze 030 * @author Rossen Stoyanchev 031 * @author Sam Brannen 032 * @since 4.2 033 * @see CorsConfiguration 034 * @see CorsRegistry 035 */ 036public class CorsRegistration { 037 038 private final String pathPattern; 039 040 private final CorsConfiguration config; 041 042 043 /** 044 * Create a new {@link CorsRegistration} that allows all origins, headers, and 045 * credentials for {@code GET}, {@code HEAD}, and {@code POST} requests with 046 * max age set to 1800 seconds (30 minutes) for the specified path. 047 * @param pathPattern the path that the CORS configuration should apply to; 048 * exact path mapping URIs (such as {@code "/admin"}) are supported as well 049 * as Ant-style path patterns (such as {@code "/admin/**"}). 050 */ 051 public CorsRegistration(String pathPattern) { 052 this.pathPattern = pathPattern; 053 // Same implicit default values as the @CrossOrigin annotation + allows simple methods 054 this.config = new CorsConfiguration().applyPermitDefaultValues(); 055 } 056 057 058 /** 059 * Set the origins to allow, e.g. {@code "https://domain1.com"}. 060 * <p>The special value {@code "*"} allows all domains. 061 * <p>By default, all origins are allowed. 062 * <p><strong>Note:</strong> CORS checks use values from "Forwarded" 063 * (<a href="https://tools.ietf.org/html/rfc7239">RFC 7239</a>), 064 * "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers, 065 * if present, in order to reflect the client-originated address. 066 * Consider using the {@code ForwardedHeaderFilter} in order to choose from a 067 * central place whether to extract and use, or to discard such headers. 068 * See the Spring Framework reference for more on this filter. 069 */ 070 public CorsRegistration allowedOrigins(String... origins) { 071 this.config.setAllowedOrigins(Arrays.asList(origins)); 072 return this; 073 } 074 075 076 /** 077 * Set the HTTP methods to allow, e.g. {@code "GET"}, {@code "POST"}, etc. 078 * <p>The special value {@code "*"} allows all methods. 079 * <p>By default "simple" methods {@code GET}, {@code HEAD}, and {@code POST} 080 * are allowed. 081 */ 082 public CorsRegistration allowedMethods(String... methods) { 083 this.config.setAllowedMethods(Arrays.asList(methods)); 084 return this; 085 } 086 087 /** 088 * Set the list of headers that a pre-flight request can list as allowed 089 * for use during an actual request. 090 * <p>The special value {@code "*"} may be used to allow all headers. 091 * <p>A header name is not required to be listed if it is one of: 092 * {@code Cache-Control}, {@code Content-Language}, {@code Expires}, 093 * {@code Last-Modified}, or {@code Pragma} as per the CORS spec. 094 * <p>By default all headers are allowed. 095 */ 096 public CorsRegistration allowedHeaders(String... headers) { 097 this.config.setAllowedHeaders(Arrays.asList(headers)); 098 return this; 099 } 100 101 /** 102 * Set the list of response headers other than "simple" headers, i.e. 103 * {@code Cache-Control}, {@code Content-Language}, {@code Content-Type}, 104 * {@code Expires}, {@code Last-Modified}, or {@code Pragma}, that an 105 * actual response might have and can be exposed. 106 * <p>Note that {@code "*"} is not supported on this property. 107 * <p>By default this is not set. 108 */ 109 public CorsRegistration exposedHeaders(String... headers) { 110 this.config.setExposedHeaders(Arrays.asList(headers)); 111 return this; 112 } 113 114 /** 115 * Configure how long in seconds the response from a pre-flight request 116 * can be cached by clients. 117 * <p>By default this is set to 1800 seconds (30 minutes). 118 */ 119 public CorsRegistration maxAge(long maxAge) { 120 this.config.setMaxAge(maxAge); 121 return this; 122 } 123 124 /** 125 * Whether user credentials are supported in which case the browser should 126 * include any cookies associated with the domain of the request being 127 * annotated. 128 * <p>By default this is {@code false} and user credentials are not allowed. 129 */ 130 public CorsRegistration allowCredentials(boolean allowCredentials) { 131 this.config.setAllowCredentials(allowCredentials); 132 return this; 133 } 134 135 protected String getPathPattern() { 136 return this.pathPattern; 137 } 138 139 protected CorsConfiguration getCorsConfiguration() { 140 return this.config; 141 } 142 143}