return this; CorsConfiguration config = new CorsConfiguration(this); config.setAllowedOrigins(combine(getAllowedOrigins(), other.getAllowedOrigins())); config.setAllowedMethods(combine(getAllowedMethods(), other.getAllowedMethods())); config.setAllowedHeaders(combine(getAllowedHeaders(), other.getAllowedHeaders())); config.setExposedHeaders(combine(getExposedHeaders(), other.getExposedHeaders())); Boolean allowCredentials = other.getAllowCredentials(); if (allowCredentials != null) { config.setAllowCredentials(allowCredentials); Long maxAge = other.getMaxAge(); if (maxAge != null) { config.setMaxAge(maxAge);
@Test // SPR-15772 public void changePermitDefaultValues() { CorsConfiguration config = new CorsConfiguration().applyPermitDefaultValues(); config.addAllowedOrigin("http://domain.com"); config.addAllowedHeader("header1"); config.addAllowedMethod("PATCH"); assertEquals(Arrays.asList("*", "http://domain.com"), config.getAllowedOrigins()); assertEquals(Arrays.asList("*", "header1"), config.getAllowedHeaders()); assertEquals(Arrays.asList("GET", "HEAD", "POST", "PATCH"), config.getAllowedMethods()); }
public CorsRegistration(String pathPattern) { this.pathPattern = pathPattern; // Same implicit default values as the @CrossOrigin annotation + allows simple methods this.config = new CorsConfiguration().applyPermitDefaultValues(); }
@Override @Nullable public CorsConfiguration getCorsConfiguration(HttpServletRequest request) { if (!this.suppressCors && CorsUtils.isCorsRequest(request)) { CorsConfiguration config = new CorsConfiguration(); config.setAllowedOrigins(new ArrayList<>(this.allowedOrigins)); config.addAllowedMethod("*"); config.setAllowCredentials(true); config.setMaxAge(ONE_YEAR); config.addAllowedHeader("*"); return config; } return null; }
private CorsConfiguration buildConfig() { CorsConfiguration corsConfiguration = new CorsConfiguration(); corsConfiguration.addAllowedOrigin("*"); // 1 设置访问源地址 corsConfiguration.addAllowedHeader("*"); // 2 设置访问源请求头 corsConfiguration.addAllowedMethod("*"); // 3 设置访问源请求方法 return corsConfiguration; }
@Test public void setValues() { CorsConfiguration config = new CorsConfiguration(); config.addAllowedOrigin("*"); assertEquals(Arrays.asList("*"), config.getAllowedOrigins()); config.addAllowedHeader("*"); assertEquals(Arrays.asList("*"), config.getAllowedHeaders()); config.addAllowedMethod("*"); assertEquals(Arrays.asList("*"), config.getAllowedMethods()); config.addExposedHeader("header1"); config.addExposedHeader("header2"); assertEquals(Arrays.asList("header1", "header2"), config.getExposedHeaders()); config.setAllowCredentials(true); assertTrue(config.getAllowCredentials()); config.setMaxAge(123L); assertEquals(new Long(123), config.getMaxAge()); }
CorsConfiguration config = new CorsConfiguration().applyPermitDefaultValues(); corsConfigurations.put("/**", config); CorsConfiguration config = new CorsConfiguration(); if (mapping.hasAttribute("allowed-origins")) { String[] allowedOrigins = StringUtils.tokenizeToStringArray(mapping.getAttribute("allowed-origins"), ","); config.setAllowedOrigins(Arrays.asList(allowedOrigins)); config.setAllowedMethods(Arrays.asList(allowedMethods)); config.setAllowedHeaders(Arrays.asList(allowedHeaders)); config.setExposedHeaders(Arrays.asList(exposedHeaders)); config.setAllowCredentials(Boolean.parseBoolean(mapping.getAttribute("allow-credentials"))); config.setMaxAge(Long.parseLong(mapping.getAttribute("max-age"))); corsConfigurations.put(mapping.getAttribute("path"), config.applyPermitDefaultValues());
config.addAllowedOrigin(resolveCorsAnnotationValue(origin)); config.addAllowedMethod(method.name()); config.addAllowedHeader(resolveCorsAnnotationValue(header)); config.addExposedHeader(resolveCorsAnnotationValue(header)); config.setAllowCredentials(true); config.setAllowCredentials(false); if (annotation.maxAge() >= 0 && config.getMaxAge() == null) { config.setMaxAge(annotation.maxAge());
CorsConfiguration config = new CorsConfiguration(); updateCorsConfig(config, typeAnnotation); if (CollectionUtils.isEmpty(config.getAllowedOrigins())) { config.setAllowedOrigins(Arrays.asList(CrossOrigin.DEFAULT_ORIGINS)); if (CollectionUtils.isEmpty(config.getAllowedMethods())) { for (HttpMethod httpMethod : HttpMethod.values()) { config.addAllowedMethod(httpMethod); if (CollectionUtils.isEmpty(config.getAllowedHeaders())) { config.setAllowedHeaders(Arrays.asList(CrossOrigin.DEFAULT_ALLOWED_HEADERS)); if (config.getAllowCredentials() == null) { config.setAllowCredentials(CrossOrigin.DEFAULT_ALLOW_CREDENTIALS); if (config.getMaxAge() == null) { config.setMaxAge(CrossOrigin.DEFAULT_MAX_AGE);
@Bean public CorsFilter corsFilter() { final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); final CorsConfiguration config = new CorsConfiguration(); config.setAllowCredentials(true); //是否支持 cookie 跨域 config.setAllowedHeaders(Arrays.asList("*")); config.setAllowedOrigins(Arrays.asList("*")); config.setAllowedMethods(Arrays.asList("*")); config.setMaxAge(300l); //缓存时间。在这个时间段内,相同的跨域请求将不再检查 source.registerCorsConfiguration("/**", config); return new CorsFilter(source); } }
@Before public void setup() throws Exception { config.setAllowedOrigins(Arrays.asList("http://domain1.com", "http://domain2.com")); config.setAllowedMethods(Arrays.asList("GET", "POST")); config.setAllowedHeaders(Arrays.asList("header1", "header2")); config.setExposedHeaders(Arrays.asList("header3", "header4")); config.setMaxAge(123L); config.setAllowCredentials(false); filter = new CorsWebFilter(r -> config); }
private static UrlBasedCorsConfigurationSource configurationSource() { CorsConfiguration config = new CorsConfiguration(); config.setAllowCredentials(true); config.addAllowedOrigin("*"); config.addAllowedHeader("*"); config.setMaxAge(36000L); config.setAllowedMethods(Arrays.asList("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS")); UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); source.registerCorsConfiguration("/api/**", config); return source; } }
@Test public void preflightRequestCredentialsWithOriginWildcard() throws Exception { this.request.setMethod(HttpMethod.OPTIONS.name()); this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com"); this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET"); this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1"); this.conf.addAllowedOrigin("http://domain1.com"); this.conf.addAllowedOrigin("*"); this.conf.addAllowedOrigin("http://domain3.com"); this.conf.addAllowedHeader("Header1"); this.conf.setAllowCredentials(true); this.processor.processRequest(this.conf, this.request, this.response); assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)); assertEquals("http://domain2.com", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)); assertThat(this.response.getHeaders(HttpHeaders.VARY), contains(HttpHeaders.ORIGIN, HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS)); assertEquals(HttpServletResponse.SC_OK, this.response.getStatus()); }
@Override public CorsConfiguration getCorsConfiguration(HttpServletRequest request) { CorsConfiguration config = new CorsConfiguration(); config.addAllowedOrigin("*"); config.setAllowCredentials(true); return config; } }
@Override public CorsConfiguration getCorsConfiguration(ServerWebExchange exchange) { CorsConfiguration config = new CorsConfiguration(); config.addAllowedOrigin("*"); return config; } }
@Override protected CorsConfiguration initCorsConfiguration(Object handler, Method method, RequestMappingInfo mappingInfo) { HandlerMethod handlerMethod = createHandlerMethod(handler, method); Class<?> beanType = handlerMethod.getBeanType(); CrossOrigin typeAnnotation = AnnotatedElementUtils.findMergedAnnotation(beanType, CrossOrigin.class); CrossOrigin methodAnnotation = AnnotatedElementUtils.findMergedAnnotation(method, CrossOrigin.class); if (typeAnnotation == null && methodAnnotation == null) { return null; } CorsConfiguration config = new CorsConfiguration(); updateCorsConfig(config, typeAnnotation); updateCorsConfig(config, methodAnnotation); if (CollectionUtils.isEmpty(config.getAllowedMethods())) { for (RequestMethod allowedMethod : mappingInfo.getMethodsCondition().getMethods()) { config.addAllowedMethod(allowedMethod.name()); } } return config.applyPermitDefaultValues(); }
private static CorsConfiguration createDefaultCorsConfig() { CorsConfiguration retVal = new CorsConfiguration(); retVal.setAllowedHeaders(new ArrayList<>(Constants.CORS_ALLOWED_HEADERS)); retVal.setAllowedMethods(new ArrayList<>(Constants.CORS_ALLWED_METHODS)); retVal.addExposedHeader("Content-Location"); retVal.addExposedHeader("Location"); retVal.addAllowedOrigin("*"); return retVal; }
@Test public void preflightRequestAllowedHeaders() throws Exception { this.request.setMethod(HttpMethod.OPTIONS.name()); this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com"); this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET"); this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, "Header1, Header2"); this.conf.addAllowedHeader("Header1"); this.conf.addAllowedHeader("Header2"); this.conf.addAllowedHeader("Header3"); this.conf.addAllowedOrigin("http://domain2.com"); this.processor.processRequest(this.conf, this.request, this.response); assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)); assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS)); assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header1")); assertTrue(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header2")); assertFalse(this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).contains("Header3")); assertThat(this.response.getHeaders(HttpHeaders.VARY), contains(HttpHeaders.ORIGIN, HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS)); assertEquals(HttpServletResponse.SC_OK, this.response.getStatus()); }
@Test public void actualRequestCredentials() throws Exception { this.request.setMethod(HttpMethod.GET.name()); this.request.addHeader(HttpHeaders.ORIGIN, "http://domain2.com"); this.conf.addAllowedOrigin("http://domain1.com"); this.conf.addAllowedOrigin("http://domain2.com"); this.conf.addAllowedOrigin("http://domain3.com"); this.conf.setAllowCredentials(true); this.processor.processRequest(this.conf, this.request, this.response); assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)); assertEquals("http://domain2.com", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)); assertTrue(this.response.containsHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)); assertEquals("true", this.response.getHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)); assertThat(this.response.getHeaders(HttpHeaders.VARY), contains(HttpHeaders.ORIGIN, HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS)); assertEquals(HttpServletResponse.SC_OK, this.response.getStatus()); }
@Test public void checkOriginAllowed() { CorsConfiguration config = new CorsConfiguration(); config.setAllowedOrigins(Arrays.asList("*")); assertEquals("*", config.checkOrigin("http://domain.com")); config.setAllowCredentials(true); assertEquals("http://domain.com", config.checkOrigin("http://domain.com")); config.setAllowedOrigins(Arrays.asList("http://domain.com")); assertEquals("http://domain.com", config.checkOrigin("http://domain.com")); config.setAllowCredentials(false); assertEquals("http://domain.com", config.checkOrigin("http://domain.com")); }