/**
 * Append a single origin to the list of allowed origins.
 * <p>A list is created on first use. If the current list is the shared
 * {@code DEFAULT_PERMIT_ALL} instance, it is first passed to
 * {@code setAllowedOrigins} (presumably so the shared default is replaced
 * by a private copy before the append; confirm against the setter).
 * <p>NOTE(review): if {@code DEFAULT_PERMIT_ALL} holds the {@code "*"}
 * wildcard, the origin added here joins it rather than replacing it, so
 * the configuration would still match every origin. Confirm that callers
 * who intend to narrow the list use {@code setAllowedOrigins} instead.
 * @param origin the origin to allow
 */
public void addAllowedOrigin(String origin) {
    // First use: start with a small, growable list.
    if (this.allowedOrigins == null) {
        this.allowedOrigins = new ArrayList<>(4);
    }
    // A freshly created list is never the shared default, so this guard
    // only fires for a list that was already in place.
    if (this.allowedOrigins == DEFAULT_PERMIT_ALL) {
        setAllowedOrigins(DEFAULT_PERMIT_ALL);
    }
    this.allowedOrigins.add(origin);
}
/**
 * Set the origins to allow. Each entry may be a specific origin, e.g.
 * {@code "http://domain1.com"}, or {@code "*"} for all origins.
 * <p>A matched origin is listed in the {@code Access-Control-Allow-Origin}
 * response header of preflight and actual CORS requests.
 * <p>By default, all origins are allowed.
 * <p><strong>Note:</strong> CORS checks use values from "Forwarded"
 * (<a href="http://tools.ietf.org/html/rfc7239">RFC 7239</a>),
 * "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers,
 * if present, in order to reflect the client-originated address.
 * These are ordinary request headers, so they are only as trustworthy as
 * the proxy chain that sets or strips them.
 * Consider using the {@code ForwardedHeaderFilter} in order to choose from a
 * central place whether to extract and use, or to discard such headers.
 * See the Spring Framework reference for more on this filter.
 * @param origins the origins to allow
 * @return this registration, so that calls can be chained
 */
public CorsRegistration allowedOrigins(String... origins) {
    // Arrays.asList returns a fixed-size view backed by the caller's array.
    // NOTE(review): whether that view is stored as-is or copied depends on
    // setAllowedOrigins; confirm before relying on later add calls.
    this.config.setAllowedOrigins(Arrays.asList(origins));
    return this;
}
/**
 * Set the origins to allow. Each entry may be a specific origin, e.g.
 * {@code "http://domain1.com"}, or {@code "*"} for all origins.
 * <p>A matched origin is listed in the {@code Access-Control-Allow-Origin}
 * response header of preflight and actual CORS requests.
 * <p>By default all origins are allowed.
 * <p><strong>Note:</strong> CORS checks use values from "Forwarded"
 * (<a href="http://tools.ietf.org/html/rfc7239">RFC 7239</a>),
 * "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers,
 * if present, in order to reflect the client-originated address.
 * These are ordinary request headers, so they are only as trustworthy as
 * the proxy chain that sets or strips them.
 * Consider using the {@code ForwardedHeaderFilter} in order to choose from a
 * central place whether to extract and use, or to discard such headers.
 * See the Spring Framework reference for more on this filter.
 * @param origins the origins to allow
 * @return this registration, so that calls can be chained
 */
public CorsRegistration allowedOrigins(String... origins) {
    // Copy into a fresh ArrayList: the configuration receives a resizable
    // list that is independent of the caller's varargs array.
    this.config.setAllowedOrigins(new ArrayList<>(Arrays.asList(origins)));
    return this;
}
/**
 * Append a single origin to the list of allowed origins.
 * <p>A list is created on first use. If the current list is the shared
 * {@code DEFAULT_PERMIT_ALL} instance, it is first passed to
 * {@code setAllowedOrigins} (presumably so the shared default is replaced
 * by a private copy before the append; confirm against the setter).
 * <p>NOTE(review): if {@code DEFAULT_PERMIT_ALL} holds the {@code "*"}
 * wildcard, the origin added here joins it rather than replacing it, so
 * the configuration would still match every origin. Confirm that callers
 * who intend to narrow the list use {@code setAllowedOrigins} instead.
 * @param origin the origin to allow
 */
public void addAllowedOrigin(String origin) {
    // First use: start with a small, growable list.
    if (this.allowedOrigins == null) {
        this.allowedOrigins = new ArrayList<>(4);
    }
    // A freshly created list is never the shared default, so this guard
    // only fires for a list that was already in place.
    if (this.allowedOrigins == DEFAULT_PERMIT_ALL) {
        setAllowedOrigins(DEFAULT_PERMIT_ALL);
    }
    this.allowedOrigins.add(origin);
}
/**
 * Set the origins to allow. Each entry may be a specific origin, e.g.
 * {@code "http://domain1.com"}, or {@code "*"} for all origins.
 * <p>A matched origin is listed in the {@code Access-Control-Allow-Origin}
 * response header of preflight and actual CORS requests.
 * <p>By default, all origins are allowed.
 * <p><strong>Note:</strong> CORS checks use values from "Forwarded"
 * (<a href="http://tools.ietf.org/html/rfc7239">RFC 7239</a>),
 * "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers,
 * if present, in order to reflect the client-originated address.
 * These are ordinary request headers, so they are only as trustworthy as
 * the proxy chain that sets or strips them.
 * Consider using the {@code ForwardedHeaderFilter} in order to choose from a
 * central place whether to extract and use, or to discard such headers.
 * See the Spring Framework reference for more on this filter.
 * @param origins the origins to allow
 * @return this registration, so that calls can be chained
 */
public CorsRegistration allowedOrigins(String... origins) {
    // Arrays.asList returns a fixed-size view backed by the caller's array.
    // NOTE(review): whether that view is stored as-is or copied depends on
    // setAllowedOrigins; confirm before relying on later add calls.
    this.config.setAllowedOrigins(Arrays.asList(origins));
    return this;
}
/**
 * Build a CORS configuration with exactly one allowed origin, synthesised
 * from the handler's hash code and the method name. The {@code mapping}
 * argument is not used.
 * @param handler the handler whose {@code hashCode()} goes into the origin
 * @param method the method whose name goes into the origin
 * @param mapping ignored
 * @return a new configuration holding the single synthetic origin
 */
@Override
protected CorsConfiguration initCorsConfiguration(Object handler, Method method, String mapping) {
    CorsConfiguration result = new CorsConfiguration();
    // The value is unique per handler/method pair rather than a real site origin.
    String syntheticOrigin = "http://" + handler.hashCode() + method.getName();
    result.setAllowedOrigins(Collections.singletonList(syntheticOrigin));
    return result;
}
// Optional "allowed-origins" attribute: a comma-separated list of origins.
if (mapping.hasAttribute("allowed-origins")) {
    // NOTE(review): trimming and empty-token handling are whatever
    // StringUtils.tokenizeToStringArray does by default; confirm that
    // entries such as " http://a.example" end up without the whitespace.
    String[] allowedOrigins = StringUtils.tokenizeToStringArray(mapping.getAttribute("allowed-origins"), ",");
    // Tokens are handed over as written, with no validation here.
    // NOTE(review): a "*" token presumably allows every origin; confirm
    // that is intended wherever this attribute is populated.
    config.setAllowedOrigins(Arrays.asList(allowedOrigins));
/**
 * Return the CORS configuration for the given request, or {@code null}
 * when CORS handling is suppressed or the request is not a CORS request.
 * <p>The configuration returned allows every method and every header,
 * enables credentials, sets the max age to {@code ONE_YEAR}, and takes
 * its origins from a copy of this instance's {@code allowedOrigins}.
 * <p>NOTE(review): with credentials enabled and methods/headers wide open,
 * the origin list is the only restriction left. Confirm that
 * {@code allowedOrigins} is limited to trusted origins wherever cookies or
 * other ambient credentials are in use, and that a long max age is
 * acceptable given that browsers may keep a cached preflight result after
 * the list has been tightened.
 * @param request the current request
 * @return a new configuration, or {@code null} if none applies
 */
@Override
@Nullable
public CorsConfiguration getCorsConfiguration(HttpServletRequest request) {
    // Same short-circuit order as checking the flag first: a suppressed
    // instance never inspects the request.
    if (this.suppressCors || !CorsUtils.isCorsRequest(request)) {
        return null;
    }
    CorsConfiguration corsConfig = new CorsConfiguration();
    // Defensive copy: later changes to the returned configuration do not
    // reach this instance's own list.
    corsConfig.setAllowedOrigins(new ArrayList<>(this.allowedOrigins));
    corsConfig.addAllowedMethod("*");
    corsConfig.setAllowCredentials(true);
    corsConfig.setMaxAge(ONE_YEAR);
    corsConfig.addAllowedHeader("*");
    return corsConfig;
}
// Optional "allowed-origins" attribute: a comma-separated list of origins.
if (mapping.hasAttribute("allowed-origins")) {
    // NOTE(review): trimming and empty-token handling are whatever
    // StringUtils.tokenizeToStringArray does by default; confirm that
    // entries such as " http://a.example" end up without the whitespace.
    String[] allowedOrigins = StringUtils.tokenizeToStringArray(mapping.getAttribute("allowed-origins"), ",");
    // Tokens are handed over as written, with no validation here.
    // NOTE(review): a "*" token presumably allows every origin; confirm
    // that is intended wherever this attribute is populated.
    config.setAllowedOrigins(Arrays.asList(allowedOrigins));
/**
 * Test fixture: a restrictive CORS configuration (two explicit origins,
 * GET and POST only, two allowed and two exposed headers, credentials
 * disabled) served to a {@code CorsWebFilter} for every request.
 */
@Before
public void setup() throws Exception {
    // Explicit origins only, no wildcard.
    config.setAllowedOrigins(Arrays.asList("http://domain1.com", "http://domain2.com"));
    config.setAllowedMethods(Arrays.asList("GET", "POST"));
    config.setAllowedHeaders(Arrays.asList("header1", "header2"));
    config.setExposedHeaders(Arrays.asList("header3", "header4"));
    config.setMaxAge(123L);
    config.setAllowCredentials(false);
    // The configuration source ignores its argument and always returns the same config.
    filter = new CorsWebFilter(r -> config);
}
/**
 * Test fixture: a restrictive CORS configuration (two explicit origins,
 * GET and POST only, two allowed and two exposed headers, credentials
 * disabled) served to a {@code CorsFilter} for every request.
 */
@Before
public void setup() throws Exception {
    // Explicit origins only, no wildcard.
    config.setAllowedOrigins(Arrays.asList("http://domain1.com", "http://domain2.com"));
    config.setAllowedMethods(Arrays.asList("GET", "POST"));
    config.setAllowedHeaders(Arrays.asList("header1", "header2"));
    config.setExposedHeaders(Arrays.asList("header3", "header4"));
    config.setMaxAge(123L);
    config.setAllowCredentials(false);
    // The configuration source ignores its argument and always returns the same config.
    filter = new CorsFilter(r -> config);
}
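/**
 * Register a {@code CorsFilter} that applies a single CORS configuration
 * to every request path.
 * <p>NOTE(review): the configuration enables credentials and also sets the
 * allowed origins to the {@code "*"} wildcard. Where the framework accepts
 * that pair, any web site can issue cross-origin requests that carry the
 * user's cookies and read the responses. Replace the wildcard with the
 * explicit list of trusted front-end origins, or turn credentials off if
 * the API does not rely on cookies.
 * @return the filter to install in the servlet filter chain
 */
@Bean
public CorsFilter corsFilter() {
    final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    final CorsConfiguration config = new CorsConfiguration();
    // Whether cross-origin requests may carry cookies.
    config.setAllowCredentials(true);
    config.setAllowedHeaders(Arrays.asList("*"));
    // NOTE(review): wildcard origins together with credentials (above); see the method comment.
    config.setAllowedOrigins(Arrays.asList("*"));
    config.setAllowedMethods(Arrays.asList("*"));
    // Preflight cache lifetime: within this period the same cross-origin
    // request is not checked again. Upper-case suffix so that the literal
    // cannot be misread as 3001.
    config.setMaxAge(300L);
    source.registerCorsConfiguration("/**", config);
    return new CorsFilter(source);
}
} // closes the enclosing class, whose header is outside this excerpt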
/**
 * Combining with {@code null} must leave the receiver's allowed origins
 * unchanged. The return value of {@code combine} is not inspected here.
 */
@Test
public void combineWithNull() {
    CorsConfiguration wildcardConfig = new CorsConfiguration();
    wildcardConfig.setAllowedOrigins(Arrays.asList("*"));
    wildcardConfig.combine(null);
    assertEquals(Arrays.asList("*"), wildcardConfig.getAllowedOrigins());
}
/**
 * Test fixture: builds the testing {@code http} object against the
 * application context and stubs the CORS configuration source so that it
 * returns a wildcard-origin configuration for any argument.
 */
@Before
public void setup() {
    this.http = new TestingServerHttpSecurity().applicationContext(this.context);
    // Wildcard origins are used here only as a stub value for the mock.
    CorsConfiguration wildcardConfig = new CorsConfiguration();
    wildcardConfig.setAllowedOrigins(Arrays.asList("*"));
    when(this.source.getCorsConfiguration(any())).thenReturn(wildcardConfig);
}
/**
 * Pins what {@code checkOrigin} returns for an allowed origin under each
 * combination of wildcard/explicit origin list and credentials setting.
 */
@Test
public void checkOriginAllowed() {
    String origin = "http://domain.com";
    CorsConfiguration corsConfig = new CorsConfiguration();

    // Wildcard list, credentials not set: the wildcard itself is returned.
    corsConfig.setAllowedOrigins(Arrays.asList("*"));
    assertEquals("*", corsConfig.checkOrigin(origin));

    // Wildcard list with credentials: the request's own origin is echoed
    // back, so this combination accepts credentialed requests from any origin.
    corsConfig.setAllowCredentials(true);
    assertEquals("http://domain.com", corsConfig.checkOrigin(origin));

    // Explicit list: the matching origin is returned with credentials on ...
    corsConfig.setAllowedOrigins(Arrays.asList(origin));
    assertEquals("http://domain.com", corsConfig.checkOrigin(origin));

    // ... and with credentials off.
    corsConfig.setAllowCredentials(false);
    assertEquals("http://domain.com", corsConfig.checkOrigin(origin));
}
/**
 * Pins the cases in which {@code checkOrigin} rejects a request by
 * returning {@code null}.
 */
@Test
public void checkOriginNotAllowed() {
    String origin = "http://domain.com";
    CorsConfiguration corsConfig = new CorsConfiguration();

    // A fresh configuration rejects both a missing and a concrete origin.
    assertNull(corsConfig.checkOrigin(null));
    assertNull(corsConfig.checkOrigin(origin));

    // Even with the wildcard allowed, a missing origin is rejected.
    corsConfig.addAllowedOrigin("*");
    assertNull(corsConfig.checkOrigin(null));

    // An origin that is not in the explicit list is rejected.
    corsConfig.setAllowedOrigins(Arrays.asList("http://domain1.com"));
    assertNull(corsConfig.checkOrigin("http://domain2.com"));

    // An empty list allows nothing.
    corsConfig.setAllowedOrigins(new ArrayList<>());
    assertNull(corsConfig.checkOrigin(origin));
}
/**
 * Registers one CORS configuration for every path: any origin, GET and
 * POST only. Credentials are not touched in this constructor.
 */
MyCorsConfigurationSource() {
    CorsConfiguration corsConfig = new CorsConfiguration();
    corsConfig.setAllowedOrigins(Arrays.asList("*"));
    String get = RequestMethod.GET.name();
    String post = RequestMethod.POST.name();
    corsConfig.setAllowedMethods(Arrays.asList(get, post));
    super.registerCorsConfiguration("/**", corsConfig);
}
} // closes the enclosing class, whose header is outside this excerpt
// Merge each list-valued setting of this configuration with the matching
// setting of "other" and store the result on "config".
// NOTE(review): how a "*" entry on either side is treated depends on
// combine(...), which is not visible here; confirm that merging cannot
// widen an explicit origin list unintentionally.
config.setAllowedOrigins(combine(getAllowedOrigins(), other.getAllowedOrigins()));
config.setAllowedMethods(combine(getAllowedMethods(), other.getAllowedMethods()));
config.setAllowedHeaders(combine(getAllowedHeaders(), other.getAllowedHeaders()));
// Merge each list-valued setting of this configuration with the matching
// setting of "other" and store the result on "config".
// NOTE(review): how a "*" entry on either side is treated depends on
// combine(...), which is not visible here; confirm that merging cannot
// widen an explicit origin list unintentionally.
config.setAllowedOrigins(combine(getAllowedOrigins(), other.getAllowedOrigins()));
config.setAllowedMethods(combine(getAllowedMethods(), other.getAllowedMethods()));
config.setAllowedHeaders(combine(getAllowedHeaders(), other.getAllowedHeaders()));
/**
 * Every setter accepts {@code null}, and the matching getter then returns
 * {@code null} rather than a default value.
 */
@Test
public void setNullValues() {
    CorsConfiguration corsConfig = new CorsConfiguration();

    corsConfig.setAllowedOrigins(null);
    assertNull(corsConfig.getAllowedOrigins());

    corsConfig.setAllowedHeaders(null);
    assertNull(corsConfig.getAllowedHeaders());

    corsConfig.setAllowedMethods(null);
    assertNull(corsConfig.getAllowedMethods());

    corsConfig.setExposedHeaders(null);
    assertNull(corsConfig.getExposedHeaders());

    corsConfig.setAllowCredentials(null);
    assertNull(corsConfig.getAllowCredentials());

    corsConfig.setMaxAge(null);
    assertNull(corsConfig.getMaxAge());
}