/**
 * Set the number of seconds for which clients may cache the response to a
 * pre-flight request.
 * <p>By default this is set to 1800 seconds (30 minutes).
 * <p>NOTE(review): while a pre-flight response is cached a client can skip
 * the pre-flight for matching requests, so a tightened CORS policy may not
 * be observed by that client until its cached entry expires.
 * @param maxAge the cache duration in seconds
 * @return this registration, so that calls can be chained
 */
public CorsRegistration maxAge(long maxAge) {
    // The value is stored on the configuration object backing this registration.
    this.config.setMaxAge(maxAge);
    return this;
}
/**
 * Run CORS processing for the request with the configuration held by this
 * object and report the processor's verdict.
 * <p>NOTE(review): assuming this overrides Spring's
 * {@code HandlerInterceptor#preHandle}, a {@code false} result keeps the
 * handler from being invoked, so a request the processor rejects never
 * reaches application code.
 * @return whatever {@code corsProcessor.processRequest} returns
 */
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
        throws Exception {
    // The handler argument is not consulted; only the stored configuration and the exchange are.
    boolean proceed = corsProcessor.processRequest(this.config, request, response);
    return proceed;
}
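/**
 * Create a CORS registration for the given path pattern, starting from the
 * permit-default values of {@link CorsConfiguration}.
 * <p>NOTE(review): in Spring these defaults are permissive (they are
 * understood to allow all origins); endpoints that must not be readable
 * cross-origin should narrow them, for example with
 * {@code allowedOrigins(...)}, before the registration is used.
 * @param pathPattern the path pattern this registration applies to
 */
public CorsRegistration(String pathPattern) {
    this.pathPattern = pathPattern;
    // Same implicit default values as the @CrossOrigin annotation + allows simple methods
    this.config = new CorsConfiguration().applyPermitDefaultValues();
}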
/**
 * Supply the same CORS configuration for every request: any origin is
 * allowed and credentials are allowed. The request argument is not read.
 * <p>NOTE(review): a wildcard origin combined with credentials is the most
 * permissive CORS setup possible. Depending on the Spring version, the
 * combination is either rejected when the configuration is evaluated or
 * answered by reflecting the caller's {@code Origin}. Keep it to fixtures
 * and list explicit origins wherever credentials matter.
 */
@Override
public CorsConfiguration getCorsConfiguration(HttpServletRequest request) {
    CorsConfiguration permissive = new CorsConfiguration();
    permissive.addAllowedOrigin("*");
    permissive.setAllowCredentials(true);
    return permissive;
}
} // closes the enclosing type, whose header is outside this excerpt
/**
 * Supply the same CORS configuration for every exchange: any origin is
 * allowed and the credentials flag is left unset. The exchange argument is
 * not read.
 * <p>NOTE(review): with a wildcard origin every site may read the
 * responses, which suits only content that does not rely on the caller's
 * network position or other ambient trust.
 */
@Override
public CorsConfiguration getCorsConfiguration(ServerWebExchange exchange) {
    CorsConfiguration anyOrigin = new CorsConfiguration();
    anyOrigin.addAllowedOrigin("*");
    return anyOrigin;
}
} // closes the enclosing type, whose header is outside this excerpt
/**
 * Verifies that {@code "*"} is refused as an exposed header: the call is
 * expected to fail with {@link IllegalArgumentException}, as declared on
 * the {@code @Test} annotation.
 */
@Test(expected = IllegalArgumentException.class)
public void asteriskWildCardOnAddExposedHeader() {
    // A fresh configuration is enough; only the add call itself is under test.
    new CorsConfiguration().addExposedHeader("*");
}
/**
 * Verifies that the map handed out by {@code getCorsConfigurations()} is
 * read-only: adding an entry is expected to fail with
 * {@link UnsupportedOperationException}. This keeps callers from altering
 * the registered CORS policy through the getter.
 */
@Test(expected = UnsupportedOperationException.class)
public void unmodifiableConfigurationsMap() {
    CorsConfiguration extra = new CorsConfiguration();
    // The put on the returned map is the call expected to throw.
    this.configSource.getCorsConfigurations().put("/**", extra);
}
/**
 * Whether the browser should send credentials, such as cookies, along with
 * cross-domain requests to the endpoints covered by this registration. The
 * configured value is set on the {@code Access-Control-Allow-Credentials}
 * response header of preflight requests.
 * <p><strong>NOTE:</strong> Enabling this option establishes a high level
 * of trust with the configured domains and increases the attack surface of
 * the web application, because sensitive user-specific information such as
 * cookies and CSRF tokens becomes exposed to those domains. Enable it only
 * together with an explicit list of trusted origins, never with a wildcard
 * origin.
 * <p>By default this is not set, in which case the
 * {@code Access-Control-Allow-Credentials} header is also not set and
 * credentials are therefore not allowed.
 * @param allowCredentials whether credentials are allowed
 * @return this registration, so that calls can be chained
 */
public CorsRegistration allowCredentials(boolean allowCredentials) {
    // The flag is stored on the configuration object backing this registration.
    this.config.setAllowCredentials(allowCredentials);
    return this;
}
/**
 * Apply CORS processing to the request and decide whether the rest of the
 * filter chain runs.
 * <p>The chain is skipped in two cases: the processor reports the request
 * as invalid, or the request is a pre-flight request. Requests that are not
 * CORS requests, and CORS requests for which the configuration source
 * returns {@code null}, are passed down the chain without CORS processing.
 * <p>NOTE(review): the pass-through for unmatched CORS requests means the
 * request is still handled by the application. CORS decides what a browser
 * may read, so it does not replace authentication or CSRF protection.
 */
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
        FilterChain filterChain) throws ServletException, IOException {

    if (!CorsUtils.isCorsRequest(request)) {
        // Not a CORS request: nothing to check.
        filterChain.doFilter(request, response);
        return;
    }

    CorsConfiguration matched = this.configSource.getCorsConfiguration(request);
    if (matched == null) {
        // No configuration for this request: continue without CORS processing.
        filterChain.doFilter(request, response);
        return;
    }

    boolean accepted = this.processor.processRequest(matched, request, response);
    // The pre-flight check is only evaluated for accepted requests, as in the nested form.
    if (accepted && !CorsUtils.isPreFlightRequest(request)) {
        filterChain.doFilter(request, response);
    }
}
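/**
 * Check the headers and determine the headers for the response of a
 * pre-flight request. The default implementation simply delegates to
 * {@link org.springframework.web.cors.CorsConfiguration#checkHeaders(List)}.
 * @param config the CORS configuration to check against
 * @param requestHeaders the header names taken from the request
 * @return the value returned by the configuration; may be {@code null}
 * (NOTE(review): presumably meaning that the headers are not allowed)
 */
@Nullable
protected List<String> checkHeaders(CorsConfiguration config, List<String> requestHeaders) {
    // Subclasses can override this hook to apply their own header policy.
    return config.checkHeaders(requestHeaders);
}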
/**
 * Decide which origin value, if any, is used for the response to a request
 * with the given origin. The default implementation simply delegates to
 * {@link CorsConfiguration#checkOrigin(String)}.
 * @param config the CORS configuration to check against
 * @param requestOrigin the origin taken from the request; may be {@code null}
 * @return the value returned by the configuration; may be {@code null}
 * (NOTE(review): presumably meaning that the origin is not allowed)
 */
@Nullable
protected String checkOrigin(CorsConfiguration config, @Nullable String requestOrigin) {
    // Subclasses can override this hook to apply their own origin policy.
    String responseOrigin = config.checkOrigin(requestOrigin);
    return responseOrigin;
}
/**
 * Shortcut to the same property on the underlying
 * {@link #setUrlPathHelper UrlPathHelper}.
 * <p>The value is also passed to the CORS configuration source when that
 * source is a {@link UrlBasedCorsConfigurationSource}. NOTE(review):
 * presumably so that CORS lookup and handler lookup resolve the request
 * path in the same way.
 * @see org.springframework.web.util.UrlPathHelper#setAlwaysUseFullPath(boolean)
 */
public void setAlwaysUseFullPath(boolean alwaysUseFullPath) {
    this.urlPathHelper.setAlwaysUseFullPath(alwaysUseFullPath);
    if (this.corsConfigurationSource instanceof UrlBasedCorsConfigurationSource) {
        UrlBasedCorsConfigurationSource urlBased =
                (UrlBasedCorsConfigurationSource) this.corsConfigurationSource;
        urlBased.setAlwaysUseFullPath(alwaysUseFullPath);
    }
}
/**
 * Set the PathMatcher implementation to use for matching URL paths
 * against registered URL patterns. Default is AntPathMatcher.
 * <p>The matcher is also passed to the CORS configuration source when that
 * source is a {@link UrlBasedCorsConfigurationSource}. NOTE(review):
 * presumably so that CORS patterns and handler patterns are matched by the
 * same rules.
 * @param pathMatcher the matcher to use; must not be {@code null}
 * @see org.springframework.util.AntPathMatcher
 */
public void setPathMatcher(PathMatcher pathMatcher) {
    // Rejected before any state changes, so a null never replaces the current matcher.
    Assert.notNull(pathMatcher, "PathMatcher must not be null");
    this.pathMatcher = pathMatcher;
    if (this.corsConfigurationSource instanceof UrlBasedCorsConfigurationSource) {
        UrlBasedCorsConfigurationSource urlBased =
                (UrlBasedCorsConfigurationSource) this.corsConfigurationSource;
        urlBased.setPathMatcher(pathMatcher);
    }
}
/**
 * Shortcut to the same property on the underlying
 * {@link #setUrlPathHelper UrlPathHelper}.
 * <p>The value is also passed to the CORS configuration source when that
 * source is a {@link UrlBasedCorsConfigurationSource}. NOTE(review):
 * presumably so that semicolon content in the path is treated the same way
 * for CORS lookup as for handler lookup.
 * @see org.springframework.web.util.UrlPathHelper#setRemoveSemicolonContent(boolean)
 */
public void setRemoveSemicolonContent(boolean removeSemicolonContent) {
    this.urlPathHelper.setRemoveSemicolonContent(removeSemicolonContent);
    if (this.corsConfigurationSource instanceof UrlBasedCorsConfigurationSource) {
        UrlBasedCorsConfigurationSource urlBased =
                (UrlBasedCorsConfigurationSource) this.corsConfigurationSource;
        urlBased.setRemoveSemicolonContent(removeSemicolonContent);
    }
}
/**
 * Supply the same CORS configuration for every exchange: any origin is
 * allowed and credentials are allowed. The exchange argument is not read.
 * <p>NOTE(review): a wildcard origin combined with credentials is the most
 * permissive CORS setup possible. Depending on the Spring version, the
 * combination is either rejected when the configuration is evaluated or
 * answered by reflecting the caller's {@code Origin}. Keep it to fixtures
 * and list explicit origins wherever credentials matter.
 */
@Override
public CorsConfiguration getCorsConfiguration(ServerWebExchange exchange) {
    CorsConfiguration permissive = new CorsConfiguration();
    permissive.addAllowedOrigin("*");
    permissive.setAllowCredentials(true);
    return permissive;
}
} // closes the enclosing type, whose header is outside this excerpt
/**
 * Supply the same CORS configuration for every request: any origin is
 * allowed and the credentials flag is left unset. The request argument is
 * not read.
 * <p>NOTE(review): with a wildcard origin every site may read the
 * responses, which suits only content that does not rely on the caller's
 * network position or other ambient trust.
 */
@Override
public CorsConfiguration getCorsConfiguration(HttpServletRequest request) {
    CorsConfiguration anyOrigin = new CorsConfiguration();
    anyOrigin.addAllowedOrigin("*");
    return anyOrigin;
}
/**
 * Create a CORS registration for the given path pattern, starting from the
 * permit-default values of {@link CorsConfiguration}.
 * <p>NOTE(review): in Spring these defaults are permissive (they are
 * understood to allow all origins); endpoints that must not be readable
 * cross-origin should narrow them, for example with
 * {@code allowedOrigins(...)}, before the registration is used.
 * @param pathPattern the path pattern this registration applies to
 */
public CorsRegistration(String pathPattern) {
    // The two assignments are independent of each other.
    this.config = new CorsConfiguration().applyPermitDefaultValues();
    this.pathPattern = pathPattern;
}
/**
 * Whether the browser should send credentials, such as cookies, along with
 * cross-domain requests to the endpoints covered by this registration. The
 * configured value is set on the {@code Access-Control-Allow-Credentials}
 * response header of preflight requests.
 * <p><strong>NOTE:</strong> Enabling this option establishes a high level
 * of trust with the configured domains and increases the attack surface of
 * the web application, because sensitive user-specific information such as
 * cookies and CSRF tokens becomes exposed to those domains. Enable it only
 * together with an explicit list of trusted origins, never with a wildcard
 * origin.
 * <p>By default this is not set, in which case the
 * {@code Access-Control-Allow-Credentials} header is also not set and
 * credentials are therefore not allowed.
 * @param allowCredentials whether credentials are allowed
 * @return this registration, so that calls can be chained
 */
public CorsRegistration allowCredentials(boolean allowCredentials) {
    // The flag is stored on the configuration object backing this registration.
    this.config.setAllowCredentials(allowCredentials);
    return this;
}
/**
 * Set the number of seconds for which clients may cache the response to a
 * pre-flight request.
 * <p>By default this is set to 1800 seconds (30 minutes).
 * <p>NOTE(review): while a pre-flight response is cached a client can skip
 * the pre-flight for matching requests, so a tightened CORS policy may not
 * be observed by that client until its cached entry expires.
 * @param maxAge the cache duration in seconds
 * @return this registration, so that calls can be chained
 */
public CorsRegistration maxAge(long maxAge) {
    // The value is stored on the configuration object backing this registration.
    this.config.setMaxAge(maxAge);
    return this;
}
/**
 * Handle the request by running CORS processing with the configuration
 * held by this object. No further handling follows.
 * <p>NOTE(review): the boolean returned by {@code processRequest} is
 * discarded here; presumably the processor has already written the
 * outcome, including a rejection, to the response. Confirm this against
 * the processor in use.
 */
@Override
public void handleRequest(HttpServletRequest request, HttpServletResponse response)
        throws IOException {
    // Only the processor's effect on the response matters at this point.
    corsProcessor.processRequest(this.config, request, response);
}