程序包 cn.taketoday.web.cors

类 CorsConfiguration

java.lang.Object
cn.taketoday.web.cors.CorsConfiguration
public class CorsConfiguration extends Object
A container for CORS configuration along with methods to check against the actual origin, HTTP methods, and headers of a given request.

By default a newly created CorsConfiguration does not permit any cross-origin requests and must be configured explicitly to indicate what should be allowed. Use applyPermitDefaultValues() to flip the initialization model to start with open defaults that permit all cross-origin requests for GET, HEAD, and POST requests.

从以下版本开始:
2.3.7
作者:
Sebastien Deleuze, Rossen Stoyanchev, Juergen Hoeller, Sam Brannen, TODAY
2019-12-08 16:39
另请参阅:

  • 字段详细资料

    • ALL

      public static final String ALL
      Wildcard representing all origins, methods, or headers.
      另请参阅:

    • DEFAULT_METHODS

      private static final List<HttpMethod> DEFAULT_METHODS

    • DEFAULT_PERMIT_ALL

      private static final List<String> DEFAULT_PERMIT_ALL

    • DEFAULT_PERMIT_METHODS

      private static final List<String> DEFAULT_PERMIT_METHODS

    • ALL_PATTERN

      private static final CorsConfiguration.OriginPattern ALL_PATTERN
      从以下版本开始:
      3.0

    • ALL_PATTERN_LIST

      private static final List<CorsConfiguration.OriginPattern> ALL_PATTERN_LIST
      从以下版本开始:
      3.0

    • ALL_LIST

      private static final List<String> ALL_LIST
      从以下版本开始:
      3.0

    • maxAge

      @Nullable private Long maxAge

    • allowCredentials

      @Nullable private Boolean allowCredentials

    • allowedOrigins

      @Nullable private List<String> allowedOrigins

    • allowedMethods

      @Nullable private List<String> allowedMethods

    • allowedHeaders

      @Nullable private List<String> allowedHeaders

    • exposedHeaders

      @Nullable private List<String> exposedHeaders

    • resolvedMethods

      @Nullable private List<HttpMethod> resolvedMethods

    • allowedOriginPatterns

      @Nullable private List<CorsConfiguration.OriginPattern> allowedOriginPatterns
      从以下版本开始:
      3.0

  • 构造器详细资料

    • CorsConfiguration

      public CorsConfiguration()
      Construct a new CorsConfiguration instance with no cross-origin requests allowed for any origin by default.
      另请参阅:

    • CorsConfiguration

      public CorsConfiguration(CorsConfiguration other)
      Construct a new CorsConfiguration instance by copying all values from the supplied CorsConfiguration.

  • 方法详细资料

    • setAllowedOrigins

      public void setAllowedOrigins(@Nullable List<String> origins)
      A list of origins for which cross-origin requests are allowed where each value may be one of the following:
      • a specific domain, e.g. "https://domain1.com"
      • comma-delimited list of specific domains, e.g. "https://a1.com,https://a2.com"; this is convenient when a value is resolved through a property placeholder, e.g. "${origin}"; note that such placeholders must be resolved externally.
      • the CORS defined special value "*" for all origins

      For matched pre-flight and actual requests the Access-Control-Allow-Origin response header is set either to the matched domain value or to "*". Keep in mind however that the CORS spec does not allow "*" when allowCredentials is set to true and as of 5.3 that combination is rejected in favor of using allowedOriginPatterns instead.

      By default this is not set which means that no origins are allowed. However, an instance of this class is often initialized further, e.g. for @CrossOrigin, via applyPermitDefaultValues().

    • trimTrailingSlash

      private String trimTrailingSlash(String origin)

    • getAllowedOrigins

      @Nullable public List<String> getAllowedOrigins()
      Return the configured origins to allow, or null if none.
      另请参阅:

    • addAllowedOrigin

      public void addAllowedOrigin(@Nullable String origin)
      Variant of setAllowedOrigins(java.util.List<java.lang.String>) for adding one origin at a time.

    • setAllowedOriginPatterns

      public CorsConfiguration setAllowedOriginPatterns(@Nullable List<String> allowedOriginPatterns)
      Alternative to setAllowedOrigins(java.util.List<java.lang.String>) that supports more flexible origins patterns with "*" anywhere in the host name in addition to port lists. Examples:
      • https://*.domain1.com -- domains ending with domain1.com
      • https://*.domain1.com:[8080,8081] -- domains ending with domain1.com on port 8080 or port 8081
      • https://*.domain1.com:[*] -- domains ending with domain1.com on any port, including the default port
      • comma-delimited list of patters, e.g. "https://*.a1.com,https://*.a2.com"; this is convenient when a value is resolved through a property placeholder, e.g. "${origin}"; note that such placeholders must be resolved externally.

      In contrast to allowedOrigins which only supports "*" and cannot be used with allowCredentials, when an allowedOriginPattern is matched, the Access-Control-Allow-Origin response header is set to the matched origin and not to "*" nor to the pattern. Therefore, allowedOriginPatterns can be used in combination with setAllowCredentials(java.lang.Boolean) set to true.

      By default this is not set.

      从以下版本开始:
      3.0

    • getAllowedOriginPatterns

      @Nullable public List<String> getAllowedOriginPatterns()
      Return the configured origins patterns to allow, or null if none.
      从以下版本开始:
      3.0

    • addAllowedOriginPattern

      public void addAllowedOriginPattern(@Nullable String originPattern)
      Variant of setAllowedOriginPatterns(java.util.List<java.lang.String>) for adding one origin at a time.
      从以下版本开始:
      3.0

    • parseCommaDelimitedOrigin

      private static void parseCommaDelimitedOrigin(String rawValue, Consumer<String> valueConsumer)

    • setAllowedMethods

      public void setAllowedMethods(@Nullable List<String> allowedMethods)
      Set the HTTP methods to allow, e.g. "GET", "POST", "PUT", etc. The special value "*" allows all methods.

      Access-Control-Allow-Methods response header is set either to the configured method or to "*". Keep in mind however that the CORS spec does not allow "*" when allowCredentials is set to true, that combination is handled by copying the method specified in the CORS preflight request.

      If not set, only "GET" and "HEAD" are allowed.

      By default this is not set.

      Note: CORS checks use values from "Forwarded" (RFC 7239), "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers, if present, in order to reflect the client-originated address. Consider using the ForwardedHeaderFilter in order to choose from a central place whether to extract and use, or to discard such headers.

    • getAllowedMethods

      @Nullable public List<String> getAllowedMethods()
      Return the allowed HTTP methods, or null in which case only "GET" and "HEAD" allowed.
      另请参阅:

    • addAllowedMethod

      public void addAllowedMethod(HttpMethod method)
      Variant of setAllowedMethods(java.util.List<java.lang.String>) for adding one allowed method at a time.

    • addAllowedMethod

      public void addAllowedMethod(String method)
      Variant of setAllowedMethods(java.util.List<java.lang.String>) for adding one allowed method at a time.

    • setAllowedHeaders

      public void setAllowedHeaders(@Nullable List<String> allowedHeaders)
      Set the list of headers that a pre-flight request can list as allowed for use during an actual request. The special value "*" allows actual requests to send any header.

      Access-Control-Allow-Headers response header is set either to the configured list of headers or to "*". Keep in mind however that the CORS spec does not allow "*" when allowCredentials is set to true, that combination is handled by copying the headers specified in the CORS preflight request.

      A header name is not required to be listed if it is one of: Cache-Control, Content-Language, Expires, Last-Modified, or Pragma.

      By default this is not set.

    • getAllowedHeaders

      @Nullable public List<String> getAllowedHeaders()
      Return the allowed actual request headers, or null if none.
      另请参阅:

    • addAllowedHeader

      public void addAllowedHeader(String allowedHeader)
      Variant of setAllowedHeaders(List) for adding one allowed header at a time.

    • setExposedHeaders

      public void setExposedHeaders(@Nullable List<String> exposedHeaders)
      Set the list of response headers that an actual response might have and can be exposed to the client. The special value "*" allows all headers to be exposed.

      Access-Control-Expose-Headers response header is set either to the configured list of headers or to "*". While the CORS spec does not allow "*" when Access-Control-Allow-Credentials is set to true, most browsers support it and the response headers are not all available during the CORS processing, so as a consequence "*" is the header value used when specified regardless of the value of the `allowCredentials` property.

      A header name is not required to be listed if it is one of: Cache-Control, Content-Language, Expires, Last-Modified, or Pragma.

      By default this is not set.

    • getExposedHeaders

      @Nullable public List<String> getExposedHeaders()
      Return the configured response headers to expose, or null if none.
      另请参阅:

    • addExposedHeader

      public void addExposedHeader(String exposedHeader)
      Variant of setExposedHeaders(java.util.List<java.lang.String>) for adding one exposed header at a time.

    • setAllowCredentials

      public void setAllowCredentials(@Nullable Boolean allowCredentials)
      Whether user credentials are supported.

      Setting this property has an impact on how origins, originPatterns, allowedMethods and allowedHeaders are processed, see related API documentation for more details.

      NOTE: Be aware that this option establishes a high level of trust with the configured domains and also increases the surface attack of the web application by exposing sensitive user-specific information such as cookies and CSRF tokens.

      By default this is not set (i.e. user credentials are not supported).

    • getAllowCredentials

      @Nullable public Boolean getAllowCredentials()
      Return the configured allowCredentials flag, or null if none.
      另请参阅:

    • setMaxAge

      public void setMaxAge(Duration maxAge)
      Configure how long, as a duration, the response from a pre-flight request can be cached by clients.
      另请参阅:

    • setMaxAge

      public void setMaxAge(@Nullable Long maxAge)
      Configure how long, in seconds, the response from a pre-flight request can be cached by clients.

      By default this is not set.

    • getMaxAge

      @Nullable public Long getMaxAge()
      Return the configured maxAge value, or null if none.
      另请参阅:

    • applyPermitDefaultValues

      public CorsConfiguration applyPermitDefaultValues()
      By default a newly created CorsConfiguration does not permit any cross-origin requests and must be configured explicitly to indicate what should be allowed.

      Use this method to flip the initialization model to start with open defaults that permit all cross-origin requests for GET, HEAD, and POST requests. Note however that this method will not override any existing values already set.

      The following defaults are applied if not already set:

      • Allow all origins.
      • Allow "simple" methods GET, HEAD and POST.
      • Allow all headers.
      • Set max age to 1800 seconds (30 minutes).

    • combine

      public CorsConfiguration combine(@Nullable CorsConfiguration other)
      Combine the non-null properties of the supplied CorsConfiguration with this one.

      When combining single values like allowCredentials or maxAge, this properties are overridden by non-null other properties if any.

      Combining lists like allowedOrigins, allowedMethods, allowedHeaders or exposedHeaders is done in an additive way. For example, combining ["GET", "POST"] with ["PATCH"] results in ["GET", "POST", "PATCH"], but keep in mind that combining ["GET", "POST"] with ["*"] results in ["*"].

      Notice that default permit values set by applyPermitDefaultValues() are overridden by any value explicitly defined.

      返回:
      the combined CorsConfiguration, or this configuration if the supplied configuration is null

    • combine

      private List<String> combine(@Nullable List<String> source, @Nullable List<String> other)

    • combinePatterns

      private List<CorsConfiguration.OriginPattern> combinePatterns(@Nullable List<CorsConfiguration.OriginPattern> source, @Nullable List<CorsConfiguration.OriginPattern> other)

    • checkOrigin

      @Nullable public String checkOrigin(@Nullable String requestOrigin)
      Check the origin of the request against the configured allowed origins.
      参数:
      requestOrigin - the origin to check
      返回:
      the origin to use for the response, or null which means the request origin is not allowed

    • validateAllowCredentials

      public void validateAllowCredentials()
      Validate that when allowCredentials is true, allowedOrigins does not contain the special value "*" since in that case the "Access-Control-Allow-Origin" cannot be set to "*".
      抛出:
      IllegalArgumentException - if the validation fails
      从以下版本开始:
      3.0

    • checkHeaders

      @Nullable public List<String> checkHeaders(@Nullable List<String> requestHeaders)
      Check the supplied request headers (or the headers listed in the Access-Control-Request-Headers of a pre-flight request) against the configured allowed headers.
      参数:
      requestHeaders - the request headers to check
      返回:
      the list of allowed headers to list in the response of a pre-flight request, or null if none of the supplied request headers is allowed

    • checkHttpMethod

      @Nullable public List<HttpMethod> checkHttpMethod(@Nullable HttpMethod method)
      Check the HTTP request method (or the method from the Access-Control-Request-Method header on a pre-flight request) against the configured allowed methods.
      参数:
      method - the HTTP request method to check
      返回:
      the list of HTTP methods to list in the response of a pre-flight request, or null if the supplied requestMethod is not allowed