diff --git a/spring-web/src/main/java/org/springframework/web/bind/annotation/CrossOrigin.java b/spring-web/src/main/java/org/springframework/web/bind/annotation/CrossOrigin.java index 194f4be524..4b2ad6dbe8 100644 --- a/spring-web/src/main/java/org/springframework/web/bind/annotation/CrossOrigin.java +++ b/spring-web/src/main/java/org/springframework/web/bind/annotation/CrossOrigin.java @@ -39,43 +39,54 @@ import org.springframework.core.annotation.AliasFor; @Documented public @interface CrossOrigin { + String[] DEFAULT_ORIGIN = { "*" }; + + String[] DEFAULT_ALLOWED_HEADERS = { "*" }; + + boolean DEFAULT_ALLOW_CREDENTIALS = true; + + long DEFAULT_MAX_AGE = 1800; + + /** * Alias for {@link #origin}. */ @AliasFor(attribute = "origin") - String[] value() default { "*" }; + String[] value() default {}; /** * List of allowed origins. *
These values are placed in the {@code Access-Control-Allow-Origin} * header of both the pre-flight response and the actual response. - *
Defaults to {@code "*"} which means that all origins are allowed. + * {@code "*"} means that all origins are allowed. + *
If undefined, all origins are allowed. * @see #value */ @AliasFor(attribute = "value") - String[] origin() default { "*" }; + String[] origin() default {}; /** * List of request headers that can be used during the actual request. *
This property controls the value of the pre-flight response's * {@code Access-Control-Allow-Headers} header. - *
Defaults to {@code "*"} which means that all headers requested - * by the client are allowed. + * {@code "*"} means that all headers requested by the client are allowed. + *
If undefined, all requested headers are allowed. */ - String[] allowedHeaders() default { "*" }; + String[] allowedHeaders() default {}; /** * List of response headers that the user-agent will allow the client to access. *
This property controls the value of actual response's * {@code Access-Control-Expose-Headers} header. - *
Defaults to an empty array. + *
If undefined, an empty exposed header list is used. */ String[] exposedHeaders() default {}; /** * List of supported HTTP request methods. *
Methods specified here override those specified via {@code RequestMapping}. - *
Defaults to an empty array. + *
If undefined, methods defined by {@link RequestMapping} annotation + * are used. */ RequestMethod[] method() default {}; @@ -83,22 +94,22 @@ public @interface CrossOrigin { * Whether the browser should include any cookies associated with the * domain of the request being annotated. *
Set to {@code "false"} if such cookies should not included. - *
An empty string ({@code ""}) means undefined. - *
Defaults to {@code "true"} which means that the pre-flight - * response will include the header + * An empty string ({@code ""}) means undefined. + * {@code "true"} means that the pre-flight response will include the header * {@code Access-Control-Allow-Credentials=true}. + *
If undefined, credentials are allowed. */ - String allowCredentials() default "true"; + String allowCredentials() default ""; /** * The maximum age (in seconds) of the cache duration for pre-flight responses. *
This property controls the value of the {@code Access-Control-Max-Age} * header in the pre-flight response. - *
A negative value means undefined. *
Setting this to a reasonable value can reduce the number of pre-flight * request/response interactions required by the browser. - *
Defaults to {@code 1800} seconds (i.e., 30 minutes). + * A negative value means undefined. + *
If undefined, max age is set to {@code 1800} seconds (i.e., 30 minutes).
*/
- long maxAge() default 1800;
+ long maxAge() default -1;
}
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/RequestMappingHandlerMapping.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/RequestMappingHandlerMapping.java
index 2149558a2b..fbfd99df40 100644
--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/RequestMappingHandlerMapping.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/RequestMappingHandlerMapping.java
@@ -18,6 +18,7 @@ package org.springframework.web.servlet.mvc.method.annotation;
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
+import java.util.Arrays;
import java.util.List;
import org.springframework.context.EmbeddedValueResolverAware;
@@ -301,17 +302,22 @@ public class RequestMappingHandlerMapping extends RequestMappingInfoHandlerMappi
updateCorsConfig(config, typeAnnotation);
updateCorsConfig(config, methodAnnotation);
+ if (CollectionUtils.isEmpty(config.getAllowedOrigins())) {
+ config.setAllowedOrigins(Arrays.asList(CrossOrigin.DEFAULT_ORIGIN));
+ }
if (CollectionUtils.isEmpty(config.getAllowedMethods())) {
for (RequestMethod allowedMethod : mappingInfo.getMethodsCondition().getMethods()) {
config.addAllowedMethod(allowedMethod.name());
}
}
if (CollectionUtils.isEmpty(config.getAllowedHeaders())) {
- for (NameValueExpression