Better encapsulation for CORS default permit configuration

This commit also improves CorsRegistration Javadoc.

Issue: SPR-14798
This commit is contained in:
Sebastien Deleuze
2016-10-18 14:49:12 +02:00
committed by Rossen Stoyanchev
parent 25e7cd577d
commit 50f2cda009
8 changed files with 160 additions and 98 deletions

View File

@@ -23,11 +23,13 @@ import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import org.springframework.core.annotation.AliasFor;
import org.springframework.web.cors.CorsConfiguration;
/**
* Marks the annotated method or type as permitting cross origin requests.
*
* <p>By default, all origins and headers are permitted.
* <p>By default, all origins, headers are permitted, credentials are allowed and the
* maximum age is set to 30 minutes.
*
* <p><b>NOTE:</b> {@code @CrossOrigin} is processed if an appropriate
* {@code HandlerMapping}-{@code HandlerAdapter} pair is configured such as the
@@ -44,12 +46,28 @@ import org.springframework.core.annotation.AliasFor;
@Documented
public @interface CrossOrigin {
/**
* @deprecated as of Spring 5.0, in favor of using {@link CorsConfiguration#applyDefaultPermitConfiguration}
*/
@Deprecated
String[] DEFAULT_ORIGINS = { "*" };
/**
* @deprecated as of Spring 5.0, in favor of using {@link CorsConfiguration#applyDefaultPermitConfiguration}
*/
@Deprecated
String[] DEFAULT_ALLOWED_HEADERS = { "*" };
/**
* @deprecated as of Spring 5.0, in favor of using {@link CorsConfiguration#applyDefaultPermitConfiguration}
*/
@Deprecated
boolean DEFAULT_ALLOW_CREDENTIALS = true;
/**
* @deprecated as of Spring 5.0, in favor of using {@link CorsConfiguration#applyDefaultPermitConfiguration}
*/
@Deprecated
long DEFAULT_MAX_AGE = 1800;

View File

@@ -17,6 +17,7 @@
package org.springframework.web.cors;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
@@ -71,7 +72,9 @@ public class CorsConfiguration {
/**
* Construct a new, empty {@code CorsConfiguration} instance.
* Construct a new {@code CorsConfiguration} instance with nothing allowed by default
* but {@code "GET"} and {@code "HEAD"} methods.
* @see #applyDefaultPermitConfiguration()
*/
public CorsConfiguration() {
}
@@ -90,6 +93,36 @@ public class CorsConfiguration {
this.maxAge = other.maxAge;
}
/**
* Apply the following default permit configuration only for properties that has not
* been defined:
* <ul>
* <li>All origins are allowed</li>
* <li>Simple methods ({@code GET}, {@code HEAD} and {@code POST}) are allowed</li>
* <li>All headers are allowed</li>
* <li>Credentials are allowed</li>
* <li>Max age is set to 1800 seconds (30 minutes)</li>
* </ul>
*/
public CorsConfiguration applyDefaultPermitConfiguration() {
if (this.allowedOrigins == null) {
this.addAllowedOrigin(ALL);
}
if (this.allowedMethods == null) {
this.setAllowedMethods(Arrays.asList(HttpMethod.GET.name(),
HttpMethod.HEAD.name(), HttpMethod.POST.name()));
}
if (this.allowedHeaders == null) {
this.addAllowedHeader(ALL);
}
if (this.allowCredentials == null) {
this.setAllowCredentials(true);
}
if (this.maxAge == null) {
this.setMaxAge(1800L);
}
return this;
}
/**
* Combine the supplied {@code CorsConfiguration} with this one.