Improve docs on forwarded headers
Issue: SPR-16660
This commit is contained in:
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2016 the original author or authors.
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -88,6 +88,13 @@ public @interface CrossOrigin {
|
||||
* header of both the pre-flight response and the actual response.
|
||||
* {@code "*"} means that all origins are allowed.
|
||||
* <p>If undefined, all origins are allowed.
|
||||
* <p><strong>Note:</strong> CORS checks use values from "Forwarded"
|
||||
* (<a href="http://tools.ietf.org/html/rfc7239">RFC 7239</a>),
|
||||
* "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers,
|
||||
* if present, in order to reflect the client-originated address.
|
||||
* Consider using the {@code ForwardedHeaderFilter} in order to choose from a
|
||||
* central place whether to extract and use, or to discard such headers.
|
||||
* See the Spring Framework reference for more on this filter.
|
||||
* @see #value
|
||||
*/
|
||||
@AliasFor("value")
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2017 the original author or authors.
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -106,6 +106,13 @@ public class CorsConfiguration {
|
||||
* Set the origins to allow, e.g. {@code "http://domain1.com"}.
|
||||
* <p>The special value {@code "*"} allows all domains.
|
||||
* <p>By default this is not set.
|
||||
* <p><strong>Note:</strong> CORS checks use values from "Forwarded"
|
||||
* (<a href="http://tools.ietf.org/html/rfc7239">RFC 7239</a>),
|
||||
* "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers,
|
||||
* if present, in order to reflect the client-originated address.
|
||||
* Consider using the {@code ForwardedHeaderFilter} in order to choose from a
|
||||
* central place whether to extract and use, or to discard such headers.
|
||||
* See the Spring Framework reference for more on this filter.
|
||||
*/
|
||||
public void setAllowedOrigins(List<String> allowedOrigins) {
|
||||
this.allowedOrigins = (allowedOrigins != null ? new ArrayList<String>(allowedOrigins) : null);
|
||||
|
||||
@@ -278,6 +278,11 @@ public class UriComponentsBuilder implements Cloneable {
|
||||
* "Forwarded" (<a href="http://tools.ietf.org/html/rfc7239">RFC 7239</a>),
|
||||
* or "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" if
|
||||
* "Forwarded" is not found.
|
||||
* <p><strong>Note:</strong> this method uses values from forwarded headers,
|
||||
* if present, in order to reflect the client-originated protocol and address.
|
||||
* Consider using the {@code ForwardedHeaderFilter} in order to choose from a
|
||||
* central place whether to extract and use, or to discard such headers.
|
||||
* See the Spring Framework reference for more on this filter.
|
||||
* @param request the source request
|
||||
* @return the URI components of the URI
|
||||
* @since 4.1.5
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2017 the original author or authors.
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -790,6 +790,13 @@ public abstract class WebUtils {
|
||||
* Check the given request origin against a list of allowed origins.
|
||||
* A list containing "*" means that all origins are allowed.
|
||||
* An empty list means only same origin is allowed.
|
||||
* <p><strong>Note:</strong> this method may use values from "Forwarded"
|
||||
* (<a href="http://tools.ietf.org/html/rfc7239">RFC 7239</a>),
|
||||
* "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers,
|
||||
* if present, in order to reflect the client-originated address.
|
||||
* Consider using the {@code ForwardedHeaderFilter} in order to choose from a
|
||||
* central place whether to extract and use, or to discard such headers.
|
||||
* See the Spring Framework reference for more on this filter.
|
||||
* @return {@code true} if the request origin is valid, {@code false} otherwise
|
||||
* @since 4.1.5
|
||||
* @see <a href="https://tools.ietf.org/html/rfc6454">RFC 6454: The Web Origin Concept</a>
|
||||
@@ -814,6 +821,13 @@ public abstract class WebUtils {
|
||||
* Check if the request is a same-origin one, based on {@code Origin}, {@code Host},
|
||||
* {@code Forwarded}, {@code X-Forwarded-Proto}, {@code X-Forwarded-Host} and
|
||||
* @code X-Forwarded-Port} headers.
|
||||
* <p><strong>Note:</strong> this method uses values from "Forwarded"
|
||||
* (<a href="http://tools.ietf.org/html/rfc7239">RFC 7239</a>),
|
||||
* "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers,
|
||||
* if present, in order to reflect the client-originated address.
|
||||
* Consider using the {@code ForwardedHeaderFilter} in order to choose from a
|
||||
* central place whether to extract and use, or to discard such headers.
|
||||
* See the Spring Framework reference for more on this filter.
|
||||
* @return {@code true} if the request is a same-origin one, {@code false} in case
|
||||
* of cross-origin request
|
||||
* @since 4.2
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2016 the original author or authors.
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -16,7 +16,6 @@
|
||||
|
||||
package org.springframework.web.servlet.config.annotation;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
|
||||
import org.springframework.web.cors.CorsConfiguration;
|
||||
@@ -60,6 +59,13 @@ public class CorsRegistration {
|
||||
* Set the origins to allow, e.g. {@code "http://domain1.com"}.
|
||||
* <p>The special value {@code "*"} allows all domains.
|
||||
* <p>By default, all origins are allowed.
|
||||
* <p><strong>Note:</strong> CORS checks use values from "Forwarded"
|
||||
* (<a href="http://tools.ietf.org/html/rfc7239">RFC 7239</a>),
|
||||
* "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers,
|
||||
* if present, in order to reflect the client-originated address.
|
||||
* Consider using the {@code ForwardedHeaderFilter} in order to choose from a
|
||||
* central place whether to extract and use, or to discard such headers.
|
||||
* See the Spring Framework reference for more on this filter.
|
||||
*/
|
||||
public CorsRegistration allowedOrigins(String... origins) {
|
||||
this.config.setAllowedOrigins(Arrays.asList(origins));
|
||||
|
||||
@@ -82,14 +82,13 @@ import org.springframework.web.util.UriComponentsBuilder;
|
||||
* {@link #relativeTo(org.springframework.web.util.UriComponentsBuilder)}.
|
||||
* </ul>
|
||||
*
|
||||
* <p><strong>Note:</strong> This class extracts and uses values from the headers
|
||||
* "Forwarded" (<a href="http://tools.ietf.org/html/rfc7239">RFC 7239</a>),
|
||||
* or "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" if
|
||||
* "Forwarded" is not found, in order to reflect the client-originated protocol
|
||||
* and address. As an alternative consider using the
|
||||
* {@link org.springframework.web.filter.ForwardedHeaderFilter} to have such
|
||||
* headers extracted once and removed, or removed only (without being used).
|
||||
* See the reference for further information including security considerations.
|
||||
* <p><strong>Note:</strong> This class uses values from "Forwarded"
|
||||
* (<a href="http://tools.ietf.org/html/rfc7239">RFC 7239</a>),
|
||||
* "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers,
|
||||
* if present, in order to reflect the client-originated protocol and address.
|
||||
* Consider using the {@code ForwardedHeaderFilter} in order to choose from a
|
||||
* central place whether to extract and use, or to discard such headers.
|
||||
* See the Spring Framework reference for more on this filter.
|
||||
*
|
||||
* @author Oliver Gierke
|
||||
* @author Rossen Stoyanchev
|
||||
|
||||
@@ -35,14 +35,13 @@ import org.springframework.web.util.UrlPathHelper;
|
||||
* UriComponentsBuilder with additional static factory methods to create links
|
||||
* based on the current HttpServletRequest.
|
||||
*
|
||||
* <p><strong>Note:</strong> This class extracts and uses values from the headers
|
||||
* "Forwarded" (<a href="http://tools.ietf.org/html/rfc7239">RFC 7239</a>),
|
||||
* or "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" if
|
||||
* "Forwarded" is not found, in order to reflect the client-originated protocol
|
||||
* and address. As an alternative consider using the
|
||||
* {@link org.springframework.web.filter.ForwardedHeaderFilter} to have such
|
||||
* headers extracted once and removed, or removed only (without being used).
|
||||
* See the reference for further information including security considerations.
|
||||
* <p><strong>Note:</strong> This class uses values from "Forwarded"
|
||||
* (<a href="http://tools.ietf.org/html/rfc7239">RFC 7239</a>),
|
||||
* "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto" headers,
|
||||
* if present, in order to reflect the client-originated protocol and address.
|
||||
* Consider using the {@code ForwardedHeaderFilter} in order to choose from a
|
||||
* central place whether to extract and use, or to discard such headers.
|
||||
* See the Spring Framework reference for more on this filter.
|
||||
*
|
||||
* @author Rossen Stoyanchev
|
||||
* @since 3.1
|
||||
|
||||
@@ -1323,6 +1323,12 @@
|
||||
<xsd:documentation><![CDATA[
|
||||
Comma-separated list of origins to allow, e.g. "http://domain1.com, http://domain2.com".
|
||||
The special value "*" allows all domains (default).
|
||||
|
||||
Note that CORS checks use values from "Forwarded" (RFC 7239), "X-Forwarded-Host",
|
||||
"X-Forwarded-Port", and "X-Forwarded-Proto" headers, if present, in order to reflect
|
||||
the client-originated address. Consider using the ForwardedHeaderFilter in order to
|
||||
choose from a central place whether to extract and use such headers, or whether to
|
||||
discard them. See the Spring Framework reference for more on this filter.
|
||||
]]></xsd:documentation>
|
||||
</xsd:annotation>
|
||||
</xsd:attribute>
|
||||
|
||||
Reference in New Issue
Block a user