From 9dd29f76ae52477bd8fd6eb5c31412ab477e8027 Mon Sep 17 00:00:00 2001 From: sdeleuze Date: Wed, 15 Nov 2017 16:16:13 +0100 Subject: [PATCH] Polish CORS documentation --- .../handler/AbstractHandlerMapping.java | 3 +- src/docs/asciidoc/web/webmvc-cors.adoc | 34 +++++++++++++------ 2 files changed, 25 insertions(+), 12 deletions(-) diff --git a/spring-webflux/src/main/java/org/springframework/web/reactive/handler/AbstractHandlerMapping.java b/spring-webflux/src/main/java/org/springframework/web/reactive/handler/AbstractHandlerMapping.java index 3aa515d626..b2aff9aa5f 100644 --- a/spring-webflux/src/main/java/org/springframework/web/reactive/handler/AbstractHandlerMapping.java +++ b/spring-webflux/src/main/java/org/springframework/web/reactive/handler/AbstractHandlerMapping.java @@ -151,8 +151,7 @@ public abstract class AbstractHandlerMapping extends ApplicationObjectSupport im *

On CORS pre-flight requests this method should return a match not for * the pre-flight request but for the expected actual request based on the URL * path, the HTTP methods from the "Access-Control-Request-Method" header, and - * the headers from the "Access-Control-Request-Headers" header thus allowing - * the CORS configuration to be obtained via {@link #getCorsConfigurations}, + * the headers from the "Access-Control-Request-Headers" header. * @param exchange current exchange * @return {@code Mono} for the matching handler, if any */ diff --git a/src/docs/asciidoc/web/webmvc-cors.adoc b/src/docs/asciidoc/web/webmvc-cors.adoc index 1b25ef4ead..dc77b0d226 100644 --- a/src/docs/asciidoc/web/webmvc-cors.adoc +++ b/src/docs/asciidoc/web/webmvc-cors.adoc @@ -38,7 +38,7 @@ Since CORS requests are automatically dispatched, you *do not need* to change th [[mvc-cors-controller]] -== @Controller CORS +== @CrossOrigin You can add an {api-spring-framework}/web/bind/annotation/CrossOrigin.html[`@CrossOrigin`] @@ -54,12 +54,12 @@ it. By default `@CrossOrigin` allows all origins and the HTTP methods specified public class AccountController { @CrossOrigin - @RequestMapping("/{id}") + @GetMapping("/{id}") public Account retrieve(@PathVariable Long id) { // ... } - @RequestMapping(method = RequestMethod.DELETE, path = "/{id}") + @DeleteMapping("/{id}") public void remove(@PathVariable Long id) { // ... } @@ -76,12 +76,12 @@ It is also possible to enable CORS for the whole controller: @RequestMapping("/account") public class AccountController { - @RequestMapping("/{id}") + @GetMapping("/{id}") public Account retrieve(@PathVariable Long id) { // ... } - @RequestMapping(method = RequestMethod.DELETE, path = "/{id}") + @DeleteMapping("/{id}") public void remove(@PathVariable Long id) { // ... } @@ -216,7 +216,7 @@ It is also possible to declare several CORS mappings with customized properties: allows you to specify how the CORS requests should be processed: allowed origins, headers, methods, etc. It can be provided in various ways: - * {api-spring-framework}/web/servlet/handler/AbstractHandlerMapping.html#setCorsConfiguration-java.util.Map-[`AbstractHandlerMapping#setCorsConfiguration()`] + * {api-spring-framework}/web/servlet/handler/AbstractHandlerMapping.html#setCorsConfigurations-java.util.Map-[`AbstractHandlerMapping#setCorsConfigurations()`] allows to specify a `Map` with several {api-spring-framework}/web/cors/CorsConfiguration.html[CorsConfiguration] instances mapped to path patterns like `/api/**`. * Subclasses can provide their own `CorsConfiguration` by overriding the @@ -232,10 +232,17 @@ It can be provided in various ways: [[mvc-cors-filter]] == CORS Filter -You can apply CORS checks through the built-in -http://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/filter/CorsFilter.html[`CorsFilter`] -which can be used with http://projects.spring.io/spring-security/[Spring Security] and -ordered ahead of its chain of filters. To configure the filter pass a +You can apply CORS support through the built-in +{api-spring-framework}/web/filter/CorsFilter.html[`CorsFilter`]. + +[NOTE] +==== +Spring Security now provides +https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#cors[builtin support for CORS] +so you don't need to use a `CorsFilter`. +==== + +To configure the filter pass a `CorsConfigurationSource` to its constructor: [source,java,indent=0] @@ -252,6 +259,13 @@ source.registerCorsConfiguration("/**", config); CorsFilter filter = new CorsFilter(source); ---- +You can also easily permit all cross-origin requests for GET, HEAD, and POST requests by writing +[source,java,indent=0] + +---- +CorsFilter filter = new CorsFilter(exchange -> new CorsConfiguration().applyPermitDefaultValues()); +---- + Also the information on https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#cors[CORS] in the Spring Security reference.