io.netty.handler.codec.http.cors

Class CorsConfig

java.lang.Object

io.netty.handler.codec.http.cors.CorsConfig

public final class CorsConfig
extends Object

Configuration for Cross-Origin Resource Sharing (CORS).

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	CorsConfig.Builder Deprecated. Use CorsConfigBuilder instead.
static class	CorsConfig.DateValueGenerator Deprecated. Removed without alternatives.

Method Summary

Modifier and Type	Method and Description
Set<String>	allowedRequestHeaders() Returns the allowed set of Request Headers.
Set<HttpMethod>	allowedRequestMethods() Returns the allowed set of Request Methods.
Set<String>	exposedHeaders() Returns a set of headers to be exposed to calling clients.
boolean	isAnyOriginSupported() Determines whether a wildcard origin, '*', is supported.
boolean	isCorsSupportEnabled() Determines if support for CORS is enabled.
boolean	isCredentialsAllowed() Determines if cookies are supported for CORS requests.
boolean	isNullOriginAllowed() Web browsers may set the 'Origin' request header to 'null' if a resource is loaded from the local file system.
boolean	isPrivateNetworkAllowed() Web browsers may set the 'Access-Control-Request-Private-Network' request header if a resource is loaded from a local network.
boolean	isShortCircuit() Determines whether a CORS request should be rejected if it's invalid before being further processing.
boolean	isShortCurcuit() Deprecated. Use isShortCircuit() instead.
long	maxAge() Gets the maxAge setting.
String	origin() Returns the allowed origin.
Set<String>	origins() Returns the set of allowed origins.
HttpHeaders	preflightResponseHeaders() Returns HTTP response headers that should be added to a CORS preflight response.
String	toString()
static CorsConfig.Builder	withAnyOrigin() Deprecated. Use CorsConfigBuilder.forAnyOrigin() instead.
static CorsConfig.Builder	withOrigin(String origin) Deprecated. Use CorsConfigBuilder.forOrigin(String) instead.
static CorsConfig.Builder	withOrigins(String... origins) Deprecated. Use CorsConfigBuilder.forOrigins(String...) instead.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Method Detail

isCorsSupportEnabled

public boolean isCorsSupportEnabled()

Determines if support for CORS is enabled.

Returns:

true if support for CORS is enabled, false otherwise.

isAnyOriginSupported

public boolean isAnyOriginSupported()

Determines whether a wildcard origin, '*', is supported.

Returns:

boolean true if any origin is allowed.

origin

public String origin()

Returns the allowed origin. This can either be a wildcard or an origin value.

Returns:

the value that will be used for the CORS response header 'Access-Control-Allow-Origin'

origins

public Set<String> origins()

Returns the set of allowed origins.

Returns:

Set the allowed origins.

isNullOriginAllowed

public boolean isNullOriginAllowed()

Web browsers may set the 'Origin' request header to 'null' if a resource is loaded from the local file system. If isNullOriginAllowed is true then the server will response with the wildcard for the CORS response header 'Access-Control-Allow-Origin'.

Returns:

true if a 'null' origin should be supported.

isPrivateNetworkAllowed

public boolean isPrivateNetworkAllowed()

Web browsers may set the 'Access-Control-Request-Private-Network' request header if a resource is loaded from a local network. By default direct access to private network endpoints from public websites is not allowed. If isPrivateNetworkAllowed is true the server will response with the CORS response header 'Access-Control-Request-Private-Network'.

Returns:

true if private network access should be allowed.

exposedHeaders

public Set<String> exposedHeaders()

Returns a set of headers to be exposed to calling clients. During a simple CORS request only certain response headers are made available by the browser, for example using:

 xhr.getResponseHeader("Content-Type");
 

The headers that are available by default are:

• Cache-Control
• Content-Language
• Content-Type
• Expires
• Last-Modified
• Pragma

To expose other headers they need to be specified, which is what this method enables by adding the headers names to the CORS 'Access-Control-Expose-Headers' response header.

Returns:

List<String> a list of the headers to expose.

isCredentialsAllowed

public boolean isCredentialsAllowed()

Determines if cookies are supported for CORS requests. By default cookies are not included in CORS requests but if isCredentialsAllowed returns true cookies will be added to CORS requests. Setting this value to true will set the CORS 'Access-Control-Allow-Credentials' response header to true. Please note that cookie support needs to be enabled on the client side as well. The client needs to opt-in to send cookies by calling:

 xhr.withCredentials = true;
 

The default value for 'withCredentials' is false in which case no cookies are sent. Setting this to true will included cookies in cross origin requests.

Returns:

true if cookies are supported.

maxAge

public long maxAge()

Gets the maxAge setting. When making a preflight request the client has to perform two request with can be inefficient. This setting will set the CORS 'Access-Control-Max-Age' response header and enables the caching of the preflight response for the specified time. During this time no preflight request will be made.

Returns:

long the time in seconds that a preflight request may be cached.

allowedRequestMethods

public Set<HttpMethod> allowedRequestMethods()

Returns the allowed set of Request Methods. The Http methods that should be returned in the CORS 'Access-Control-Request-Method' response header.

Returns:

Set of HttpMethods that represent the allowed Request Methods.

allowedRequestHeaders

public Set<String> allowedRequestHeaders()

Returns the allowed set of Request Headers. The header names returned from this method will be used to set the CORS 'Access-Control-Allow-Headers' response header.

Returns:

Set<String> of strings that represent the allowed Request Headers.

preflightResponseHeaders

public HttpHeaders preflightResponseHeaders()

Returns HTTP response headers that should be added to a CORS preflight response.

Returns:

HttpHeaders the HTTP response headers to be added.

isShortCircuit

public boolean isShortCircuit()

Determines whether a CORS request should be rejected if it's invalid before being further processing. CORS headers are set after a request is processed. This may not always be desired and this setting will check that the Origin is valid and if it is not valid no further processing will take place, and an error will be returned to the calling client.

Returns:

true if a CORS request should short-circuit upon receiving an invalid Origin header.

isShortCurcuit

@Deprecated
public boolean isShortCurcuit()

Deprecated. Use isShortCircuit() instead.

toString

public String toString()

Overrides:

toString in class Object

withAnyOrigin

@Deprecated
public static CorsConfig.Builder withAnyOrigin()

Deprecated. Use CorsConfigBuilder.forAnyOrigin() instead.

withOrigin

@Deprecated
public static CorsConfig.Builder withOrigin(String origin)

Deprecated. Use CorsConfigBuilder.forOrigin(String) instead.

withOrigins

@Deprecated
public static CorsConfig.Builder withOrigins(String... origins)

Deprecated. Use CorsConfigBuilder.forOrigins(String...) instead.