Package io.muserver.rest

Class CORSConfigBuilder

  • public class CORSConfigBuilder
extends java.lang.Object

    A builder to set configuration for CORS requests.

    • Constructor Detail

      • CORSConfigBuilder

        public CORSConfigBuilder()

    • Method Detail

      • withAllOriginsAllowed

        public CORSConfigBuilder withAllOriginsAllowed()
        All origins will be allowed
        Returns:
        This builder

      • withAllowCredentials

        public CORSConfigBuilder withAllowCredentials​(boolean allowCredentials)
        If set to true, then access-control-allow-credentials is returned with true on CORS responses.
        Parameters:
        allowCredentials - Whether or not to include the credentials header
        Returns:
        This builder

      • withAllowedOrigins

        public CORSConfigBuilder withAllowedOrigins​(java.util.Collection<java.lang.String> allowedOrigins)
        The origin values that CORS requests are allowed for, or null to allow all origins.
        Parameters:
        allowedOrigins - Allowed origins, such as https://example.org or http://localhost:8080
        Returns:
        This builder

      • withAllowedOrigins

        public CORSConfigBuilder withAllowedOrigins​(java.lang.String... allowedOrigins)
        The origin values that CORS requests are allowed for.
        Parameters:
        allowedOrigins - Allowed origins, such as https://example.org or http://localhost:8080
        Returns:
        This builder

      • withAllowedOriginRegex

        public CORSConfigBuilder withAllowedOriginRegex​(java.util.regex.Pattern allowedOriginRegex)

        The origin values that CORS requests are allowed for.

        If called multiple times, then just one of the patterns need to match to allow the origin.

        Note: this is a no-op if null is used.

        Parameters:
        allowedOriginRegex - A regex to match, e.g. Pattern.compile("https://.*\\.example\\.org") to allow all subdomains of example.org over HTTPS.
        Returns:
        This builder

      • withAllowedOriginRegex

        public CORSConfigBuilder withAllowedOriginRegex​(java.lang.String allowedOriginRegex)

        The origin values that CORS requests are allowed for.

        If called multiple times, then just one of the patterns need to match to allow the origin.

        Note: this is a no-op if null is used.

        Parameters:
        allowedOriginRegex - A regex to match, e.g. "https://.*\\.example\\.org" to allow all subdomains of example.org over HTTPS.
        Returns:
        This builder
        Throws:
        java.util.regex.PatternSyntaxException - If the expression's syntax is invalid

      • withLocalhostAllowed

        public CORSConfigBuilder withLocalhostAllowed()
        Adds all localhost URLs (whether http or https) as allowed origins.
        Returns:
        This builder

      • withExposedHeaders

        public CORSConfigBuilder withExposedHeaders​(java.lang.String... headerNames)

        Specifies which headers (aside from "simple" headers) are allowed to be accessed by JavaScript in responses.

        The "simple" headers are: Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma (so you do not need to specify these values).

        Parameters:
        headerNames - The names of headers to allow, for example Content-Type
        Returns:
        This builder

      • withExposedHeaders

        public CORSConfigBuilder withExposedHeaders​(java.util.Collection<java.lang.String> headerNames)

        Specifies which headers (aside from "simple" headers) are allowed to be accessed by JavaScript in responses.

        The "simple" headers are: Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma (so you do not need to specify these values).

        Parameters:
        headerNames - The names of headers to allow, for example Content-Type
        Returns:
        This builder

      • withAllowedHeaders

        public CORSConfigBuilder withAllowedHeaders​(java.lang.String... headerNames)

        On preflight OPTIONS requests, specifies which headers are allowed to be sent on the request, aside from the "simple" headers.

        The "simple" headers are Accept, Accept-Language, Content-Language, Content-Type (but only with a MIME type of application/x-www-form-urlencoded, multipart/form-data, or text/plain). You do not need to specify the simple headers.

        Parameters:
        headerNames - The names of headers to allow, for example Content-Length
        Returns:
        This builder

      • withAllowedHeaders

        public CORSConfigBuilder withAllowedHeaders​(java.util.Collection<java.lang.String> headerNames)

        On preflight OPTIONS requests, specifies which headers are allowed to be sent on the request, aside from the "simple" headers.

        The "simple" headers are Accept, Accept-Language, Content-Language, Content-Type (but only with a MIME type of application/x-www-form-urlencoded, multipart/form-data, or text/plain). You do not need to specify the simple headers.

        Parameters:
        headerNames - The names of headers to allow, for example Content-Length
        Returns:
        This builder

      • withMaxAge

        public CORSConfigBuilder withMaxAge​(long seconds)
        On preflight OPTIONS requests, specifies the time the response is valid for
        Parameters:
        seconds - The age in seconds, for example 600 for five minutes.
        Returns:
        This builder.

      • disabled

        public static CORSConfigBuilder disabled()
        Creates CORS configuration that disables all CORS requests.
        Returns:
        A new builder to create CORS config with

      • toHandler

        public CORSHandlerBuilder toHandler​(Method... allowedMethods)
        Creates a CORS handler from this config.

        This can be used when CORS configuration is needed outside of JAX-RS. Add the created handler to a MuServerBuilder before any other handlers that require CORS config.

        Note that if you only need CORS config for JAX-RS then instead of this method you should pass this config to RestHandlerBuilder.withCORS(CORSConfigBuilder)

        Parameters:
        allowedMethods - The allowed methods for CORS calls
        Returns:
        A handler that can be added.

      • build

        public CORSConfig build()
        Builds CORS configuration from a builder
        Returns:
        An immutable configuration object.