Record Class CorsConfig

java.lang.Object

java.lang.Record

cloud.opencode.base.web.cors.CorsConfig

public record CorsConfig(Set<String> allowedOrigins, Set<String> allowedMethods, Set<String> allowedHeaders, Set<String> exposedHeaders, boolean allowCredentials, long maxAge)
extends Record

CORS Configuration - Cross-Origin Resource Sharing configuration builder and applier CORS 配置 - 跨域资源共享配置构建器和应用器

An immutable record representing a complete CORS policy. Use the CorsConfig.Builder to construct instances with a fluent API. Provides preset configurations for common scenarios and methods to generate CORS response headers.

一个不可变记录，表示完整的 CORS 策略。使用 CorsConfig.Builder 通过流式 API 构建实例。 提供常见场景的预设配置和生成 CORS 响应头部的方法。

Features | 主要功能:

• Builder pattern with fluent API - 流式 API 构建器模式
• Origin/method/header allowlist checking - 来源/方法/头部白名单检查
• Automatic CORS response header generation - 自动 CORS 响应头部生成
• Preset configurations (allowAll, restrictive) - 预设配置
• Security: credentials + wildcard origin prevention - 安全：凭证+通配符来源防护

Usage Examples | 使用示例:

// Allow all origins
CorsConfig cors = CorsConfig.allowAll();

// Restrictive: only specific origins
CorsConfig cors = CorsConfig.restrictive("https://example.com");

// Custom configuration
CorsConfig cors = CorsConfig.builder()
    .allowOrigin("https://example.com", "https://api.example.com")
    .allowMethod("GET", "POST")
    .allowHeader("Authorization", "Content-Type")
    .allowCredentials(true)
    .maxAge(3600)
    .build();

// Generate response headers
Map<String, String> headers = cors.toHeaders("https://example.com");

// Apply to HttpHeaders
HttpHeaders httpHeaders = HttpHeaders.of();
cors.applyTo(httpHeaders, "https://example.com");

Security | 安全性:

• Thread-safe: Yes (immutable record) - 是（不可变记录）
• Null-safe: Builder rejects null arguments - 构建器拒绝 null 参数
• Credentials + wildcard origin is rejected at build time - 凭证+通配符来源在构建时被拒绝

Since:

JDK 25, opencode-base-web V1.0.3

Author:

Leon Soo www.LeonSoo.com

See Also:

• OpenCode.cloud

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static final class	CorsConfig.Builder	Builder for CorsConfig - fluent API for constructing CORS configurations.

Constructor Summary

Constructors

Constructor	Description
CorsConfig(Set<String> allowedOrigins, Set<String> allowedMethods, Set<String> allowedHeaders, Set<String> exposedHeaders, boolean allowCredentials, long maxAge)	Compact constructor that creates defensive copies of all sets.

Method Summary

Modifier and Type	Method	Description
static CorsConfig	allowAll()	Creates a permissive CORS configuration that allows all origins, methods, and headers.
boolean	allowCredentials()	Returns the value of the allowCredentials record component.
Set<String>	allowedHeaders()	Returns the value of the allowedHeaders record component.
Set<String>	allowedMethods()	Returns the value of the allowedMethods record component.
Set<String>	allowedOrigins()	Returns the value of the allowedOrigins record component.
boolean	allowsAll()	Checks if this configuration allows all origins (wildcard).
void	applyTo(HttpHeaders headers, String requestOrigin)	Applies CORS response headers to the given HttpHeaders for the specified request origin.
static CorsConfig.Builder	builder()	Creates a new builder.
final boolean	equals(Object o)	Indicates whether some other object is "equal to" this one.
Set<String>	exposedHeaders()	Returns the value of the exposedHeaders record component.
final int	hashCode()	Returns a hash code value for this object.
boolean	isHeaderAllowed(String header)	Checks if the given header is allowed by this CORS configuration.
boolean	isMethodAllowed(String method)	Checks if the given HTTP method is allowed by this CORS configuration.
boolean	isOriginAllowed(String origin)	Checks if the given origin is allowed by this CORS configuration.
long	maxAge()	Returns the value of the maxAge record component.
static CorsConfig	restrictive(String... origins)	Creates a restrictive CORS configuration that only allows specified origins.
Map<String,String>	toHeaders(String requestOrigin)	Generates CORS response headers for the given request origin.
final String	toString()	Returns a string representation of this record class.

Methods inherited from class Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Constructor Details

CorsConfig

public CorsConfig(Set<String> allowedOrigins,
 Set<String> allowedMethods,
 Set<String> allowedHeaders,
 Set<String> exposedHeaders,
 boolean allowCredentials,
 long maxAge)

Compact constructor that creates defensive copies of all sets. Methods and headers use case-insensitive TreeSet for O(log n) lookup. Origins are normalized to lowercase for consistent matching. 紧凑构造函数，创建所有集合的防御性副本。 方法和头部使用大小写不敏感的 TreeSet 以实现 O(log n) 查找。 来源统一转为小写以保证匹配一致性。

Method Details

builder

public static CorsConfig.Builder builder()

Creates a new builder. 创建新的构建器。

Returns:

a new Builder - 新的构建器

allowAll

public static CorsConfig allowAll()

Creates a permissive CORS configuration that allows all origins, methods, and headers. 创建允许所有来源、方法和头部的宽松 CORS 配置。

Note: allowCredentials is false because wildcard origin and credentials cannot be used together per the CORS specification.

注意：allowCredentials 为 false，因为根据 CORS 规范通配符来源和凭证不能同时使用。

Returns:

a permissive CorsConfig - 宽松的 CorsConfig

restrictive

public static CorsConfig restrictive(String... origins)

Creates a restrictive CORS configuration that only allows specified origins. 创建仅允许指定来源的限制性 CORS 配置。

Allows common HTTP methods and standard headers with credentials enabled.

允许常见 HTTP 方法和标准头部，并启用凭证。

Parameters:

origins - the allowed origins - 允许的来源

Returns:

a restrictive CorsConfig - 限制性的 CorsConfig

Throws:

IllegalArgumentException - if origins is null or empty - 如果 origins 为 null 或空

isOriginAllowed

public boolean isOriginAllowed(String origin)

Checks if the given origin is allowed by this CORS configuration. 检查给定的来源是否被此 CORS 配置允许。

Parameters:

origin - the origin to check - 要检查的来源

Returns:

true if allowed - 如果允许返回 true

isMethodAllowed

public boolean isMethodAllowed(String method)

Checks if the given HTTP method is allowed by this CORS configuration. 检查给定的 HTTP 方法是否被此 CORS 配置允许。

Parameters:

method - the method to check - 要检查的方法

Returns:

true if allowed - 如果允许返回 true

isHeaderAllowed

public boolean isHeaderAllowed(String header)

Checks if the given header is allowed by this CORS configuration. 检查给定的头部是否被此 CORS 配置允许。

Parameters:

header - the header to check - 要检查的头部

Returns:

true if allowed - 如果允许返回 true

allowsAll

public boolean allowsAll()

Checks if this configuration allows all origins (wildcard). 检查此配置是否允许所有来源（通配符）。

Returns:

true if wildcard origin is allowed - 如果允许通配符来源返回 true

toHeaders

public Map<String,String> toHeaders(String requestOrigin)

Generates CORS response headers for the given request origin. 为给定的请求来源生成 CORS 响应头部。

Returns an empty map if the origin is not allowed.

如果来源不被允许则返回空 Map。

Parameters:

requestOrigin - the request origin - 请求来源

Returns:

CORS response headers map - CORS 响应头部 Map

applyTo

public void applyTo(HttpHeaders headers,
 String requestOrigin)

Applies CORS response headers to the given HttpHeaders for the specified request origin. 将 CORS 响应头部应用到给定的 HttpHeaders 上。

Parameters:

headers - the headers to apply to - 要应用的头部

requestOrigin - the request origin - 请求来源

toString

public final String toString()

Returns a string representation of this record class. The representation contains the name of the class, followed by the name and value of each of the record components.

Specified by:

toString in class Record

Returns:

a string representation of this object

hashCode

public final int hashCode()

Returns a hash code value for this object. The value is derived from the hash code of each of the record components.

Specified by:

hashCode in class Record

Returns:

a hash code value for this object

equals

public final boolean equals(Object o)

Indicates whether some other object is "equal to" this one. The objects are equal if the other object is of the same class and if all the record components are equal. Reference components are compared with Objects::equals(Object,Object); primitive components are compared with the compare method from their corresponding wrapper classes.

Specified by:

equals in class Record

Parameters:

o - the object with which to compare

Returns:

true if this object is the same as the o argument; false otherwise.

allowedOrigins

public Set<String> allowedOrigins()

Returns the value of the allowedOrigins record component.

Returns:

the value of the allowedOrigins record component

allowedMethods

public Set<String> allowedMethods()

Returns the value of the allowedMethods record component.

Returns:

the value of the allowedMethods record component

allowedHeaders

public Set<String> allowedHeaders()

Returns the value of the allowedHeaders record component.

Returns:

the value of the allowedHeaders record component

exposedHeaders

public Set<String> exposedHeaders()

Returns the value of the exposedHeaders record component.

Returns:

the value of the exposedHeaders record component

allowCredentials

public boolean allowCredentials()

Returns the value of the allowCredentials record component.

Returns:

the value of the allowCredentials record component

maxAge

public long maxAge()

Returns the value of the maxAge record component.

Returns:

the value of the maxAge record component