Merge pull request #1211 from sdeleuze/SPR-14798

spring-web-reactive/src/main/java/org/springframework/web/reactive/config/CorsRegistration.java

@@ -19,20 +19,16 @@ package org.springframework.web.reactive.config;
 import java.util.ArrayList;
 import java.util.Arrays;
 
-import org.springframework.http.HttpMethod;
-import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.cors.CorsConfiguration;
 
 /**
  * Assists with the creation of a {@link CorsConfiguration} instance mapped to
- * a path pattern.
+ * a path pattern. By default all origins, headers, and credentials for
- *
+ * {@code GET}, {@code HEAD}, and {@code POST} requests are allowed while the
- * <p>If no path pattern is specified, by default cross-origin request handling
+ * max age is set to 30 minutes.
- * is mapped to {@code "/**"}. Also by default, all origins, headers,
- * credentials and {@code GET}, {@code HEAD}, and {@code POST} methods are
- * allowed, while the max age is set to 30 minutes.
  *
  * @author Sebastien Deleuze
+ * @author Rossen Stoyanchev
  * @since 5.0
  * @see CorsRegistry
  */
@@ -43,44 +39,84 @@ public class CorsRegistration {
 	private final CorsConfiguration config;
 
 
+	/**
+	 * Create a new {@link CorsRegistration} that allows all origins, headers, and
+	 * credentials for {@code GET}, {@code HEAD}, and {@code POST} requests with
+	 * max age set to 1800 seconds (30 minutes) for the specified path.
+	 *
+	 * @param pathPattern the path that the CORS configuration should apply to;
+	 * exact path mapping URIs (such as {@code "/admin"}) are supported as well
+	 * as Ant-style path patterns (such as {@code "/admin/**"}).
+	 */
 	public CorsRegistration(String pathPattern) {
 		this.pathPattern = pathPattern;
-		// Same implicit default values as the @CrossOrigin annotation + allows simple methods
+		this.config = new CorsConfiguration().applyPermitDefaultValues();
-		this.config = new CorsConfiguration();
-		this.config.setAllowedOrigins(Arrays.asList(CrossOrigin.DEFAULT_ORIGINS));
-		this.config.setAllowedMethods(Arrays.asList(HttpMethod.GET.name(),
-				HttpMethod.HEAD.name(), HttpMethod.POST.name()));
-		this.config.setAllowedHeaders(Arrays.asList(CrossOrigin.DEFAULT_ALLOWED_HEADERS));
-		this.config.setAllowCredentials(CrossOrigin.DEFAULT_ALLOW_CREDENTIALS);
-		this.config.setMaxAge(CrossOrigin.DEFAULT_MAX_AGE);
 	}
 
 
+	/**
+	 * Set the origins to allow, e.g. {@code "http://domain1.com"}.
+	 * <p>The special value {@code "*"} allows all domains.
+	 * <p>By default all origins are allowed.
+	 */
 	public CorsRegistration allowedOrigins(String... origins) {
 		this.config.setAllowedOrigins(new ArrayList<>(Arrays.asList(origins)));
 		return this;
 	}
 
+	/**
+	 * Set the HTTP methods to allow, e.g. {@code "GET"}, {@code "POST"}, etc.
+	 * <p>The special value {@code "*"} allows all methods.
+	 * <p>By default "simple" methods {@code GET}, {@code HEAD}, and {@code POST}
+	 * are allowed.
+	 */
 	public CorsRegistration allowedMethods(String... methods) {
 		this.config.setAllowedMethods(new ArrayList<>(Arrays.asList(methods)));
 		return this;
 	}
 
+	/**
+	 * Set the list of headers that a pre-flight request can list as allowed
+	 * for use during an actual request.
+	 * <p>The special value {@code "*"} may be used to allow all headers.
+	 * <p>A header name is not required to be listed if it is one of:
+	 * {@code Cache-Control}, {@code Content-Language}, {@code Expires},
+	 * {@code Last-Modified}, or {@code Pragma} as per the CORS spec.
+	 * <p>By default all headers are allowed.
+	 */
 	public CorsRegistration allowedHeaders(String... headers) {
 		this.config.setAllowedHeaders(new ArrayList<>(Arrays.asList(headers)));
 		return this;
 	}
 
+	/**
+	 * Set the list of response headers other than "simple" headers, i.e.
+	 * {@code Cache-Control}, {@code Content-Language}, {@code Content-Type},
+	 * {@code Expires}, {@code Last-Modified}, or {@code Pragma}, that an
+	 * actual response might have and can be exposed.
+	 * <p>Note that {@code "*"} is not supported on this property.
+	 * <p>By default this is not set.
+	 */
 	public CorsRegistration exposedHeaders(String... headers) {
 		this.config.setExposedHeaders(new ArrayList<>(Arrays.asList(headers)));
 		return this;
 	}
 
+	/**
+	 * Configure how long in seconds the response from a pre-flight request
+	 * can be cached by clients.
+	 * <p>By default this is set to 1800 seconds (30 minutes).
+	 */
 	public CorsRegistration maxAge(long maxAge) {
 		this.config.setMaxAge(maxAge);
 		return this;
 	}
 
+	/**
+	 * Whether user credentials are supported.
+	 * <p>By default this is set to {@code true} in which case user credentials
+	 * are supported.
+	 */
 	public CorsRegistration allowCredentials(boolean allowCredentials) {
 		this.config.setAllowCredentials(allowCredentials);
 		return this;

spring-web-reactive/src/main/java/org/springframework/web/reactive/result/method/annotation/RequestMappingHandlerMapping.java

@@ -18,7 +18,6 @@ package org.springframework.web.reactive.result.method.annotation;
 
 import java.lang.reflect.AnnotatedElement;
 import java.lang.reflect.Method;
-import java.util.Arrays;
 import java.util.Set;
 
 import org.springframework.context.EmbeddedValueResolverAware;
@@ -294,25 +293,12 @@ public class RequestMappingHandlerMapping extends RequestMappingInfoHandlerMappi
 		updateCorsConfig(config, typeAnnotation);
 		updateCorsConfig(config, methodAnnotation);
 
-		if (CollectionUtils.isEmpty(config.getAllowedOrigins())) {
-			config.setAllowedOrigins(Arrays.asList(CrossOrigin.DEFAULT_ORIGINS));
-		}
 		if (CollectionUtils.isEmpty(config.getAllowedMethods())) {
 			for (RequestMethod allowedMethod : mappingInfo.getMethodsCondition().getMethods()) {
 				config.addAllowedMethod(allowedMethod.name());
 			}
 		}
-		if (CollectionUtils.isEmpty(config.getAllowedHeaders())) {
+		return config.applyPermitDefaultValues();
-			config.setAllowedHeaders(Arrays.asList(CrossOrigin.DEFAULT_ALLOWED_HEADERS));
-		}
-		if (config.getAllowCredentials() == null) {
-			config.setAllowCredentials(CrossOrigin.DEFAULT_ALLOW_CREDENTIALS);
-		}
-		if (config.getMaxAge() == null) {
-			config.setMaxAge(CrossOrigin.DEFAULT_MAX_AGE);
-		}
-
-		return config;
 	}
 
 	private void updateCorsConfig(CorsConfiguration config, CrossOrigin annotation) {

spring-web/src/main/java/org/springframework/web/bind/annotation/CrossOrigin.java

@@ -23,11 +23,15 @@ import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
 
 import org.springframework.core.annotation.AliasFor;
+import org.springframework.web.cors.CorsConfiguration;
 
 /**
  * Marks the annotated method or type as permitting cross origin requests.
  *
- * <p>By default, all origins and headers are permitted.
+ * <p>By default all origins and headers are permitted, credentials are allowed,
+ * and the maximum age is set to 1800 seconds (30 minutes). The list of HTTP
+ * methods is set to the methods on the {@code @RequestMapping} if not
+ * explicitly set on {@code @CrossOrigin}.
  *
  * <p><b>NOTE:</b> {@code @CrossOrigin} is processed if an appropriate
  * {@code HandlerMapping}-{@code HandlerAdapter} pair is configured such as the
@@ -44,12 +48,28 @@ import org.springframework.core.annotation.AliasFor;
 @Documented
 public @interface CrossOrigin {
 
+	/**
+	 * @deprecated as of Spring 5.0, in favor of using {@link CorsConfiguration#applyPermitDefaultValues}
+	 */
+	@Deprecated
 	String[] DEFAULT_ORIGINS = { "*" };
 
+	/**
+	 * @deprecated as of Spring 5.0, in favor of using {@link CorsConfiguration#applyPermitDefaultValues}
+	 */
+	@Deprecated
 	String[] DEFAULT_ALLOWED_HEADERS = { "*" };
 
+	/**
+	 * @deprecated as of Spring 5.0, in favor of using {@link CorsConfiguration#applyPermitDefaultValues}
+	 */
+	@Deprecated
 	boolean DEFAULT_ALLOW_CREDENTIALS = true;
 
+	/**
+	 * @deprecated as of Spring 5.0, in favor of using {@link CorsConfiguration#applyPermitDefaultValues}
+	 */
+	@Deprecated
 	long DEFAULT_MAX_AGE = 1800;
 
 

spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java

@@ -17,6 +17,7 @@
 package org.springframework.web.cors;
 
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.LinkedHashSet;
 import java.util.List;
@@ -28,8 +29,16 @@ import org.springframework.util.ObjectUtils;
 import org.springframework.util.StringUtils;
 
 /**
- * A container for CORS configuration that also provides methods to check
+ * A container for CORS configuration along with methods to check against the
- * the actual or requested origin, HTTP methods, and headers.
+ * actual origin, HTTP methods, and headers of a given request.
+ *
+ * <p>By default a newly created {@code CorsConfiguration} does not permit any
+ * cross-origin requests and must be configured explicitly to indicate what
+ * should be allowed.
+ *
+ * <p>Use {@link #applyPermitDefaultValues()} to flip the initialization model
+ * to start with open defaults that permit all cross-origin requests for GET,
+ * HEAD, and POST requests.
  *
  * @author Sebastien Deleuze
  * @author Rossen Stoyanchev
@@ -71,7 +80,9 @@ public class CorsConfiguration {
 
 
 	/**
-	 * Construct a new, empty {@code CorsConfiguration} instance.
+	 * Construct a new {@code CorsConfiguration} instance with no cross-origin
+	 * requests allowed for any origin by default.
+	 * @see #applyPermitDefaultValues()
 	 */
 	public CorsConfiguration() {
 	}
@@ -91,45 +102,6 @@ public class CorsConfiguration {
 	}
 
 
-	/**
-	 * Combine the supplied {@code CorsConfiguration} with this one.
-	 * <p>Properties of this configuration are overridden by any non-null
-	 * properties of the supplied one.
-	 * @return the combined {@code CorsConfiguration} or {@code this}
-	 * configuration if the supplied configuration is {@code null}
-	 */
-	public CorsConfiguration combine(CorsConfiguration other) {
-		if (other == null) {
-			return this;
-		}
-		CorsConfiguration config = new CorsConfiguration(this);
-		config.setAllowedOrigins(combine(getAllowedOrigins(), other.getAllowedOrigins()));
-		config.setAllowedMethods(combine(getAllowedMethods(), other.getAllowedMethods()));
-		config.setAllowedHeaders(combine(getAllowedHeaders(), other.getAllowedHeaders()));
-		config.setExposedHeaders(combine(getExposedHeaders(), other.getExposedHeaders()));
-		Boolean allowCredentials = other.getAllowCredentials();
-		if (allowCredentials != null) {
-			config.setAllowCredentials(allowCredentials);
-		}
-		Long maxAge = other.getMaxAge();
-		if (maxAge != null) {
-			config.setMaxAge(maxAge);
-		}
-		return config;
-	}
-
-	private List<String> combine(List<String> source, List<String> other) {
-		if (other == null || other.contains(ALL)) {
-			return source;
-		}
-		if (source == null || source.contains(ALL)) {
-			return other;
-		}
-		Set<String> combined = new LinkedHashSet<>(source);
-		combined.addAll(other);
-		return new ArrayList<>(combined);
-	}
-
 	/**
 	 * Set the origins to allow, e.g. {@code "http://domain1.com"}.
 	 * <p>The special value {@code "*"} allows all domains.
@@ -325,6 +297,83 @@ public class CorsConfiguration {
 		return this.maxAge;
 	}
 
+	/**
+	 * By default a newly created {@code CorsConfiguration} does not permit any
+	 * cross-origin requests and must be configured explicitly to indicate what
+	 * should be allowed.
+	 *
+	 * <p>Use this method to flip the initialization model to start with open
+	 * defaults that permit all cross-origin requests for GET, HEAD, and POST
+	 * requests. Note however that this method will not override any existing
+	 * values already set.
+	 *
+	 * <p>The following defaults are applied if not already set:
+	 * <ul>
+	 *     <li>Allow all origins, i.e. {@code "*"}.</li>
+	 *     <li>Allow "simple" methods {@code GET}, {@code HEAD} and {@code POST}.</li>
+	 *     <li>Allow all headers.</li>
+	 *     <li>Allow credentials.</li>
+	 *     <li>Set max age to 1800 seconds (30 minutes).</li>
+	 * </ul>
+	 */
+	public CorsConfiguration applyPermitDefaultValues() {
+		if (this.allowedOrigins == null) {
+			this.addAllowedOrigin(ALL);
+		}
+		if (this.allowedMethods == null) {
+			this.setAllowedMethods(Arrays.asList(
+					HttpMethod.GET.name(), HttpMethod.HEAD.name(), HttpMethod.POST.name()));
+		}
+		if (this.allowedHeaders == null) {
+			this.addAllowedHeader(ALL);
+		}
+		if (this.allowCredentials == null) {
+			this.setAllowCredentials(true);
+		}
+		if (this.maxAge == null) {
+			this.setMaxAge(1800L);
+		}
+		return this;
+	}
+
+	/**
+	 * Combine the supplied {@code CorsConfiguration} with this one.
+	 * <p>Properties of this configuration are overridden by any non-null
+	 * properties of the supplied one.
+	 * @return the combined {@code CorsConfiguration} or {@code this}
+	 * configuration if the supplied configuration is {@code null}
+	 */
+	public CorsConfiguration combine(CorsConfiguration other) {
+		if (other == null) {
+			return this;
+		}
+		CorsConfiguration config = new CorsConfiguration(this);
+		config.setAllowedOrigins(combine(getAllowedOrigins(), other.getAllowedOrigins()));
+		config.setAllowedMethods(combine(getAllowedMethods(), other.getAllowedMethods()));
+		config.setAllowedHeaders(combine(getAllowedHeaders(), other.getAllowedHeaders()));
+		config.setExposedHeaders(combine(getExposedHeaders(), other.getExposedHeaders()));
+		Boolean allowCredentials = other.getAllowCredentials();
+		if (allowCredentials != null) {
+			config.setAllowCredentials(allowCredentials);
+		}
+		Long maxAge = other.getMaxAge();
+		if (maxAge != null) {
+			config.setMaxAge(maxAge);
+		}
+		return config;
+	}
+
+	private List<String> combine(List<String> source, List<String> other) {
+		if (other == null || other.contains(ALL)) {
+			return source;
+		}
+		if (source == null || source.contains(ALL)) {
+			return other;
+		}
+		Set<String> combined = new LinkedHashSet<>(source);
+		combined.addAll(other);
+		return new ArrayList<>(combined);
+	}
 
 	/**
 	 * Check the origin of the request against the configured allowed origins.

spring-webmvc/src/main/java/org/springframework/web/servlet/config/CorsBeanDefinitionParser.java

@@ -26,7 +26,6 @@ import org.w3c.dom.Element;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.beans.factory.xml.BeanDefinitionParser;
 import org.springframework.beans.factory.xml.ParserContext;
-import org.springframework.http.HttpMethod;
 import org.springframework.util.StringUtils;
 import org.springframework.util.xml.DomUtils;
 import org.springframework.web.cors.CorsConfiguration;
@@ -42,18 +41,6 @@ import org.springframework.web.cors.CorsConfiguration;
  */
 public class CorsBeanDefinitionParser implements BeanDefinitionParser {
 
-	private static final List<String> DEFAULT_ALLOWED_ORIGINS = Arrays.asList("*");
-
-	private static final List<String> DEFAULT_ALLOWED_METHODS =
-			Arrays.asList(HttpMethod.GET.name(), HttpMethod.HEAD.name(), HttpMethod.POST.name());
-
-	private static final List<String> DEFAULT_ALLOWED_HEADERS = Arrays.asList("*");
-
-	private static final boolean DEFAULT_ALLOW_CREDENTIALS = true;
-
-	private static final long DEFAULT_MAX_AGE = 1600;
-
-
 	@Override
 	public BeanDefinition parse(Element element, ParserContext parserContext) {
 
@@ -61,12 +48,7 @@ public class CorsBeanDefinitionParser implements BeanDefinitionParser {
 		List<Element> mappings = DomUtils.getChildElementsByTagName(element, "mapping");
 
 		if (mappings.isEmpty()) {
-			CorsConfiguration config = new CorsConfiguration();
+			CorsConfiguration config = new CorsConfiguration().applyPermitDefaultValues();
-			config.setAllowedOrigins(DEFAULT_ALLOWED_ORIGINS);
-			config.setAllowedMethods(DEFAULT_ALLOWED_METHODS);
-			config.setAllowedHeaders(DEFAULT_ALLOWED_HEADERS);
-			config.setAllowCredentials(DEFAULT_ALLOW_CREDENTIALS);
-			config.setMaxAge(DEFAULT_MAX_AGE);
 			corsConfigurations.put("/**", config);
 		}
 		else {
@@ -76,23 +58,14 @@ public class CorsBeanDefinitionParser implements BeanDefinitionParser {
 					String[] allowedOrigins = StringUtils.tokenizeToStringArray(mapping.getAttribute("allowed-origins"), ",");
 					config.setAllowedOrigins(Arrays.asList(allowedOrigins));
 				}
-				else {
-					config.setAllowedOrigins(DEFAULT_ALLOWED_ORIGINS);
-				}
 				if (mapping.hasAttribute("allowed-methods")) {
 					String[] allowedMethods = StringUtils.tokenizeToStringArray(mapping.getAttribute("allowed-methods"), ",");
 					config.setAllowedMethods(Arrays.asList(allowedMethods));
 				}
-				else {
-					config.setAllowedMethods(DEFAULT_ALLOWED_METHODS);
-				}
 				if (mapping.hasAttribute("allowed-headers")) {
 					String[] allowedHeaders = StringUtils.tokenizeToStringArray(mapping.getAttribute("allowed-headers"), ",");
 					config.setAllowedHeaders(Arrays.asList(allowedHeaders));
 				}
-				else {
-					config.setAllowedHeaders(DEFAULT_ALLOWED_HEADERS);
-				}
 				if (mapping.hasAttribute("exposed-headers")) {
 					String[] exposedHeaders = StringUtils.tokenizeToStringArray(mapping.getAttribute("exposed-headers"), ",");
 					config.setExposedHeaders(Arrays.asList(exposedHeaders));
@@ -100,16 +73,10 @@ public class CorsBeanDefinitionParser implements BeanDefinitionParser {
 				if (mapping.hasAttribute("allow-credentials")) {
 					config.setAllowCredentials(Boolean.parseBoolean(mapping.getAttribute("allow-credentials")));
 				}
-				else {
-					config.setAllowCredentials(DEFAULT_ALLOW_CREDENTIALS);
-				}
 				if (mapping.hasAttribute("max-age")) {
 					config.setMaxAge(Long.parseLong(mapping.getAttribute("max-age")));
 				}
-				else {
+				corsConfigurations.put(mapping.getAttribute("path"), config.applyPermitDefaultValues());
-					config.setMaxAge(DEFAULT_MAX_AGE);
-				}
-				corsConfigurations.put(mapping.getAttribute("path"), config);
 			}
 		}
 

spring-webmvc/src/main/java/org/springframework/web/servlet/config/annotation/CorsRegistration.java

@@ -19,22 +19,16 @@ package org.springframework.web.servlet.config.annotation;
 import java.util.ArrayList;
 import java.util.Arrays;
 
-import org.springframework.http.HttpMethod;
-import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.cors.CorsConfiguration;
 
 /**
- * {@code CorsRegistration} assists with the creation of a
+ * Assists with the creation of a {@link CorsConfiguration} instance mapped to
- * {@link CorsConfiguration} instance mapped to a path pattern.
+ * a path pattern. By default all origins, headers, and credentials for
- *
+ * {@code GET}, {@code HEAD}, and {@code POST} requests are allowed while the
- * <p>If no path pattern is specified, cross-origin request handling is
+ * max age is set to 30 minutes.
- * mapped to {@code "/**"}.
- *
- * <p>By default, all origins, all headers, credentials and {@code GET},
- * {@code HEAD}, and {@code POST} methods are allowed, and the max age is
- * set to 30 minutes.
  *
  * @author Sebastien Deleuze
+ * @author Rossen Stoyanchev
  * @author Sam Brannen
  * @since 4.2
  * @see CorsConfiguration
@@ -47,43 +41,85 @@ public class CorsRegistration {
 	private final CorsConfiguration config;
 
 
+	/**
+	 * Create a new {@link CorsRegistration} that allows all origins, headers, and
+	 * credentials for {@code GET}, {@code HEAD}, and {@code POST} requests with
+	 * max age set to 1800 seconds (30 minutes) for the specified path.
+	 *
+	 * @param pathPattern the path that the CORS configuration should apply to;
+	 * exact path mapping URIs (such as {@code "/admin"}) are supported as well
+	 * as Ant-style path patterns (such as {@code "/admin/**"}).
+	 */
 	public CorsRegistration(String pathPattern) {
 		this.pathPattern = pathPattern;
 		// Same implicit default values as the @CrossOrigin annotation + allows simple methods
-		this.config = new CorsConfiguration();
+		this.config = new CorsConfiguration().applyPermitDefaultValues();
-		this.config.setAllowedOrigins(Arrays.asList(CrossOrigin.DEFAULT_ORIGINS));
-		this.config.setAllowedMethods(Arrays.asList(HttpMethod.GET.name(),
-				HttpMethod.HEAD.name(), HttpMethod.POST.name()));
-		this.config.setAllowedHeaders(Arrays.asList(CrossOrigin.DEFAULT_ALLOWED_HEADERS));
-		this.config.setAllowCredentials(CrossOrigin.DEFAULT_ALLOW_CREDENTIALS);
-		this.config.setMaxAge(CrossOrigin.DEFAULT_MAX_AGE);
 	}
 
+	/**
+	 * Set the origins to allow, e.g. {@code "http://domain1.com"}.
+	 * <p>The special value {@code "*"} allows all domains.
+	 * <p>By default, all origins are allowed.
+	 */
 	public CorsRegistration allowedOrigins(String... origins) {
 		this.config.setAllowedOrigins(new ArrayList<>(Arrays.asList(origins)));
 		return this;
 	}
 
+
+	/**
+	 * Set the HTTP methods to allow, e.g. {@code "GET"}, {@code "POST"}, etc.
+	 * <p>The special value {@code "*"} allows all methods.
+	 * <p>By default "simple" methods {@code GET}, {@code HEAD}, and {@code POST}
+	 * are allowed.
+	 */
 	public CorsRegistration allowedMethods(String... methods) {
 		this.config.setAllowedMethods(new ArrayList<>(Arrays.asList(methods)));
 		return this;
 	}
 
+	/**
+	 * Set the list of headers that a pre-flight request can list as allowed
+	 * for use during an actual request.
+	 * <p>The special value {@code "*"} may be used to allow all headers.
+	 * <p>A header name is not required to be listed if it is one of:
+	 * {@code Cache-Control}, {@code Content-Language}, {@code Expires},
+	 * {@code Last-Modified}, or {@code Pragma} as per the CORS spec.
+	 * <p>By default all headers are allowed.
+	 */
 	public CorsRegistration allowedHeaders(String... headers) {
 		this.config.setAllowedHeaders(new ArrayList<>(Arrays.asList(headers)));
 		return this;
 	}
 
+	/**
+	 * Set the list of response headers other than "simple" headers, i.e.
+	 * {@code Cache-Control}, {@code Content-Language}, {@code Content-Type},
+	 * {@code Expires}, {@code Last-Modified}, or {@code Pragma}, that an
+	 * actual response might have and can be exposed.
+	 * <p>Note that {@code "*"} is not supported on this property.
+	 * <p>By default this is not set.
+	 */
 	public CorsRegistration exposedHeaders(String... headers) {
 		this.config.setExposedHeaders(new ArrayList<>(Arrays.asList(headers)));
 		return this;
 	}
 
+	/**
+	 * Configure how long in seconds the response from a pre-flight request
+	 * can be cached by clients.
+	 * <p>By default this is set to 1800 seconds (30 minutes).
+	 */
 	public CorsRegistration maxAge(long maxAge) {
 		this.config.setMaxAge(maxAge);
 		return this;
 	}
 
+	/**
+	 * Whether user credentials are supported.
+	 * <p>By default this is set to {@code true} in which case user credentials
+	 * are supported.
+	 */
 	public CorsRegistration allowCredentials(boolean allowCredentials) {
 		this.config.setAllowCredentials(allowCredentials);
 		return this;

spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/RequestMappingHandlerMapping.java

@@ -18,7 +18,6 @@ package org.springframework.web.servlet.mvc.method.annotation;
 
 import java.lang.reflect.AnnotatedElement;
 import java.lang.reflect.Method;
-import java.util.Arrays;
 import java.util.List;
 import java.util.Set;
 import javax.servlet.http.HttpServletRequest;
@@ -305,24 +304,12 @@ public class RequestMappingHandlerMapping extends RequestMappingInfoHandlerMappi
 		updateCorsConfig(config, typeAnnotation);
 		updateCorsConfig(config, methodAnnotation);
 
-		if (CollectionUtils.isEmpty(config.getAllowedOrigins())) {
-			config.setAllowedOrigins(Arrays.asList(CrossOrigin.DEFAULT_ORIGINS));
-		}
 		if (CollectionUtils.isEmpty(config.getAllowedMethods())) {
 			for (RequestMethod allowedMethod : mappingInfo.getMethodsCondition().getMethods()) {
 				config.addAllowedMethod(allowedMethod.name());
 			}
 		}
-		if (CollectionUtils.isEmpty(config.getAllowedHeaders())) {
+		return config.applyPermitDefaultValues();
-			config.setAllowedHeaders(Arrays.asList(CrossOrigin.DEFAULT_ALLOWED_HEADERS));
-		}
-		if (config.getAllowCredentials() == null) {
-			config.setAllowCredentials(CrossOrigin.DEFAULT_ALLOW_CREDENTIALS);
-		}
-		if (config.getMaxAge() == null) {
-			config.setMaxAge(CrossOrigin.DEFAULT_MAX_AGE);
-		}
-		return config;
 	}
 
 	private void updateCorsConfig(CorsConfiguration config, CrossOrigin annotation) {

spring-webmvc/src/test/java/org/springframework/web/servlet/config/MvcNamespaceTests.java

@@ -882,7 +882,7 @@ public class MvcNamespaceTests {
 			assertArrayEquals(new String[]{"*"}, config.getAllowedHeaders().toArray());
 			assertNull(config.getExposedHeaders());
 			assertTrue(config.getAllowCredentials());
-			assertEquals(new Long(1600), config.getMaxAge());
+			assertEquals(new Long(1800), config.getMaxAge());
 		}
 	}
 
@@ -912,7 +912,7 @@ public class MvcNamespaceTests {
 			assertArrayEquals(new String[]{"*"}, config.getAllowedHeaders().toArray());
 			assertNull(config.getExposedHeaders());
 			assertTrue(config.getAllowCredentials());
-			assertEquals(new Long(1600), config.getMaxAge());
+			assertEquals(new Long(1800), config.getMaxAge());
 		}
 	}