From 88612393f3955d8cd49566127b09a75d50e5f642 Mon Sep 17 00:00:00 2001
From: izeye
Date: Thu, 28 May 2015 21:08:42 +0900
Subject: [PATCH] Fix allowCredentials property handling

Closes gh-3059
---
 .../actuate/autoconfigure/MvcEndpointCorsProperties.java | 2 +-
 .../endpoint/mvc/MvcEndpointCorsIntegrationTests.java | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/MvcEndpointCorsProperties.java b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/MvcEndpointCorsProperties.java
index cd0cffce60..aaddb94663 100644
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/MvcEndpointCorsProperties.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/MvcEndpointCorsProperties.java
@@ -133,7 +133,7 @@ public class MvcEndpointCorsProperties {
 corsConfiguration.setMaxAge(this.maxAge);
 }
 if (this.allowCredentials != null) {
- corsConfiguration.setAllowCredentials(true);
+ corsConfiguration.setAllowCredentials(this.allowCredentials);
 }
 return corsConfiguration;
 }
diff --git a/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/mvc/MvcEndpointCorsIntegrationTests.java b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/mvc/MvcEndpointCorsIntegrationTests.java
index ca068175d3..a085fc0417 100644
--- a/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/mvc/MvcEndpointCorsIntegrationTests.java
+++ b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/mvc/MvcEndpointCorsIntegrationTests.java
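Review bot: The `if (this.allowCredentials != null)` guard now distinguishes three states (unset, `true`, `false`), and nothing next to the new `setAllowCredentials(this.allowCredentials)` call records that. Because an explicit `false` used to end up as `true` here, which is a fail-open CORS setting for management endpoints, I would add a comment such as `// null = property not set: keep CorsConfiguration's default; an explicit false must be passed through unchanged`. The enclosing method starts above the hunk, so it is not visible whether credentials combined with a wildcard allowed origin are rejected or warned about; if they are not, that is worth a follow-up check.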
@@ -160,6 +160,15 @@ public class MvcEndpointCorsIntegrationTests {
 header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true"));
 }
 
+ @Test
+ public void credentialsCanBeDisabled() throws Exception {
+ EnvironmentTestUtils.addEnvironment(this.context,
+ "endpoints.cors.allowed-origins:foo.example.com",
+ "endpoints.cors.allow-credentials:false");
+ performAcceptedCorsRequest().andExpect(
+ header().doesNotExist(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
+ }
+
 @Test
 public void jolokiaEndpointUsesGlobalCorsConfiguration() throws Exception {
 EnvironmentTestUtils.addEnvironment(this.context,
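Review bot: The unset case is not pinned by any test visible in this hunk: the test ending just above expects `"true"` and the new `credentialsCanBeDisabled` covers an explicit `false`, but nothing here asserts what a deployment gets when `endpoints.cors.allow-credentials` is absent. That default decides whether browsers may attach cookies or auth headers to cross-origin calls against the management endpoints, so, assuming the intended default is off, I would add a sibling test that sets only `endpoints.cors.allowed-origins:foo.example.com` and expects `header().doesNotExist(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)`. The rest of the test class is outside the hunk, so such a test may already exist elsewhere in the file.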