From c11dd4a83910a7bab774eac7a886027edd52d330 Mon Sep 17 00:00:00 2001
From: mdindoffer <mdindoffer@gmail.com>
Date: Fri, 13 Mar 2020 15:21:53 +0100
Subject: [PATCH] Do not mention credentials as enabled by default in
 CorsRegistry

Credentials are not enabled by default contrary to the javadocs.
The credentials support must be enabled via #allowCredentials.

Closes gh-24691

Co-authored-by: Martin Dindoffer <martin.dindoffer@sigp.eu>
---
 .../web/servlet/config/annotation/CorsRegistry.java          | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/config/annotation/CorsRegistry.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/config/annotation/CorsRegistry.java
index da99c0b5b4..ead009eb05 100644
--- a/spring-webmvc/src/main/java/org/springframework/web/servlet/config/annotation/CorsRegistry.java
+++ b/spring-webmvc/src/main/java/org/springframework/web/servlet/config/annotation/CorsRegistry.java
@@ -42,9 +42,8 @@ public class CorsRegistry {
 	 *
 	 * <p>Exact path mapping URIs (such as {@code "/admin"}) are supported as
 	 * well as Ant-style path patterns (such as {@code "/admin/**"}).
-	 * <p>By default, all origins, all headers, credentials and {@code GET},
-	 * {@code HEAD}, and {@code POST} methods are allowed, and the max age
-	 * is set to 30 minutes.
+	 * <p>By default, all origins, all headers and {@code GET}, {@code HEAD},
+	 * and {@code POST} methods are allowed, and the max age is set to 30 minutes.
 	 *
 	 * <p>The following defaults are applied to the {@link CorsRegistration}:
 	 * <ul>