Merge pull request #3059 from izeye/patch-12

* patch-12:
  Fix allowCredentials property handling

spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/MvcEndpointCorsProperties.java

@@ -133,7 +133,7 @@ public class MvcEndpointCorsProperties {
 			corsConfiguration.setMaxAge(this.maxAge);
 		}
 		if (this.allowCredentials != null) {
-			corsConfiguration.setAllowCredentials(true);
+			corsConfiguration.setAllowCredentials(this.allowCredentials);
 		}
 		return corsConfiguration;
 	}

spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/mvc/MvcEndpointCorsIntegrationTests.java

@@ -160,6 +160,15 @@ public class MvcEndpointCorsIntegrationTests {
 				header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true"));
 	}
 
+	@Test
+	public void credentialsCanBeDisabled() throws Exception {
+		EnvironmentTestUtils.addEnvironment(this.context,
+				"endpoints.cors.allowed-origins:foo.example.com",
+				"endpoints.cors.allow-credentials:false");
+		performAcceptedCorsRequest().andExpect(
+				header().doesNotExist(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
+	}
+
 	@Test
 	public void jolokiaEndpointUsesGlobalCorsConfiguration() throws Exception {
 		EnvironmentTestUtils.addEnvironment(this.context,