Search code examples
corsspring-cloud-gateway

Double CORS headers with spring-cloud-gateway

How to disable CORS on gateway? I mean really disable, not allow requests from all origins with all methods like you find when searching for "disable gateway CORS" on stackoeverflow or elsewhere.

I have a spring-cloud-gateway in front of a few services which already position response CORS headers (Access-Control-Allow-Origin and alike) and for some of this services, I can hardly disable CORS (Keycloak for instance).

My problem is spring-cloud-gateway set some of those headers too, which results in duplicate CORS headers and a CORS error in client app. So I'd like to completely disable CORS filters on the gateway (ideally globally but a filter configuration to apply to each route would be acceptable too)

Gateway configuration:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.0.0-RC2</version>
        <relativePath />
    </parent>
    <groupId>com.c4-soft.user-proxies</groupId>
    <artifactId>gateway</artifactId>
    <version>1.0.0-SNAPSHOT</version>

    <properties>
        <java.version>17</java.version>
        <spring-cloud.version>2022.0.0-RC1</spring-cloud.version>
    </properties>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>${spring-cloud.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-gateway</artifactId>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>

spring.cloud.gateway.globalcors.add-to-simple-url-handler-mapping=true
spring.cloud.gateway.globalcors.corsConfigurations.[/**].allowed-origins=*
spring.cloud.gateway.globalcors.corsConfigurations.[/**].allowed-headers=*
spring.cloud.gateway.globalcors.corsConfigurations.[/**].allowed-methods=*
spring.cloud.gateway.globalcors.corsConfigurations.[/**].exposed-headers=*

@SpringBootApplication
public class GatewayApplication {

    public static void main(String[] args) {
        SpringApplication.run(GatewayApplication.class, args);
    }

    @Bean
    public RouteLocator myRoutes(RouteLocatorBuilder builder) {
        return builder.routes()
                .route(p -> p.path("/users/**").uri("https://localhost:9443"))
                .route(p -> p.path("/greet/**").uri("https://localhost:9445"))
                .route(p -> p.path("/realms/**").uri("https://localhost:8443"))
                .build();
    }
}

When trying to go through the gateway (send all requests to port 8080) with CORS enabled on resource-servers, I get cors Errors and response headers contained doubled CORS headers: CORS error in Chrome developer tools showing doubled CORS headers in response

When configured for direct connection (contact resource-servers on ports 9443 and 9445), Angular requests are sucessful.

If I disable CORS in resource-servers (those on ports 9443 and 9445), then CORS headers are not doubled anymore and requests through the gateway are successful (but direct requests fail).

Solution

  • I found a way to de-duplicate CORS headers on the gateway:

        @Bean
    public RouteLocator myRoutes(RouteLocatorBuilder builder, Function<GatewayFilterSpec, UriSpec> brutalCorsFilters) {
        return builder.routes()
                .route(p -> p.path("/users/**").filters(brutalCorsFilters).uri("https://localhost:9443"))
                .route(p -> p.path("/greet/**").filters(brutalCorsFilters).uri("https://localhost:9445"))
                .route(p -> p.path("/realms/**").filters(brutalCorsFilters).uri("https://localhost:8443"))
                .build();
    }

    @Bean
    Function<GatewayFilterSpec, UriSpec> brutalCorsFilters() {
        return f -> f
                .setResponseHeader("Access-Control-Allow-Origin", "*")
                .setResponseHeader("Access-Control-Allow-Methods", "*")
                .setResponseHeader("Access-Control-Expose-Headers", "*");
    }

    With this, CORS configuration can remain active on resource-servers (but will be ignored).

    I'd prefer to disable gateway CORS processor and keep resource-servers CORS headers, but at least this is usable.