Zuul + Spring Security: solving the cross-origin (CORS) problem

Brief introduction

Scenario

Cross-origin (CORS) problems turn up in almost every back-end service. On plain Spring they are easy to solve, but once frameworks are stacked on top of each other (here Zuul plus Spring Security / OAuth2) the problem becomes conspicuous: the frameworks conflict, and without understanding how the filters actually run you are powerless to fix it.

What follows is the CORS configuration for Zuul. The symptom was that cross-origin errors still appeared in front-end calls even after CORS had been configured.

Interfaces that require no authentication passed the cross-origin check once the CORS configuration was added. Calling interfaces that do require authentication, however, still produced inexplicable cross-origin errors.

POST requests are special

While solving this I found that POST requests are a bit special and need handling of their own.

POST requests fall into two kinds: simple requests and non-simple requests that the browser preflights.

CORS may use the OPTIONS method to send a preflight request that checks whether the server will accept the actual request. The preflight carries an Access-Control-Request-Method header telling the server which HTTP method the actual request will use, and an Access-Control-Request-Headers header listing the custom request headers the actual request will carry. From the preflight response the browser decides whether to send the actual request at all.

The preflight carries no credentials (no cookies and no Authorization header), so the authentication filter intercepts it. Requests of type OPTIONS therefore have to be let through.
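The exchange described above, as an added example that is not code from the original post: a self-contained Java program (JDK only, no Spring or Zuul) in which a tiny server answers OPTIONS preflights against an explicit origin allow-list before any authentication check, and a raw-socket client sends the same preflight a browser would send ahead of a POST with custom headers. The hostnames, path and allow-list are assumptions chosen for the demo.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Added example, not code from the original post: a CORS preflight exchange using only the JDK.
public class PreflightDemo {
    // Assumed allow-list for the demo; a real gateway loads this from configuration.
    static final List<String> ALLOWED_ORIGINS = Arrays.asList("https://app.example.com", "https://admin.example.com");
    static final List<String> ALLOWED_METHODS = Arrays.asList("GET", "POST", "PUT", "DELETE");
    static final List<String> ALLOWED_HEADERS = Arrays.asList("authorization", "content-type", "x-auth-token");

    /** Server side: answer preflights against the allow-list, then require auth on real requests. */
    static void handle(HttpExchange ex) throws IOException {
        String origin = ex.getRequestHeaders().getFirst("Origin");
        boolean originOk = origin != null && ALLOWED_ORIGINS.contains(origin);
        boolean preflight = "OPTIONS".equals(ex.getRequestMethod()) && ex.getRequestHeaders().containsKey("Access-Control-Request-Method");
        if (preflight) {
            String method = ex.getRequestHeaders().getFirst("Access-Control-Request-Method");
            String hdrs = ex.getRequestHeaders().getFirst("Access-Control-Request-Headers");
            boolean headersOk = hdrs == null || Arrays.stream(hdrs.split(","))
                .map(h -> h.trim().toLowerCase(Locale.ROOT)).allMatch(ALLOWED_HEADERS::contains);
            if (!originOk || !ALLOWED_METHODS.contains(method) || !headersOk) {
                ex.sendResponseHeaders(403, -1); // no Access-Control-* headers: the browser drops the real request
                ex.close();
                return;
            }
            // A preflight carries no cookies or Authorization header, so it has to be answered before any
            // authentication check. Echo the one matching origin, never "*", because credentials are allowed.
            ex.getResponseHeaders().set("Access-Control-Allow-Origin", origin);
            ex.getResponseHeaders().set("Access-Control-Allow-Credentials", "true");
            ex.getResponseHeaders().set("Access-Control-Allow-Methods", String.join(", ", ALLOWED_METHODS));
            ex.getResponseHeaders().set("Access-Control-Allow-Headers", String.join(", ", ALLOWED_HEADERS));
            ex.getResponseHeaders().set("Access-Control-Max-Age", "600");
            ex.getResponseHeaders().set("Vary", "Origin"); // shared caches must key the answer on Origin
            ex.sendResponseHeaders(204, -1);
            ex.close();
            return;
        }
        // The actual request does carry credentials, so a missing Authorization header is a genuine 401.
        if (ex.getRequestHeaders().getFirst("Authorization") == null) {
            ex.sendResponseHeaders(401, -1);
            ex.close();
            return;
        }
        if (originOk) { // the real response needs the CORS headers too, or the browser hides it from the page
            ex.getResponseHeaders().set("Access-Control-Allow-Origin", origin);
            ex.getResponseHeaders().set("Access-Control-Allow-Credentials", "true");
            ex.getResponseHeaders().set("Vary", "Origin");
        }
        ex.sendResponseHeaders(204, -1);
        ex.close();
    }

    /** Client side: write a raw HTTP request over a socket and return the status line plus headers. */
    static String send(int port, String rawRequest) throws IOException {
        try (Socket s = new Socket("127.0.0.1", port)) {
            s.getOutputStream().write(rawRequest.getBytes(StandardCharsets.US_ASCII));
            BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream(), StandardCharsets.US_ASCII));
            StringBuilder sb = new StringBuilder();
            for (String line = in.readLine(); line != null && !line.isEmpty(); line = in.readLine()) {
                sb.append(line).append('\n');
            }
            return sb.toString();
        }
    }

    /** The preflight a browser sends before a cross-origin POST that carries custom headers. */
    static String preflight(int port, String origin) {
        return "OPTIONS /api/orders HTTP/1.1\r\nHost: 127.0.0.1:" + port + "\r\nOrigin: " + origin + "\r\n"
            + "Access-Control-Request-Method: POST\r\n"
            + "Access-Control-Request-Headers: content-type, x-auth-token\r\n"
            + "Connection: close\r\n\r\n";
    }

    public static void main(String[] args) throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", PreflightDemo::handle);
        server.start();
        int port = server.getAddress().getPort();
        try {
            System.out.println("--- preflight from an allowed origin: 204 plus Access-Control-Allow-* headers");
            System.out.println(send(port, preflight(port, "https://app.example.com")));
            System.out.println("--- preflight from an unknown origin: 403 and no Access-Control-Allow-* headers");
            System.out.println(send(port, preflight(port, "https://evil.example")));
            System.out.println("--- real POST without Authorization: 401 from the authentication layer");
            System.out.println(send(port, "POST /api/orders HTTP/1.1\r\nHost: 127.0.0.1:" + port
                + "\r\nOrigin: https://app.example.com\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"));
        } finally {
            server.stop(0);
        }
    }
}
```

Run it with java PreflightDemo.java (Java 11 or later). The first preflight comes back 204 with Access-Control-Allow-* headers for the single matching origin; the one from https://evil.example gets 403 with no CORS headers at all, which is what makes a browser block the real request; the final POST shows that the 401 belongs to the actual request, which does carry credentials in a browser, and never to the preflight. That separation is exactly what the Zuul + Security setup below was getting wrong.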

Implementation

Solving the cross-origin errors

The setup was initially very simple: I copied over code I had used before. The first attempt created a CorsFilter bean. Simple requests did get through, but interfaces that require authentication still failed, so following some online material I registered the filter through a FilterRegistrationBean and set its loading order as well, as in the code below.

This made no difference; the behaviour was the same before and after.

import java.util.Arrays;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

/**
 * CORS configuration: C - Cross  O - Origin  R - Resource  S - Sharing
 *
 * @author purgeyao
 * @since 1.0
 */
@Configuration
//@Order(Ordered.HIGHEST_PRECEDENCE)
public class CorsConfig {

  @Bean
  public FilterRegistrationBean<CorsFilter> filterRegistrationBean() {
    final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    final CorsConfiguration config = new CorsConfiguration();

    config.setAllowCredentials(true);
    // "*" together with allowCredentials(true) makes Spring (before 5.3) reflect any Origin
    // back with credentials allowed; restrict this to the real front-end origins in production.
    config.setAllowedOrigins(Arrays.asList("*"));
    config.setAllowedHeaders(Arrays.asList("*"));
    config.setAllowedMethods(Arrays.asList("*"));
    config.setMaxAge(300L);

    source.registerCorsConfiguration("/**", config);
    CorsFilter corsFilter = new CorsFilter(source);
    FilterRegistrationBean<CorsFilter> filterRegistrationBean = new FilterRegistrationBean<>(corsFilter);
    // Order 0 still runs after the Spring Security filter chain (which Spring Boot registers
    // at order -100), so this registration did not fix the problem.
    filterRegistrationBean.setOrder(0);
    return filterRegistrationBean;
  }
}

With help from the source and some online references I tried the following instead:

A subclass of CorsFilter annotated with @Order(Ordered.HIGHEST_PRECEDENCE), the highest loading priority.

import java.util.Arrays;
import java.util.List;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

/**
 * CORS configuration for zuul+oauth2: C - Cross  O - Origin  R - Resource  S - Sharing
 *
 * @author purgeyao
 * @since 1.0
 */
@Component
// Spring Boot registers a Filter @Component using the order given here, so HIGHEST_PRECEDENCE
// places it in front of the Spring Security filter chain.
@Order(Ordered.HIGHEST_PRECEDENCE)
public class AjaxCorsFilter extends CorsFilter {

  public AjaxCorsFilter() {
    super(configurationSource());
  }

  private static UrlBasedCorsConfigurationSource configurationSource() {
    CorsConfiguration corsConfig = new CorsConfiguration();
//        List<String> allowedHeaders = Arrays.asList("x-auth-token", "content-type", "X-Requested-With", "XMLHttpRequest");
    // Response headers the browser may read. Note that "XMLHttpRequest" is a header value
    // (of X-Requested-With), not a header name, so listing it here has no effect.
    List<String> exposedHeaders = Arrays
        .asList("x-auth-token", "content-type", "X-Requested-With", "XMLHttpRequest");
//        List<String> allowedMethods = Arrays.asList("POST", "GET", "DELETE", "PUT", "OPTIONS");

    // "*" origins together with allowCredentials(true) makes Spring (before 5.3) reflect any
    // Origin with credentials allowed; restrict this to the real front-end origins in production.
    List<String> allowedHeaders = Arrays.asList("*");
    List<String> allowedMethods = Arrays.asList("*");
    List<String> allowedOrigins = Arrays.asList("*");
    corsConfig.setAllowedHeaders(allowedHeaders);
    corsConfig.setAllowedMethods(allowedMethods);
    corsConfig.setAllowedOrigins(allowedOrigins);
    corsConfig.setExposedHeaders(exposedHeaders);
    corsConfig.setMaxAge(36000L);
    corsConfig.setAllowCredentials(true);

    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", corsConfig);
    return source;
  }
}

That solved it, but I did not feel I understood why. After reading the source:

It was simply a filter ordering problem. The FilterRegistrationBean injected above works just as well; its order only has to place it ahead of the Spring Security filter chain. Spring Boot registers that chain at order -100 (SecurityProperties.DEFAULT_FILTER_ORDER), so an order of 0 runs after Spring Security has already rejected the request. Changing the order to Ordered.HIGHEST_PRECEDENCE made the cross-origin requests succeed.

One thing neither version addresses: both combine setAllowedOrigins("*") with setAllowCredentials(true). Browsers refuse a literal Access-Control-Allow-Origin: * on a credentialed request, so Spring versions before 5.3 reflect whatever Origin the request carried, which lets any website make a logged-in user's browser send authenticated requests through the gateway and read the responses. List the real front-end origins instead; Spring 5.3 and later reject the wildcard-plus-credentials combination outright and offer setAllowedOriginPatterns for the cases that genuinely need a pattern.

import java.util.Arrays;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

/**
 * CORS configuration: C - Cross  O - Origin  R - Resource  S - Sharing
 *
 * @author purgeyao
 * @since 1.0
 */
@Configuration
//@Order(Ordered.HIGHEST_PRECEDENCE)
public class CorsConfig {

  @Bean
  public FilterRegistrationBean<CorsFilter> filterRegistrationBean() {
    final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    final CorsConfiguration config = new CorsConfiguration();

    config.setAllowCredentials(true);
    // "*" together with allowCredentials(true) makes Spring (before 5.3) reflect any Origin
    // back with credentials allowed; restrict this to the real front-end origins in production.
    config.setAllowedOrigins(Arrays.asList("*"));
    config.setAllowedHeaders(Arrays.asList("*"));
    config.setAllowedMethods(Arrays.asList("*"));
    config.setMaxAge(300L);

    source.registerCorsConfiguration("/**", config);
    CorsFilter corsFilter = new CorsFilter(source);
    FilterRegistrationBean<CorsFilter> filterRegistrationBean = new FilterRegistrationBean<>(corsFilter);
    // Set to Ordered.HIGHEST_PRECEDENCE so the filter runs before the Spring Security chain
    filterRegistrationBean.setOrder(Ordered.HIGHEST_PRECEDENCE);
    return filterRegistrationBean;
  }
}

With that, the cross-origin errors were resolved.

Handling the OPTIONS request

For background on the OPTIONS method, see the MDN Web Docs.

When the front end sends a POST you will see an OPTIONS request go out before the actual request is sent.

Because the OPTIONS preflight carries no authentication state, the authorization layer intercepts it and throws, and the actual request is never sent.

All that is needed is to let OPTIONS requests through and return a 200 (or 204) status.

There are several ways to do this: let them through in the Zuul gateway, or add them to Spring Security's ignore list so they are not intercepted:

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // ... remaining configuration omitted in the original ...

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // ...
        // Do not intercept OPTIONS requests: the CORS preflight carries no credentials
        http.authorizeRequests().antMatchers(HttpMethod.OPTIONS).permitAll();
        // ...
    }
}
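Pulling the two fixes together (the filter ordering from the previous section and the OPTIONS permitAll here) as an added example, not the post's code or the Zuul-Security sample project: a Spring Security configuration with an explicit origin allow-list instead of "*" combined with credentials. It targets the Spring Boot 2.x / Spring Security 5.x API the post uses (WebSecurityConfigurerAdapter, deprecated in later releases); the origins, header names and the anyRequest().authenticated() rule are assumptions for the example.

```java
import java.util.Arrays;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

/**
 * Added example, not the original post's code: the post's Zuul + Spring Security CORS fix
 * with an explicit origin allow-list instead of "*" combined with credentials.
 * Targets the Spring Boot 2.x / Spring Security 5.x API the post uses.
 */
@Configuration
@EnableWebSecurity
public class HardenedCorsSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed front-end origins for the example; a real gateway reads these from configuration.
    private static final String[] FRONTEND_ORIGINS = {"https://app.example.com", "https://admin.example.com"};

    // The bean name "corsConfigurationSource" is what http.cors() looks up when no CorsFilter bean exists.
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        // Explicit origins only. With allowCredentials(true) a "*" origin is refused by browsers,
        // and Spring 5.3+ throws on the combination (use setAllowedOriginPatterns if a pattern is needed).
        config.setAllowedOrigins(Arrays.asList(FRONTEND_ORIGINS));
        config.setAllowCredentials(true);
        config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        config.setAllowedHeaders(Arrays.asList("Authorization", "Content-Type", "X-Requested-With", "x-auth-token"));
        config.setExposedHeaders(Arrays.asList("x-auth-token"));
        config.setMaxAge(600L); // seconds the browser may cache a preflight answer
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return source;
    }

    // Register the CorsFilter ahead of the Spring Security chain (Spring Boot registers that chain
    // at order -100), the ordering the post found necessary: preflights are then answered before
    // any authentication filter can reject them.
    @Bean
    public FilterRegistrationBean<CorsFilter> corsFilterRegistration(CorsConfigurationSource source) {
        FilterRegistrationBean<CorsFilter> registration = new FilterRegistrationBean<>(new CorsFilter(source));
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return registration;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // cors() adds Spring Security's own CorsFilter at the front of its chain, using the
            // corsConfigurationSource bean above, so preflights are handled even without the
            // registration bean; DefaultCorsProcessor skips a response that already carries CORS headers.
            .cors().and()
            .authorizeRequests()
                // Belt and braces for any OPTIONS request that is not a CORS preflight.
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                .anyRequest().authenticated();
    }
}
```

With this in place a preflight from https://app.example.com is answered with that exact origin echoed back, a preflight from any other origin gets no Access-Control-Allow-Origin header and is blocked by the browser, and authenticated requests still pass through the OAuth2 checks unchanged. If the gateway fronts several front ends, list each one rather than falling back to "*".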

Everything now works.

Summary

A bug that looks simple in isolation becomes hard at the intersection of two frameworks, and the feeling of helplessness in front of an inexplicable problem is familiar. The way out is to observe patiently and read the source to understand how the pieces actually run.

Sample code: Zuul-Security

On GitHub: Purgeyao, follow if interested.

QQ group: 812321371. WeChat group: MercyYao


Source: www.cnblogs.com/Purgeyao/p/12038077.html