Zuul + Spring Security: solving the cross-origin (CORS) problem
Brief introduction
Scenario
Back-end services run into cross-origin (CORS) problems, and Spring usually makes them easy to solve. When one framework is layered on top of another, though, the problem becomes especially obvious: the frameworks conflict, and without understanding how the source code runs you are powerless to solve it.
The case presented here: cross-origin configuration was in place for Zuul, yet cross-origin errors still appeared on front-end calls.
Normally, once the CORS configuration is added, interfaces that require no permission pass the cross-origin check. But calls between services to functions that do require authorization reported inexplicable cross-origin errors.
POST requests are special
While solving the problem I found that POST requests are a bit special and also need to be handled.
POST requests are divided into simple requests and complex requests.
In CORS, the OPTIONS method may be used to send a preflight request, which checks whether the actual request will be accepted by the server. In the preflight request, the Access-Control-Request-Method header field tells the server which HTTP method the actual request uses, and the Access-Control-Request-Headers header field tells the server which custom request header fields the actual request carries. Based on the information in the preflight request, the server decides whether to accept the actual request that follows.
The OPTIONS request carries no permission-related content, so it is intercepted by authentication; we have to let requests of type OPTIONS through.
Usage
Solving the cross-origin problem
The setup used to be very simple: I copied over the code I had used before. The first step was to create a CorsFilter bean. Simple requests did get through, but interfaces that require permission did not. So, following some material I found, I injected a FilterRegistrationBean bean configured as in the code below, which also sets the bean's load order.
It still did not help; the result was the same as before.
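
    import java.util.Arrays;
    import org.springframework.boot.web.servlet.FilterRegistrationBean;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.web.cors.CorsConfiguration;
    import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
    import org.springframework.web.filter.CorsFilter;

    /**
     * Cross-origin configuration. CORS: C - Cross O - Origin R - Resource S - Sharing
     *
     * @author purgeyao
     * @since 1.0
     */
    @Configuration
    //@Order(Ordered.HIGHEST_PRECEDENCE)
    public class CorsConfig {

        @Bean
        public FilterRegistrationBean filterRegistrationBean() {
            final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
            final CorsConfiguration config = new CorsConfiguration();
            // Caution: "*" origins together with credentials lets any site send
            // credentialed requests; Spring Framework 5.3+ rejects this combination
            // with an IllegalArgumentException.
            config.setAllowCredentials(true);
            config.setAllowedOrigins(Arrays.asList("*"));
            config.setAllowedHeaders(Arrays.asList("*"));
            config.setAllowedMethods(Arrays.asList("*"));
            config.setMaxAge(300L);
            source.registerCorsConfiguration("/**", config);
            CorsFilter corsFilter = new CorsFilter(source);
            FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean(corsFilter);
            // Order 0: this turned out not to be early enough (see below)
            filterRegistrationBean.setOrder(0);
            return filterRegistrationBean;
        }
    }
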
With the help of some material and the source code, I tried the following: implement a CorsFilter subclass and give it the highest priority in the load order with @Order(Ordered.HIGHEST_PRECEDENCE).

    import java.util.Arrays;
    import java.util.List;
    import org.springframework.core.Ordered;
    import org.springframework.core.annotation.Order;
    import org.springframework.stereotype.Component;
    import org.springframework.web.cors.CorsConfiguration;
    import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
    import org.springframework.web.filter.CorsFilter;

    /**
     * Cross-origin configuration that solves the zuul+oauth2 case.
     * CORS: C - Cross O - Origin R - Resource S - Sharing
     *
     * @author purgeyao
     * @since 1.0
     */
    @Component
    @Order(Ordered.HIGHEST_PRECEDENCE)
    public class AjaxCorsFilter extends CorsFilter {

        public AjaxCorsFilter() {
            super(configurationSource());
        }

        private static UrlBasedCorsConfigurationSource configurationSource() {
            CorsConfiguration corsConfig = new CorsConfiguration();
            // List<String> allowedHeaders = Arrays.asList("x-auth-token", "content-type", "X-Requested-With", "XMLHttpRequest");
            List<String> exposedHeaders = Arrays
                .asList("x-auth-token", "content-type", "X-Requested-With", "XMLHttpRequest");
            // List<String> allowedMethods = Arrays.asList("POST", "GET", "DELETE", "PUT", "OPTIONS");
            List<String> allowedHeaders = Arrays.asList("*");
            List<String> allowedMethods = Arrays.asList("*");
            List<String> allowedOrigins = Arrays.asList("*");
            corsConfig.setAllowedHeaders(allowedHeaders);
            corsConfig.setAllowedMethods(allowedMethods);
            corsConfig.setAllowedOrigins(allowedOrigins);
            corsConfig.setExposedHeaders(exposedHeaders);
            corsConfig.setMaxAge(36000L);
            corsConfig.setAllowCredentials(true);
            UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
            // Apply the configuration to every path
            source.registerCorsConfiguration("/**", corsConfig);
            return source;
        }
    }

Ha ha, it was solved, but somehow it did not feel that way until I understood why.
In fact, I had just found a load-order problem. The FilterRegistrationBean we injected above can also be used, but when setting its order you need to give it a higher priority than security. After changing the order to Ordered.HIGHEST_PRECEDENCE, cross-origin requests went through successfully.
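
    import java.util.Arrays;
    import org.springframework.boot.web.servlet.FilterRegistrationBean;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.Ordered;
    import org.springframework.web.cors.CorsConfiguration;
    import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
    import org.springframework.web.filter.CorsFilter;

    /**
     * Cross-origin configuration. CORS: C - Cross O - Origin R - Resource S - Sharing
     *
     * @author purgeyao
     * @since 1.0
     */
    @Configuration
    //@Order(Ordered.HIGHEST_PRECEDENCE)
    public class CorsConfig {

        @Bean
        public FilterRegistrationBean filterRegistrationBean() {
            final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
            final CorsConfiguration config = new CorsConfiguration();
            config.setAllowCredentials(true);
            config.setAllowedOrigins(Arrays.asList("*"));
            config.setAllowedHeaders(Arrays.asList("*"));
            config.setAllowedMethods(Arrays.asList("*"));
            config.setMaxAge(300L);
            source.registerCorsConfiguration("/**", config);
            CorsFilter corsFilter = new CorsFilter(source);
            FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean(corsFilter);
            // Set to Ordered.HIGHEST_PRECEDENCE so the filter runs ahead of security
            filterRegistrationBean.setOrder(Ordered.HIGHEST_PRECEDENCE);
            return filterRegistrationBean;
        }
    }
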
Problem solved...
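
The configuration above allows every origin while also allowing credentials. As an added example (not code from the original post or its sample project), here is the same registration with an explicit origin allow-list. The class name, bean name and origins are placeholders, and Spring Boot 2.x (generic FilterRegistrationBean) is assumed.

```java
import java.util.Arrays;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

/**
 * Added example: the same filter registration as CorsConfig,
 * with an origin allow-list in place of "*".
 */
@Configuration
public class RestrictedCorsConfig { // hypothetical class name

    // Assumption: placeholder front-end origins; replace with the real ones.
    private static final String[] FRONTEND_ORIGINS = {
        "https://app.example.com", "http://localhost:8080"
    };

    @Bean
    public FilterRegistrationBean<CorsFilter> restrictedCorsFilter() {
        CorsConfiguration config = new CorsConfiguration();
        // Only these origins are accepted; CorsFilter rejects a cross-origin
        // request that comes from any other origin.
        config.setAllowedOrigins(Arrays.asList(FRONTEND_ORIGINS));
        // Credentials are allowed only for the allow-listed origins.
        config.setAllowCredentials(true);
        config.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        config.setAllowedHeaders(
            Arrays.asList("Authorization", "Content-Type", "X-Requested-With", "x-auth-token"));
        config.setExposedHeaders(Arrays.asList("x-auth-token"));
        config.setMaxAge(300L); // preflight result may be cached for 300 seconds

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);

        FilterRegistrationBean<CorsFilter> registration =
            new FilterRegistrationBean<>(new CorsFilter(source));
        // Run ahead of the Spring Security filter chain, so a preflight OPTIONS
        // request is answered by CorsFilter before any authentication filter.
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return registration;
    }
}
```
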
Handling the OPTIONS request
For an introduction to OPTIONS, see MDN Web Docs.
When sending a POST request, you will find that an OPTIONS request is sent before the actual one.
Because the OPTIONS request carries no authentication information, it is intercepted with a permission error, and the real request never follows.
Now we just need to let the OPTIONS request through so that it returns a 200 status.
There are many ways to do this: you can let it through in the Zuul gateway, or add it to security's ignore list.
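
    import org.springframework.http.HttpMethod;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
        // ...
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // ...
            // Let requests of type OPTIONS through without interception.
            // This permits every OPTIONS request on any path without authentication.
            http.authorizeRequests().antMatchers(HttpMethod.OPTIONS).permitAll();
            // ...
        }
    }
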
Now everything works.
Summary
A simple bug is simple to solve, but a bug that appears where frameworks intersect leaves you feeling powerless. For an inexplicable problem like this, you need to patiently trace how the source code runs.
Sample code: Zuul-Security
GitHub: Purgeyao (follows welcome)