
CORS request is forbidden

Open fragaLY opened this issue 4 years ago • 9 comments

Description

I'm using 2020.0.3 version of Gateway. When I'm trying to send the POST request to gateway the preflight request works correctly but the main POST method is forbidden.

Configurations

application.yml

```yaml
spring:
  application:
    name: gateway-service
  config:
    activate:
      on-profile: default
    import: configserver:http://localhost:8088?fail-fast=true&max-attempts=3&max-interval=1500&multiplier=1.2&initial-interval=1100

server:
  port: 8082
```

gateway-service.yml

```yaml
server:
  port: 8082
  shutdown: graceful

spring:
  main:
    banner-mode: off
  lifecycle:
    timeout-per-shutdown-phase: 60s
  zipkin:
    kafka:
      topic: zipkin
    sender:
      type: KAFKA
  kafka:
    bootstrap-servers: http://localhost:9092, http://localhost:9093, http://localhost:9094
    listener:
      missing-topics-fatal: false
  thymeleaf:
    enabled: false
  cloud:
    gateway:
      globalcors:
        corsConfigurations:
          '[/]':
            allowedOrigins:
              - "*"
            allowedMethods:
              - POST
              - PUT
              - OPTIONS
      routes:
        - id: notification-service
          uri: http://localhost:8083
          predicates:
            - Path=/api/notifications/
            - Header=X-CSRF-TOKEN, [0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}
          filters:
            - name: NotificationPreFilter
            - name: NotificationPostFilter

logging:
  level:
    org.springframework: info
    org.springframework.cloud: info
    com.api.gateway.demo: info
```

NotificationPreFilter.kt

```kotlin
/** @author Vadzim_Kavalkou */
@Component
class NotificationPreFilter :
    AbstractGatewayFilterFactory<NotificationPreFilter.Config>(Config::class.java) {

    private val logger = LoggerFactory.getLogger(javaClass)

    class Config

    override fun apply(config: Config?) =
        GatewayFilter { exchange: ServerWebExchange?, chain: GatewayFilterChain ->
            chain.filter(exchange).then(Mono.fromRunnable { logger.info("[GATEWAY] Request with [ TraceId = ${exchange?.request?.headers?.get("X-Cloud-Trace-Context")}] and [CSRF token = ${exchange?.request?.headers?.get("X-CSRF-TOKEN")}] pre handling.") })
        }
}
```

NotificationPostFilter.kt

```kotlin
/** @author Vadzim_Kavalkou */
@Component
class NotificationPostFilter :
    AbstractGatewayFilterFactory<NotificationPostFilter.Config>(Config::class.java) {

    private val logger = LoggerFactory.getLogger(javaClass)

    class Config

    override fun apply(config: Config?): GatewayFilter {
        return GatewayFilter { exchange: ServerWebExchange?, chain: GatewayFilterChain ->
            chain.filter(exchange)
                .then(Mono.fromRunnable {
                    logger.info("[GATEWAY] Post filter")
                    when (exchange?.response?.statusCode) {
                        HttpStatus.NO_CONTENT -> exchange.response.headers["post-filter"] =
                            mutableListOf(UUID.randomUUID().toString())
                        else -> logger.warn("[GATEWAY] Something went wrong. Response status is [${exchange?.response?.statusCode}]")
                    }
                })
        }
    }
}
```

Preflight request: image

Post method invocation: image

fragaLY avatar Jul 06 '21 08:07 fragaLY

Can you provide a complete, minimal, verifiable sample that reproduces the problem? It should be available as a GitHub (or similar) project or attached to this issue as a zip file.

tony-clarke-amdocs avatar Jul 06 '21 12:07 tony-clarke-amdocs

@tony-clarke-amdocs https://github.com/fragaLY/notification - the project https://github.com/fragaLY/notification-configs - the configs

fragaLY avatar Jul 07 '21 12:07 fragaLY

Is this the minimal sample that reproduces the problem? Is there a unit test that you can add that will illustrate the issue?

tony-clarke-amdocs avatar Jul 07 '21 13:07 tony-clarke-amdocs

Yes, you can easily reproduce it by just replacing the default config ( application.yml) with the config from configs (gateway-service.yml).

There are no tests. It was smoke testing for PoC.

fragaLY avatar Jul 07 '21 15:07 fragaLY

I spent 20 minutes trying to work with this git repository, but I have to time box it. Looking at the screenshots, things look correct. I suggest you turn on trace logging for package: org.springframework.web.cors.reactive. It does log the reason why it rejects the request. Alternatively, you can look at the unit test here and try to determine any differences.

tony-clarke-amdocs avatar Jul 09 '21 17:07 tony-clarke-amdocs

@tony-clarke-amdocs

This is the output with trace:

```
18:02:39.214 [reactor-http-nio-2] TRACE o.s.w.s.a.HttpWebHandlerAdapter - [c199e2e5-1, L:/0:0:0:0:0:0:0:1:8082 - R:/0:0:0:0:0:0:0:1:58608] HTTP OPTIONS "/api/notifications", headers={masked}
18:02:39.219 [reactor-http-nio-2] DEBUG o.s.c.s.i.web.TraceWebFilter - Received a request to uri [/api/notifications]
18:02:39.222 [reactor-http-nio-2] TRACE o.s.b.f.s.DefaultListableBeanFactory - Returning cached instance of singleton bean 'braveSpanFromContextRetriever'
18:02:39.231 [reactor-http-nio-2] DEBUG o.s.c.s.i.web.TraceWebFilter - Handled receive of span RealSpan(1132e1c04c8eede6/1132e1c04c8eede6)
18:02:39.233 [reactor-http-nio-2] TRACE o.s.c.g.f.WeightCalculatorWebFilter - Weights attr: {}
18:02:39.251 [reactor-http-nio-2] TRACE o.s.c.g.h.p.PathRoutePredicateFactory - Pattern "/api/notifications/**" matches against value "/api/notifications"
18:02:39.252 [reactor-http-nio-2] TRACE o.s.c.g.h.RoutePredicateHandlerMapping - No RouteDefinition found for [Exchange: OPTIONS http://localhost:8082/api/notifications]
18:02:39.252 [reactor-http-nio-2] DEBUG o.s.w.r.h.SimpleUrlHandlerMapping - [c199e2e5-1, L:/0:0:0:0:0:0:0:1:8082 - R:/0:0:0:0:0:0:0:1:58608] Mapped to ResourceWebHandler ["classpath:/META-INF/resources/", "classpath:/resources/", "classpath:/static/", "classpath:/public/"]
18:02:39.253 [reactor-http-nio-2] DEBUG o.s.c.s.i.web.TraceWebFilter - Adding a class tag with value [ResourceWebHandler] to a span RealSpan(1132e1c04c8eede6/1132e1c04c8eede6)
18:02:39.261 [reactor-http-nio-2] DEBUG o.s.c.s.i.web.TraceWebFilter - Handled send of RealSpan(1132e1c04c8eede6/1132e1c04c8eede6)
18:02:39.261 [reactor-http-nio-2] TRACE o.s.w.s.a.HttpWebHandlerAdapter - [c199e2e5-1, L:/0:0:0:0:0:0:0:1:8082 - R:/0:0:0:0:0:0:0:1:58608] Completed 403 FORBIDDEN, headers={masked}
18:02:39.264 [reactor-http-nio-2] TRACE o.s.h.s.r.ReactorHttpHandlerAdapter - [c199e2e5-1, L:/0:0:0:0:0:0:0:1:8082 - R:/0:0:0:0:0:0:0:1:58608] Handling completed
```

As I can see, even the preflight doesn't work correctly. I made no changes since the previous time due to vacation.

fragaLY avatar Jul 15 '21 15:07 fragaLY

@fragaLY But none of those logs are coming from org.springframework.web.cors.reactive.DefaultCorsProcessor. Is it possible that the actual target URI implementation is raising the 403?

tony-clarke-amdocs avatar Jul 15 '21 16:07 tony-clarke-amdocs
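
An added example, not part of the thread or the project's code: a Python script that reads trace output in the format posted above and reports, per request, the final status, whether the gateway logged "No RouteDefinition found", which handler the request was mapped to, and how many lines came from the `org.springframework.web.cors.reactive` package. The sample lines are copied from the trace above; grouping lines by thread name and the abbreviated logger prefix `o.s.w.c.r.` are assumptions based on the log format shown.

```python
import re

# Five lines copied from the trace posted in the thread above.
TRACE = '''
18:02:39.214 [reactor-http-nio-2] TRACE o.s.w.s.a.HttpWebHandlerAdapter - [c199e2e5-1, L:/0:0:0:0:0:0:0:1:8082 - R:/0:0:0:0:0:0:0:1:58608] HTTP OPTIONS "/api/notifications", headers={masked}
18:02:39.251 [reactor-http-nio-2] TRACE o.s.c.g.h.p.PathRoutePredicateFactory - Pattern "/api/notifications/**" matches against value "/api/notifications"
18:02:39.252 [reactor-http-nio-2] TRACE o.s.c.g.h.RoutePredicateHandlerMapping - No RouteDefinition found for [Exchange: OPTIONS http://localhost:8082/api/notifications]
18:02:39.252 [reactor-http-nio-2] DEBUG o.s.w.r.h.SimpleUrlHandlerMapping - [c199e2e5-1, L:/0:0:0:0:0:0:0:1:8082 - R:/0:0:0:0:0:0:0:1:58608] Mapped to ResourceWebHandler ["classpath:/META-INF/resources/", "classpath:/resources/", "classpath:/static/", "classpath:/public/"]
18:02:39.261 [reactor-http-nio-2] TRACE o.s.w.s.a.HttpWebHandlerAdapter - [c199e2e5-1, L:/0:0:0:0:0:0:0:1:8082 - R:/0:0:0:0:0:0:0:1:58608] Completed 403 FORBIDDEN, headers={masked}
'''

# time [thread] LEVEL logger - message
LINE = re.compile(r"^(\S+) \[([^\]]+)\] +(\w+) +(\S+) - (.*)$")
# Full package name, plus the abbreviated form assumed from the log pattern above.
CORS_PREFIXES = ("org.springframework.web.cors.reactive.", "o.s.w.c.r.")

def triage(trace):
    """Return one summary dict per completed request found in the trace."""
    open_by_thread, done = {}, []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        _, thread, _, logger, msg = m.groups()
        start = re.search(r'HTTP (\w+) "([^"]+)"', msg)
        if logger.endswith("HttpWebHandlerAdapter") and start:
            # Assumption: one in-flight request per thread at a time.
            open_by_thread[thread] = {"method": start[1], "path": start[2],
                                      "status": None, "no_route_found": False,
                                      "handler": None, "cors_lines": 0}
            continue
        req = open_by_thread.get(thread)
        if req is None:
            continue
        if logger.startswith(CORS_PREFIXES):
            req["cors_lines"] += 1
        if "No RouteDefinition found" in msg:
            req["no_route_found"] = True
        mapped = re.search(r"Mapped to (\w+)", msg)
        if mapped:
            req["handler"] = mapped[1]
        end = re.search(r"Completed (\d{3})", msg)
        if end:
            req["status"] = int(end[1])
            done.append(open_by_thread.pop(thread))
    return done

if __name__ == "__main__":
    for summary in triage(TRACE):
        print(summary)
```
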

It could be. I will try to investigate it. We can close the current issue. If I have additional information, I will reopen.

fragaLY avatar Jul 20 '21 07:07 fragaLY

@fragaLY Maybe you can refer to this: https://github.com/spring-cloud/spring-cloud-gateway/issues/2472#issuecomment-1233659197

lgscofield avatar Sep 01 '22 02:09 lgscofield

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

spring-cloud-issues avatar Mar 20 '24 22:03 spring-cloud-issues

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.

spring-cloud-issues avatar Mar 27 '24 22:03 spring-cloud-issues