Can't seem to get a CORS filter to work with Zuul as a proxy to a backend user service to support a web client running on another port in dev mode using gulp serve. This is important for front-end productivity:
XMLHttpRequest cannot load http://localhost:5000/user/v1/users. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access. The response had HTTP status code 403.
Zuul security config is:
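    import org.springframework.boot.autoconfigure.security.SecurityProperties;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.ComponentScan;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.context.annotation.ImportResource;
    import org.springframework.context.annotation.PropertySource;
    import org.springframework.core.annotation.Order;
    import org.springframework.http.HttpMethod;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.web.cors.CorsConfiguration;
    import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
    import org.springframework.web.filter.CorsFilter;

    @Configuration
    @EnableWebSecurity
    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    @ComponentScan("com.auth0")
    @ImportResource("classpath:auth0-security-context.xml")
    @PropertySource("classpath:auth0.properties")
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        // CORS filter applied to every path handled by the proxy
        @Bean
        public CorsFilter corsFilter() {
            final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
            final CorsConfiguration config = new CorsConfiguration();
            config.setAllowCredentials(true);
            config.addAllowedOrigin("*");
            config.addAllowedHeader("*");
            config.addAllowedMethod("OPTIONS");
            config.addAllowedMethod("HEAD");
            config.addAllowedMethod("GET");
            config.addAllowedMethod("PUT");
            config.addAllowedMethod("POST");
            config.addAllowedMethod("DELETE");
            config.addAllowedMethod("PATCH");
            source.registerCorsConfiguration("/**", config);
            return new CorsFilter(source);
        }

        /**
         * Define the security that applies to the proxy
         */
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                .logout().and()
                .authorizeRequests()
                    // let CORS preflight requests through without authentication
                    .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                    .anyRequest().authenticated().and()
                .csrf().disable();
        }
    }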
Any ideas?
I guess your CorsFilter is not reached because of some security configuration that we can't see. You could register it with a low order to make sure it runs before the security filter.
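The suggestion above (register the CORS filter with a low order so it runs before the security filter), as an added example that is not code from this thread or from the project. It assumes Spring Boot 1.4 or later for the `FilterRegistrationBean` package; the class name `DevCorsConfig`, the allowed-header list and the max-age value are assumptions, and the origin is the one named in the error message.

```java
import java.util.Arrays;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

// Added example; DevCorsConfig is a hypothetical class name.
@Configuration
public class DevCorsConfig {

    @Bean
    public FilterRegistrationBean corsFilterRegistration() {
        CorsConfiguration config = new CorsConfiguration();
        // Name the dev client's origin (from the error message) rather than "*":
        // combined with allowCredentials, a wildcard would admit any site's origin
        // for credentialed cross-origin calls through the proxy.
        config.setAllowedOrigins(Arrays.asList("http://localhost:3000"));
        config.setAllowCredentials(true);
        config.setAllowedMethods(Arrays.asList(
                "OPTIONS", "HEAD", "GET", "PUT", "POST", "DELETE", "PATCH"));
        // Assumed header set; list only what the web client actually sends.
        config.setAllowedHeaders(Arrays.asList("Authorization", "Content-Type"));
        // Let the browser cache the preflight result for an hour (assumed value).
        config.setMaxAge(3600L);

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);

        FilterRegistrationBean registration =
                new FilterRegistrationBean(new CorsFilter(source));
        // HIGHEST_PRECEDENCE places this filter ahead of the Spring Security
        // filter chain, so the OPTIONS preflight is answered with the CORS
        // headers before any authentication check can reject it.
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return registration;
    }
}
```

With the filter registered this way, the separate `CorsFilter` bean is not needed, since declaring both would register the filter twice.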
This call below needed to be added in order for the configure(HttpSecurity http) to be called so that the CORS filter could be correctly registered. You can close.
    @Bean(name = "authenticationManager")
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
I doubt that had any effect on the CORS filter, but it's good if you got it working.