How CORS (cross-domain) works

Detailed introductions (background reading):

  • SpringBoot implements cross-domain access (CORS) with front-end/back-end separation
  • Cross-domain resource sharing (CORS)
  • Stop asking me cross-domain questions

To sum up: when a browser makes an Ajax request to a target server that is not under the same domain (origin) as the current page, the browser blocks the page from accessing the response. To support cross-domain calls, browser and server need to work together:

  • The browser adds request headers when it sends the request
    • Origin: the origin (scheme, host and port) of the page making the cross-domain request
    • Access-Control-Request-Method: the method of the cross-domain request (such as GET/POST), sent with the preflight request
    • Access-Control-Request-Headers: the non-standard request headers the cross-domain request will carry, sent with the preflight request

When the browser initiates a cross-domain request, these request headers are added automatically; no manual handling is needed (and a page cannot forge or remove them).

  • The server adds response headers when it replies
    • Access-Control-Allow-Origin: the origin that is allowed to make cross-domain requests
    • Access-Control-Allow-Credentials: whether the browser may send and expose user credentials (cookies, HTTP authentication) on the cross-domain request (boolean)
    • Access-Control-Allow-Methods: the HTTP methods allowed for cross-domain requests (for example, enabling only GET/POST)
    • Access-Control-Allow-Headers: the request headers allowed on cross-domain requests
    • Access-Control-Expose-Headers: which response headers are exposed to the client. (For security reasons, the cross-domain communication object XMLHttpRequest can only read the basic response headers unless additional ones are explicitly exposed.)
    • Access-Control-Max-Age: how long, in seconds, the browser may cache the result of a preflight request. (For preflight requests, see the "non-simple request" section of Ruan Yifeng's article linked above.)

The browser decides whether to allow the page access to the cross-domain response based on these server response headers.

CORS implementation

SpringBoot
  • Method 1: Return a new CorsFilter bean
  • Method 2: Override WebMvcConfigurer (addCorsMappings)
  • Method 3: Use the @CrossOrigin annotation
  • Method 4: Manually set the response headers on HttpServletResponse

See the SpringBoot article linked above for details.

Spring Cloud Gateway

In a microservices architecture, instead of configuring cross-domain support separately inside each microservice, we can enable it globally in the API gateway. Add the following to the Spring Cloud Gateway's YAML configuration file:

spring:
  cloud:
    gateway:
      globalcors:
        cors-configurations:
          '[/**]':
            allowedOrigins: "*"
            allowedHeaders: "*"
            allowedMethods: "*"
            allowCredentials: true

Pitfall

Once our system needed to enable cross-domain support. After configuring it in the way above, we tested with Postman, and no matter which way we configured it, no response headers were returned. When I suspected it was a Spring bug, I added the Origin header in Postman and it worked. Later, I looked at the Spring source code, which determines whether the current request is a cross-domain request, and only for cross-domain requests does it execute the logic that adds the response headers.
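Added example (not Spring's code or the original post's): the decision logic the pitfall describes, mirrored in Python, with a constructed server origin and allow-list as assumptions. A request without Origin, or whose Origin equals the server's own, gets no CORS headers at all; an allowed Origin gets them, and a preflight is checked against the allowed methods and headers.

```python
from urllib.parse import urlsplit

# Constructed for the example: the origin this API is served from and an explicit
# allow-list (no "*": browsers refuse a wildcard on credentialed requests).
SERVER_ORIGIN = "https://api.example.com"
ALLOWED_ORIGINS = {"https://app.example.com"}
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_HEADERS = {"content-type", "authorization"}

def _origin_tuple(url):
    """(scheme, host, port) with default ports filled in, so :443 == no port."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or (443 if u.scheme == "https" else 80))

def is_cors_request(headers):
    """CORS only when Origin is present AND differs from the server's own origin;
    a Postman call without Origin never qualifies, hence no headers in the reply."""
    origin = headers.get("origin")
    return origin is not None and _origin_tuple(origin) != _origin_tuple(SERVER_ORIGIN)

def is_preflight(method, headers):
    """Preflight = OPTIONS + Origin + Access-Control-Request-Method."""
    return (method == "OPTIONS" and is_cors_request(headers)
            and "access-control-request-method" in headers)

def cors_headers(method, headers):
    """Response headers to add, or {} when the request is not CORS or is rejected
    (with no headers the browser blocks the page's access to the response)."""
    if not is_cors_request(headers) or headers["origin"] not in ALLOWED_ORIGINS:
        return {}
    resp = {"Access-Control-Allow-Origin": headers["origin"],   # echo matched origin
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}                                   # caches key on Origin
    if is_preflight(method, headers):
        req_method = headers["access-control-request-method"].upper()
        req_headers = {h.strip().lower() for h in
                       headers.get("access-control-request-headers", "").split(",")
                       if h.strip()}
        if req_method not in ALLOWED_METHODS or not req_headers <= ALLOWED_HEADERS:
            return {}                                           # preflight rejected
        resp["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        if req_headers:
            resp["Access-Control-Allow-Headers"] = ", ".join(sorted(req_headers))
        resp["Access-Control-Max-Age"] = "3600"                 # cache preflight result
    else:
        resp["Access-Control-Expose-Headers"] = "X-Request-Id"  # beyond the safelist
    return resp
```

Browsers refuse Access-Control-Allow-Origin: * on credentialed requests, and recent Spring Framework versions (5.3 and later) reject allowedOrigins "*" combined with allowCredentials: true at startup, so the example echoes the matched origin from an explicit list instead.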