0

In my setup I have a service behind a Zuul gateway, configured with Spring Security; my client is a simple website performing an AJAX-request to the gateway.

I placed the CrossOrigin-Annotation on the endpoint in the service controller, so performing a request directly to the service passes; pointing the request to the gateway currently ends up in a 401 error in my OPTIONS-request.

It seems like the request with the Authorization Header doesn't reach Spring Security, as this header isn't allowed right now.

Currently I extend the WebSecurityConfigurerAdapter to permit all Options-requests.

EDIT: Question: How do I configure Spring Security to not require authentication for OPTIONS-requests?

EDIT2: I created a GIST with the relevant code:

  • Client: hello.js, index.html
  • Gateway: WebSecurityConfig.java, SimpleCORSFilter.java, GatewayApp.java
  • Service: ContactController.java

EDIT2: After gathering more information about OPTIONS-Preflight and Spring (Security) it seems like the problem comes from Spring Security.

We use a bearer token to authorize the clients, so the browser sends an OPTIONS-Preflight request to the server. The server is secured by Spring Security, which doesn't find a valid authorization header and therefore returns with 401-unauthorized.

Kevin Raddatz

2 Answers

1

You have to specify the allowed origin in your CrossOrigin annotation.

```java
@CrossOrigin(origins = "http://allowed-domain.com")
```

Here you have an example: https://spring.io/blog/2015/06/08/cors-support-in-spring-framework

Ignasi
  • I already have this in my service and this works pretty good if I call the service directly without the gateway, but unfortunately I have to use the gateway. Can I use this annotation also there? – Kevin Raddatz Jun 06 '18 at 12:08
  • If the gateway always uses a defined range of IPs you could include them into the `@CrossOrigin`. Otherwise I think you have to allow the `OPTION` method on your server side. – Ignasi Jun 06 '18 at 12:13
  • And how would I allow the `OPTION` method – Kevin Raddatz Jun 06 '18 at 12:17
  • And it appears, that the request doesn't reach the service, but is already rejected by the gateway – Kevin Raddatz Jun 06 '18 at 12:46
  • To allow `OPTION` you could use: https://stackoverflow.com/questions/41075850/how-to-configure-cors-and-basic-authorization-in-spring-boot/41145670#41145670 – Ignasi Jun 06 '18 at 13:50
  • I already do: https://gist.github.com/chronm/b119b87878159bb3527cec13cf3397c1#file-websecurityconfig-java – Kevin Raddatz Jun 06 '18 at 16:38
  • Is your request being rejected by the gateway as you said? Because then your problem is not related to Spring configuration – Ignasi Jun 06 '18 at 16:47
  • I don't think it is rejected by the gateway any more, as I learned more about OPTIONS-Preflight. I updated my question – Kevin Raddatz Jun 08 '18 at 07:05
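The situation described in the question (a preflight that carries no `Authorization` header and is answered with 401) is usually handled by letting Spring Security's own CORS support answer the preflight before authentication runs. The following is an added example, not code from the question's gist or from either answerer; it assumes Spring Security 5.x with `WebSecurityConfigurerAdapter` as used in the question, and the class name `GatewayCorsSecurityConfig` and the origin `https://frontend.example` are placeholders.

```java
import java.util.Arrays;
import java.util.Collections;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

// Hypothetical gateway-side configuration (class name is an assumption).
@Configuration
@EnableWebSecurity
public class GatewayCorsSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // cors() registers a CorsFilter ahead of the authentication filters.
            // A preflight from an allowed origin is answered there, so it never
            // reaches the bearer-token check that would return 401.
            .cors().and()
            .authorizeRequests()
                // The actual GET/POST still needs a valid token; the token
                // validation itself is not shown and stays as already configured.
                .anyRequest().authenticated();
    }

    // cors() picks up a bean with this name when no source is passed explicitly.
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        // Name the frontend origin explicitly (placeholder value) instead of "*".
        config.setAllowedOrigins(Collections.singletonList("https://frontend.example"));
        config.setAllowedMethods(Arrays.asList("GET", "POST", "OPTIONS"));
        // The preflight asks whether Authorization may be sent; it must be listed.
        config.setAllowedHeaders(Arrays.asList("Authorization", "Content-Type"));
        config.setMaxAge(3600L); // seconds the browser may cache the preflight result

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return source;
    }
}
```

With this in place only preflights from the listed origin are answered without credentials; OPTIONS requests that are not CORS preflights still go through authentication.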
0

I know my answer is a bit off topic, but the way I usually handle this problem is to use an HTTP server (like nginx). This server is the frontend and redirects requests to the backend or the frontend (so, from the browser's view, all servers are in the same domain).

Oreste Viron
  • To be honest, I would do this the same, but unfortunately I don't have control over this. We have a domain for the frontend, and one for the backend. – Kevin Raddatz Jun 08 '18 at 06:58