SpringCloudGateway Access-Allow-Origin header contains multiple values“*, *”,but only one is allowed-蒲公英云

SpringCloudGateway Access-Allow-Origin header contains multiple values“*, *”,but only one is allowed

问题现象

在spring cloud gateway网关中加入了跨域支持，但是报了如下错误：

The ‘Access-Control-Allow-Origin’ header contains multiple values “*, *”, but only one is allowed.

错误显示设置了两次Access-Control-Allow-Origin:*。

问题原因

经查看请求报文和错误确定是 Access-Control-Allow-Origin 出现了多个值（浏览器目前是不允许的），其原因是是在 gateway 中配置过了 Access-Control-Allow-Origin，后端服务的开发人员也配置了 Access-Control-Allow-Origin，导致 response 在响应的时候 Access-Control-Allow-Origin 出现了多个值（不管两个值相同还是不同浏览器目前都会报错），截图如下：
在这里插入图片描述

解决该问题的思路

可以将所有后端服务的跨域处理都去除，交网关统一处理
可以将网关的处理去除（那么后端所有服务都需要添加）
在网关做去重处理，只保留一个值响应给浏览器（这是本文选择的处理方法）

解决方案

1 设置跨域：

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.web.cors.reactive.CorsUtils;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
/** * @author mazhen * @className CorsConfig * @Description TODO * @date 2020/12/14 19:09 */
@Configuration
public class GatewayCorsConfig { 
    private static final String MAX_AGE = "18000L";
    @Bean
    public WebFilter corsFilter() { 
        return (ServerWebExchange ctx, WebFilterChain chain) -> { 
            ServerHttpRequest request = ctx.getRequest();
            if (CorsUtils.isCorsRequest(request)) { 
                HttpHeaders requestHeaders = request.getHeaders();
                ServerHttpResponse response = ctx.getResponse();
                HttpMethod requestMethod = requestHeaders.getAccessControlRequestMethod();
                HttpHeaders headers = response.getHeaders();
                headers.add(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, requestHeaders.getOrigin());
                headers.addAll(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS, requestHeaders
                        .getAccessControlRequestHeaders());
                if(requestMethod != null){ 
                    headers.add(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, requestMethod.name());
                }
                headers.add(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
                headers.add(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS, "*");
                headers.add(HttpHeaders.ACCESS_CONTROL_MAX_AGE, MAX_AGE);
                if (request.getMethod() == HttpMethod.OPTIONS) { 
                    response.setStatusCode(HttpStatus.OK);
                    return Mono.empty();
                }
            }
            return chain.filter(ctx);
        };
    }
}

2 修改响应头，去掉*:

package com.cloudpath.gateway.portal.config.cors;
import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.cloud.gateway.filter.NettyWriteResponseFilter;
import org.springframework.core.Ordered;
import org.springframework.http.HttpHeaders;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
import java.util.ArrayList;
/** * @author mazhen * @className CorsResponseHeaderFilter * @Description TODO * @date 2020/12/14 19:16 */
@Component("corsResponseHeaderFilter")
public class CorsResponseHeaderFilter implements GlobalFilter, Ordered { 
    @Override
    public int getOrder() { 
        // 指定此过滤器位于NettyWriteResponseFilter之后
        // 即待处理完响应体后接着处理响应头
        return NettyWriteResponseFilter.WRITE_RESPONSE_FILTER_ORDER + 1;
    }
    /** * Process the Web request and (optionally) delegate to the next {@code WebFilter} * through the given {@link GatewayFilterChain}. * * @param exchange the current server exchange * @param chain provides a way to delegate to the next filter * @return {@code Mono<Void>} to indicate when request processing is complete */
    @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) { 
        return chain.filter(exchange).then(Mono.defer(() -> { 
            exchange.getResponse().getHeaders().entrySet().stream()
                    .filter(kv -> (kv.getValue() != null && kv.getValue().size() > 1))
                    .filter(kv -> (kv.getKey().equals(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)
                            || kv.getKey().equals(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)))
                    .forEach(kv -> { 
                        kv.setValue(new ArrayList<String>() { { 
                            add(kv.getValue().get(0));
                        }});
                    });
            return chain.filter(exchange);
        }));
    }
}