SpringCloudGateway Access-Allow-Origin header contains multiple values“, ”,but only one is allowed

朴灿烈づ我的快乐病毒、 2022-12-28 06:11 32阅读 0赞

### 问题现象 ###

在spring cloud gateway网关中加入了跨域支持，但是报了如下错误：

The ‘Access-Control-Allow-Origin’ header contains multiple values “*, *”, but only one is allowed.

错误显示设置了两次Access-Control-Allow-Origin:\*。

### 问题原因 ###

经查看请求报文和错误确定是 Access-Control-Allow-Origin 出现了多个值（浏览器目前是不允许的），其原因是是在 gateway 中配置过了 Access-Control-Allow-Origin，后端服务的开发人员也配置了 Access-Control-Allow-Origin，导致 response 在响应的时候 Access-Control-Allow-Origin 出现了多个值（不管两个值相同还是不同浏览器目前都会报错），截图如下：  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L21hbWVuZzE5ODg_size_16_color_FFFFFF_t_70]

### 解决该问题的思路 ###

*  可以将所有后端服务的跨域处理都去除，交网关统一处理
 *  可以将网关的处理去除（那么后端所有服务都需要添加）
 *  在网关做去重处理，只保留一个值响应给浏览器（这是本文选择的处理方法）

### 解决方案 ###

1 设置跨域：

import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.http.HttpHeaders;
    import org.springframework.http.HttpMethod;
    import org.springframework.http.HttpStatus;
    import org.springframework.http.server.reactive.ServerHttpRequest;
    import org.springframework.http.server.reactive.ServerHttpResponse;
    import org.springframework.web.cors.reactive.CorsUtils;
    import org.springframework.web.server.ServerWebExchange;
    import org.springframework.web.server.WebFilter;
    import org.springframework.web.server.WebFilterChain;
    import reactor.core.publisher.Mono;
    
    /** * @author mazhen * @className CorsConfig * @Description TODO * @date 2020/12/14 19:09 */
    @Configuration
    public class GatewayCorsConfig { 
        private static final String MAX_AGE = "18000L";
        @Bean
        public WebFilter corsFilter() { 
            return (ServerWebExchange ctx, WebFilterChain chain) -> { 
                ServerHttpRequest request = ctx.getRequest();
    
                if (CorsUtils.isCorsRequest(request)) { 
                    HttpHeaders requestHeaders = request.getHeaders();
                    ServerHttpResponse response = ctx.getResponse();
                    HttpMethod requestMethod = requestHeaders.getAccessControlRequestMethod();
                    HttpHeaders headers = response.getHeaders();
                    headers.add(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, requestHeaders.getOrigin());
                    headers.addAll(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS, requestHeaders
                            .getAccessControlRequestHeaders());
                    if(requestMethod != null){ 
                        headers.add(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, requestMethod.name());
                    }
                    headers.add(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
                    headers.add(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS, "*");
                    headers.add(HttpHeaders.ACCESS_CONTROL_MAX_AGE, MAX_AGE);
                    if (request.getMethod() == HttpMethod.OPTIONS) { 
                        response.setStatusCode(HttpStatus.OK);
                        return Mono.empty();
                    }
                }
                return chain.filter(ctx);
            };
        }
    }

2 修改响应头，去掉\*:

package com.cloudpath.gateway.portal.config.cors;
    
    import org.springframework.cloud.gateway.filter.GatewayFilterChain;
    import org.springframework.cloud.gateway.filter.GlobalFilter;
    import org.springframework.cloud.gateway.filter.NettyWriteResponseFilter;
    import org.springframework.core.Ordered;
    import org.springframework.http.HttpHeaders;
    import org.springframework.stereotype.Component;
    import org.springframework.web.server.ServerWebExchange;
    import reactor.core.publisher.Mono;
    
    import java.util.ArrayList;
    
    /** * @author mazhen * @className CorsResponseHeaderFilter * @Description TODO * @date 2020/12/14 19:16 */
    @Component("corsResponseHeaderFilter")
    public class CorsResponseHeaderFilter implements GlobalFilter, Ordered { 
    
        @Override
        public int getOrder() { 
            // 指定此过滤器位于NettyWriteResponseFilter之后
            // 即待处理完响应体后接着处理响应头
            return NettyWriteResponseFilter.WRITE_RESPONSE_FILTER_ORDER + 1;
        }
    
        /** * Process the Web request and (optionally) delegate to the next {@code WebFilter} * through the given {@link GatewayFilterChain}. * * @param exchange the current server exchange * @param chain provides a way to delegate to the next filter * @return {@code Mono<Void>} to indicate when request processing is complete */
        @Override
        public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) { 
            return chain.filter(exchange).then(Mono.defer(() -> { 
                exchange.getResponse().getHeaders().entrySet().stream()
                        .filter(kv -> (kv.getValue() != null && kv.getValue().size() > 1))
                        .filter(kv -> (kv.getKey().equals(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN)
                                || kv.getKey().equals(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)))
                        .forEach(kv -> { 
                            kv.setValue(new ArrayList<String>() { { 
                                add(kv.getValue().get(0));
                            }});
                        });
    
                return chain.filter(exchange);
            }));
        }
    }

到这里，就解决了问题！

[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L21hbWVuZzE5ODg_size_16_color_FFFFFF_t_70]: /images/20221120/c23cc69e787c4df98fbef0042a2ff62a.png

SpringCloudGateway Access-Allow-Origin header contains multiple values“, ”,but only one is allowed

发表评论取消回复

还没有评论，来说两句吧...

相关阅读

相关解决：The 'Access-Control-Allow-Origin' header contains multiple values'x, *', but only one is allowed

相关 No ‘Access-Control-Allow-Origin‘ header is present on the requested resource.

相关 SpringCloudGateway Access-Allow-Origin header contains multiple values“, ”,but only one is allowed

相关 No ‘Access-Control-Allow-Origin‘ header is present on the requested resource.

相关 the 'access-control-allow-origin' header has a value 'http://localhost' but origin is null

相关 Spring Cloud Zuul The 'Access-Control-Allow-Origin' header contains multiple values

相关 has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values '

相关 The 'Access-Control-Allow-Origin' header contains multiple values', ', but only one is allowed.

相关解决：The ‘Access-Control-Allow-Origin‘ header contains multiple values‘x, *‘, but only one is allowed.

相关 No 'Access-Control-Allow-Origin' header is present on the requested resource.