
Swagger UI API testing: 'Invalid CORS Request' response for all request methods except 'GET' requests #488

Open
devcode100 opened this issue Nov 15, 2020 · 6 comments

Comments

@devcode100

Overview of the issue:

version: 6.3.0

I have set up the JHipster registry project for Swagger API documentation. It's now the central place for the gateway and all other microservices' APIs.
When testing APIs for the gateway and other microservices, if the request verb is other than 'GET', i.e. if the request method is POST, PUT or DELETE, 'Invalid CORS request' is thrown.
Response status: 403, Invalid CORS request
All API requests with the GET verb work fine.

Context path is configured as below:
jhipster registry: /registry
gateway: /gateway

In the local setup (profile local) everything works fine from Swagger UI, but once it's deployed to the respective environments, requests start failing.

Please find below the Swagger-generated URLs for API testing:
gateway authentication API:
https://xx.99.xx.64/registry/services/gateway/gateway:78b627b6a671cd1a33e53ae603e0eb12/gateway/api/authenticate
microservice: micro1
https://xx.99.xx.64/registry/services/micro1/micro1:a8ebfb8ee491ceceda595c63e3e87966/api/save

These APIs fail from Swagger, but work fine when tested through Postman.

CORS configuration for registry and gateway:

```yaml
jhipster:
  # CORS is only enabled by default with the "dev" profile, so BrowserSync can access the API
  cors:
    allowed-origins: '*'
    allowed-methods: '*'
    allowed-headers: '*'
    exposed-headers: 'Authorization,Link,X-Total-Count'
    allow-credentials: true
    max-age: 1800
  security:
    client-authorization:
      client-id: internal
      client-secret: internal
    authentication:
      jwt:
        base64-secret: _xxsecretkeyxx_
```

Authentication: JWT

Couldn't figure out the issue, as the setup works fine locally and the Swagger-generated API URLs respond successfully when tested from Postman.

@gmarziou
Contributor

Postman does not run in a web browser so it does not apply CORS restrictions.

The registry is a Zuul proxy so it should not be different than a gateway, have you compared their configurations?

@devcode100
Author

devcode100 commented Nov 16, 2020

> Postman does not run in a web browser so it does not apply CORS restrictions.
>
> The registry is a Zuul proxy so it should not be different than a gateway, have you compared their configurations?

The issue is resolved and it was straightforward :)

The WebConfigurer.java:

```java
// corsFilter() bean from WebConfigurer.java; the rest of the class is omitted here
@Bean
public CorsFilter corsFilter() {
    final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    final CorsConfiguration config = jHipsterProperties.getCors();
    if (config.getAllowedOrigins() != null && !config.getAllowedOrigins().isEmpty()) {
        log.debug("Registering CORS filter");
        source.registerCorsConfiguration("/api/**", config);
        source.registerCorsConfiguration("/management/**", config);
        source.registerCorsConfiguration("/v2/api-docs", config);
        source.registerCorsConfiguration("/config/**", config);
        source.registerCorsConfiguration("/eureka/**", config);
        source.registerCorsConfiguration("/*/api/**", config);
        source.registerCorsConfiguration("/services/*/api/**", config);
        source.registerCorsConfiguration("/*/management/**", config);
    }

    // default is to deny all CORS requests
    source.registerCorsConfiguration("/**", new CorsConfiguration());
    return new CorsFilter(source);
}
```

It was evident from the `source.registerCorsConfiguration("/**", new CorsConfiguration());` line that the CORS default methods were set to 'GET' and 'HEAD' (class: CorsConfiguration, method: setAllowedMethods()). Removing the line now filters the configured allowed-methods from the corresponding config file.

Just curious to know, could you please highlight the thought behind denying CORS requests by default in the registry, where we have Swagger UI which can act as a central resource to test all APIs across microservices, including the gateway?
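Added example, not from this thread or the JHipster registry code: it replays the registration order of the corsFilter() bean quoted above and reports which pattern each Swagger-generated path resolves to, showing why both fall through to the `/**` default-deny entry and how a pattern for the Zuul-proxied paths would allow POST there while keeping the fail-closed default for everything else. It assumes Spring Framework 5.x (AntPathMatcher lookup, first registered match wins, as in JHipster 6.x), spring-test on the classpath for MockHttpServletRequest, and that the `/registry` context path is stripped before matching; `/services/**/api/**` is a hypothetical pattern, not a project setting.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.http.HttpMethod;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

public class CorsPatternCheck {
    // Paths from the issue, /registry context path removed (the container strips it before matching).
    static final String GATEWAY_PATH =
        "/services/gateway/gateway:78b627b6a671cd1a33e53ae603e0eb12/gateway/api/authenticate";
    static final String MICRO1_PATH = "/services/micro1/micro1:a8ebfb8ee491ceceda595c63e3e87966/api/save";

    // Same registration order as corsFilter(); optionally adds a hypothetical pattern for the
    // Zuul-proxied paths, whose extra "<app>:<hash>" segments the single-segment '*' in
    // "/services/*/api/**" cannot span. The fail-closed "/**" entry is kept in both variants.
    static Map<String, CorsConfiguration> patterns(CorsConfiguration allow, boolean proxiedPattern) {
        Map<String, CorsConfiguration> m = new LinkedHashMap<>();
        for (String p : new String[] {"/api/**", "/management/**", "/v2/api-docs", "/config/**",
                "/eureka/**", "/*/api/**", "/services/*/api/**", "/*/management/**"}) {
            m.put(p, allow);
        }
        if (proxiedPattern) m.put("/services/**/api/**", allow);
        m.put("/**", new CorsConfiguration());
        return m;
    }
    // UrlBasedCorsConfigurationSource returns the first registered pattern that matches.
    static String firstMatch(Map<String, CorsConfiguration> m, String path) {
        AntPathMatcher matcher = new AntPathMatcher();
        for (String p : m.keySet()) if (matcher.match(p, path)) return p;
        return null;
    }
    // An empty CorsConfiguration resolves to GET and HEAD only, so checkHttpMethod(POST) is null on "/**".
    static boolean postAllowed(Map<String, CorsConfiguration> m, String path) {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        m.forEach(source::registerCorsConfiguration);
        CorsConfiguration c = source.getCorsConfiguration(new MockHttpServletRequest("OPTIONS", path));
        return c != null && c.checkHttpMethod(HttpMethod.POST) != null;
    }
    public static void main(String[] args) {
        CorsConfiguration allow = new CorsConfiguration();
        allow.addAllowedMethod("*"); // mirrors allowed-methods: '*' from the YAML above
        for (boolean fixed : new boolean[] {false, true}) {
            Map<String, CorsConfiguration> m = patterns(allow, fixed);
            for (String path : new String[] {GATEWAY_PATH, MICRO1_PATH}) {
                System.out.printf("%s -> %s, POST allowed: %b%n", path, firstMatch(m, path), postAllowed(m, path));
            }
        }
    }
}
```

Without the extra pattern both paths resolve to `/**` and POST is refused; with it they resolve to `/services/**/api/**` while unmatched paths still hit the deny-all entry, so the registry keeps enforcing CORS itself instead of relying on whatever the proxied service answers.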

@gmarziou
Contributor

gmarziou commented Nov 16, 2020

I have no idea why this is done.

@vishal423 do you remember why you made this change? 76a6efc

@vishal423
Contributor

The intention was to deny CORS by default, and if the user would like to open it, then he can override it during application startup. However, there is still a problem noted in the comment that should be fixed.
