-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
remove cors/csrf java code configuration, in favor of regular spring-cloud-gateway configuration #59
Conversation
Also documenting the option in the application yaml file
gateway/src/main/java/org/georchestra/gateway/security/GatewaySecurityConfiguration.java
Outdated
Show resolved
Hide resolved
How is the CORS configuration different than the default spring-cloud-gateway way of doing so? e.g.
See https://docs.spring.io/spring-cloud-gateway/reference/spring-cloud-gateway/cors-configuration.html |
I missed that, sorry. But if we go through official yaml configuration, shall we remove the java calls to It makes totally sense to me to rely on what spring already provides anyway. |
okay, stripping the
The following curl payload returns indeed a 200 - ok:
Funny thing is that if I revert my java modification, the configuration stays valid and I am able to get "200 - OK" status, without touching the Java code (which does not really make sense, because with @groldan does removing the related Java code make sense to you ? As we can use the yaml configuration anyway. |
As mentioned by @groldan on #59 (comment) the spring-cloud-gateway project already provides a convenient way to configure CORS. About CSRF, it is IMHO the role of each proxified webapps to mitigate the issue, and outside of the gateway's concern. As a result, removing cors/csrf management from our code's side.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Partially reverts #59 CORS is configurable via yaml config files, CSRF is not. From my understanding, CSRF protection has to be managed separately by the underlying webapps being proxified by the gateway.
* Testsuite broken because sending a request with no Accept header (or "Accept: */*") will make spring sending a 401 instead of a 302 redirect to /login * restoring previous work on csrf/cors not present in DT's fork (#73, #59) * restoring some other works related to login/logout controllers/templates
* Testsuite broken because sending a request with no Accept header (or "Accept: */*") will make spring sending a 401 instead of a 302 redirect to /login * restoring previous work on csrf/cors not present in DT's fork (#73, #59) * restoring some other works related to login/logout controllers/templates
Using the 2 introduced flagsgeorchestra.gateway.corsEnabled
andgeorchestra.gateway.csrfEnabled
we can leverage default spring security behaviour related to both security measures.Removing the
cors() / csrf() .disable()
calls, leaving the framework do all its own magic for us.Note: we keep them disabled by default, as this was the default intended behaviour.Note2: this might require a revisit to make the configuration more flexible.Note3: With the former security-proxy, the configuration was left to the proxified webapp. If we go with this PR, we will invert the configuration and leave it to the gateway, it will then be necessary to deactivate the filters on proxified webapps, to avoid having the http response headers being set twice, which can mess up the browsers.