I'm trying to allow CORS from http://localhost:8080 to our non-prod Quarkus container. I feel like I've made a silly mistake in my configuration but I just don't see it. Maybe the curl command I'm using to test the preflight is wrong?
quarkus-bom version 3.13.2
application.properties
%nonprod.quarkus.http.cors=true
%nonprod.quarkus.http.cors.access-control-allow-credentials=true
%nonprod.quarkus.http.cors.methods=GET,POST,OPTIONS
%nonprod.quarkus.http.cors.origins=http://localhost:8080
%nonprod.quarkus.http.cors.headers=authorization,content-type,origin,accept,x-requested-with,access-control-allow-origin,access-control-request-method
curl command
curl "$API_SERVICE_HOST/api/portal/resources" -H "Origin: http://localhost:8080" -H "Access-Control-Request-Method: GET" -X OPTIONS -i
I get an HTTP 403 response with access-control-allow-methods: GET,POST,OPTIONS, and I can see this in the Quarkus log:
{
"@timestamp": "2024-09-09T14:40:45.482843394Z",
"logger_name": "io.quarkus.vertx.http.runtime.cors.CORSFilter",
"level": "DEBUG",
"message": "Invalid origin http://localhost:8080",
"thread_name": "vert.x-eventloop-thread-1",
"application": "msg-dex-api"
}
This is running with Keycloak authorization, but I have disabled the policy enforcer for the OPTIONS method:
%nonprod.quarkus.keycloak.policy-enforcer.paths.4.path=/api/*
%nonprod.quarkus.keycloak.policy-enforcer.paths.4.methods.1.method=OPTIONS
%nonprod.quarkus.keycloak.policy-enforcer.paths.4.methods.1.scopes=ANY
%nonprod.quarkus.keycloak.policy-enforcer.paths.4.methods.1.scopes-enforcement-mode=DISABLED
%nonprod.quarkus.keycloak.policy-enforcer.paths.4.enforcement-mode=DISABLED
And when I don't include the Origin header I do get a 200 response, so the authorization server shouldn't be interfering with the OPTIONS request.
curl "$API_SERVICE_HOST/api/portal/resources" -H "Access-Control-Request-Method: GET" -X OPTIONS -i
Edit: curl -v headers (service address masked)
> OPTIONS /api/portal/resources HTTP/2
> Host: $API_SERVICE_HOST
> accept: */*
> origin: http://localhost:8080
> access-control-request-method: GET
Any ideas what I might be doing wrong?
I also tried different variations of what to put in origins, based on what I found in the CORSFilter.java code above.
For 1., wildCardOrigin should skip the !allowsOrigin check entirely, but it still fails, with the log stating "Invalid origin http://localhost:8080", which I think is line 153.
2. Line 146 should evaluate to true on "|| isOriginAllowedByRegex(allowedOriginsRegex, origin)", but I actually see line 147 and the log entry in isSameOrigin, which shouldn't happen. But here's the thing: if I send the origin as * or http://localhost:8080, 147 is not logged, but if I use https://www.google.com, 147 is logged. I also explicitly added https://www.google.com to cors.origin with the same result: the isSameOrigin line is logged, which, if I have this right, shouldn't happen given the matching and lazy evaluation.
For some reason this makes me think a different CORSFilter is being used for the http vs. https scheme.
Edit 3 (added extra logging)
{
"@timestamp": "2024-09-10T14:10:23.790612802Z",
"sequence": 198,
"loggerClassName": "org.jboss.logging.Logger",
"logger_name": "io.quarkus.vertx.http.runtime.cors.CORSFilter",
"level": "DEBUG",
"message": "Same origin check has failed, the host values do not match. Request URI: https://msg-dex.myhost.com/api/portal/resources, origin: https://localhost:8080",
"thread_name": "vert.x-eventloop-thread-1",
"threadId": 23,
"mdc": {},
"ndc": "",
"hostName": "99c748b91cb6",
"processName": "/usr/lib/jvm/java-17-amazon-corretto/bin/java",
"processId": 1,
"sourceClassName": "io.quarkus.vertx.http.runtime.cors.CORSFilter",
"sourceFileName": "CORSFilter.java",
"sourceMethodName": "isSameOriginSlowPath",
"sourceLineNumber": 259,
"sourceModuleName": null,
"sourceModuleVersion": null,
"application": "msg-dex-api"
}
{
"@timestamp": "2024-09-10T14:10:23.79163831Z",
"sequence": 199,
"loggerClassName": "org.jboss.logging.Logger",
"logger_name": "io.quarkus.vertx.http.runtime.cors.CORSFilter",
"level": "DEBUG",
"message": "Invalid origin https://localhost:8080",
"thread_name": "vert.x-eventloop-thread-1",
"threadId": 23,
"mdc": {},
"ndc": "",
"hostName": "99c748b91cb6",
"processName": "/usr/lib/jvm/java-17-amazon-corretto/bin/java",
"processId": 1,
"sourceClassName": "io.quarkus.vertx.http.runtime.cors.CORSFilter",
"sourceFileName": "CORSFilter.java",
"sourceMethodName": "handle",
"sourceLineNumber": 153,
"sourceModuleName": null,
"sourceModuleVersion": null,
"application": "msg-dex-api"
}
{
"@timestamp": "2024-09-10T14:10:23.793910859Z",
"sequence": 200,
"loggerClassName": "org.jboss.logging.Logger",
"logger_name": "io.quarkus.http.access-log",
"level": "INFO",
"message": "OPTIONS HTTP_1_1XXX.XXX.136.209 X-Forwarded-For: XXX.XXX.136.209\nX-Forwarded-Proto: https\nX-Forwarded-Port: 443\nX-Amzn-Trace-Id: Root=1-66e0534f-506363231c716dc1753f91ba\norigin: https://localhost:8080\naccess-control-request-method: GET\nhost: msg-dex.myhost.com",
"thread_name": "vert.x-eventloop-thread-1",
"threadId": 23,
"mdc": {},
"ndc": "",
"hostName": "99c748b91cb6",
"processName": "/usr/lib/jvm/java-17-amazon-corretto/bin/java",
"processId": 1,
"sourceClassName": "io.quarkus.vertx.http.runtime.filters.accesslog.JBossLoggingAccessLogReceiver",
"sourceFileName": "JBossLoggingAccessLogReceiver.java",
"sourceMethodName": "logMessage",
"sourceLineNumber": 44,
"sourceModuleName": null,
"sourceModuleVersion": null,
"application": "msg-dex-api"
}
Found my problem. At some point in the past I had set QUARKUS_HTTP_CORS_ORIGINS as part of the AWS task definition.
Environment variables win over application.properties.
I removed the variable from the task and it now works as I expect. So the above is good, working configuration; just don't override it and forget about it. Doh!
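To make the precedence behind this answer concrete, here is an added example (not from the question and not Quarkus code) that resolves a config key the way the observed behaviour implies. It assumes the default MicroProfile Config ordinals Quarkus uses (environment 300, application.properties 250), the standard env-var name mapping, and that a %profile value only beats the plain value when its source ordinal is at least as high; the environment value is a constructed placeholder for the forgotten task-definition variable.

```python
import re

# Default MicroProfile Config ordinals Quarkus uses (higher wins).
ENV_ORDINAL = 300
PROPERTIES_ORDINAL = 250

# The relevant line from the poster's application.properties.
APP_PROPERTIES = """
%nonprod.quarkus.http.cors.origins=http://localhost:8080
"""

# Constructed stand-in for the forgotten AWS task-definition variable.
TASK_ENV = {"QUARKUS_HTTP_CORS_ORIGINS": "https://stale-origin.example.invalid"}


def env_var_name(key: str) -> str:
    """Env mapping: non-alphanumerics -> '_', then upper-case, so
    '%nonprod.quarkus.http.cors.origins' -> '_NONPROD_QUARKUS_HTTP_CORS_ORIGINS'."""
    return re.sub(r"[^A-Za-z0-9]", "_", key).upper()


def parse_properties(text: str) -> dict:
    """Minimal .properties parser: 'key=value' lines, '#' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def lookup(name: str, props: dict, env: dict):
    """Exact-name lookup across sources: (value, ordinal, source) or None."""
    for candidate in (name, env_var_name(name)):
        if candidate in env:
            return env[candidate], ENV_ORDINAL, f"env {candidate}"
    if name in props:
        return props[name], PROPERTIES_ORDINAL, f"application.properties {name}"
    return None


def resolve(key: str, profile: str, props: dict, env: dict):
    """Profile-aware lookup: the %profile variant wins only if its source ordinal
    is >= the plain property's, so the %nonprod value (250) loses to the env var (300)."""
    profiled = lookup(f"%{profile}.{key}", props, env)
    plain = lookup(key, props, env)
    if profiled and (plain is None or profiled[1] >= plain[1]):
        return profiled[0], profiled[2]
    return (plain[0], plain[2]) if plain else (None, None)
```

Calling resolve("quarkus.http.cors.origins", "nonprod", parse_properties(APP_PROPERTIES), TASK_ENV) reports the environment value and its source, while the same call with an empty environment returns http://localhost:8080 from application.properties, which is the fix described above.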