Reputation: 103
I am using the Spring Gateway framework and configured it as follows.
    gateway:
      default-filters:
        - DedupeResponseHeader=Access-Control-Allow-Origin
      globalcors:
        cors-configurations:
          '[/**]':
            allowedOrigins: "*"
            allowedMethods: "*"
            allowedHeaders: "*"
But when I try to execute a request on the gateway, I get the following error.
has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed.
I do not understand how to configure the configuration to avoid this error.
Upvotes: 10
Views: 9337
Reputation: 11
For everybody that tried:
    spring:
      cloud:
        gateway:
          default-filters:
            - DedupeResponseHeader=Access-Control-Allow-Origin Access-Control-Allow-Credentials, RETAIN_UNIQUE
          globalcors:
            cors-configurations:
              '[/**]':
              allowed-origins: "*"
              allowed-methods: "*"
              allowed-headers: "*"
              allow-credentials: true
and got the following error:
Reason: org.springframework.core.convert.ConverterNotFoundException: No converter found capable of converting from type [java.lang.String] to type [org.springframework.web.cors.CorsConfiguration]
I found the solution in the official Spring documentation: https://docs.spring.io/spring-cloud-gateway/reference/spring-cloud-gateway/cors-configuration.html
The solution is to indent the following properties by 2 spaces or 1 tab:
Be aware that the following should not be indented any extra: '[/**]':
So then the right way of doing it would be:
    spring:
      cloud:
        gateway:
          default-filters:
            - DedupeResponseHeader=Access-Control-Allow-Origin Access-Control-Allow-Credentials, RETAIN_UNIQUE
          globalcors:
            cors-configurations:
              '[/**]':
                allowed-origins: "*"
                allowed-methods: "*"
                allowed-headers: "*"
                allow-credentials: true
Upvotes: 1
Reputation: 608
Try with this configuration:
    spring:
      cloud:
        gateway:
          default-filters:
            - DedupeResponseHeader=Access-Control-Allow-Origin Access-Control-Allow-Credentials, RETAIN_UNIQUE
          globalcors:
            cors-configurations:
              '[/**]':
                allowed-origins: "*"
                allowed-methods: "*"
                allowed-headers: "*"
                allow-credentials: true
Upvotes: 14
Reputation: 121
In addition to Pablo's answer, make sure downstream services do not have CORS configured, because they will add their headers to the final response headers. Therefore you only configure CORS for your gateway service, and you can just close the ports to other services so they can only be accessed from within the server.
Upvotes: 10
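Added example, not part of any answer above and not Spring Cloud Gateway code: a simplified Python model of the three documented DedupeResponseHeader strategies, run over constructed response headers. It shows how a gateway and a downstream service that both add CORS headers produce the `*, *` error, and that RETAIN_UNIQUE does not help when the two values differ. The function names and sample headers are assumptions made for this example.

```python
# Added example: simplified model of the documented strategies, not Spring source.
STRATEGIES = ("RETAIN_FIRST", "RETAIN_LAST", "RETAIN_UNIQUE")
ACAO = "access-control-allow-origin"
ACAC = "access-control-allow-credentials"

def dedupe(headers, names, strategy="RETAIN_FIRST"):
    """headers: (name, value) pairs, one per header line; names: space-separated."""
    if strategy not in STRATEGIES:
        raise ValueError(f"unknown strategy: {strategy}")
    targets = {n.lower() for n in names.split()}
    values = {}  # lower-cased header name -> its values in wire order
    for name, value in headers:
        if name.lower() in targets:
            values.setdefault(name.lower(), []).append(value)
    for key, vals in values.items():
        if strategy == "RETAIN_FIRST":
            values[key] = vals[:1]
        elif strategy == "RETAIN_LAST":
            values[key] = vals[-1:]
        else:  # RETAIN_UNIQUE: drop repeats, keep first-seen order
            values[key] = list(dict.fromkeys(vals))
    out, emitted = [], set()
    for name, value in headers:
        key = name.lower()
        if key not in targets:
            out.append((name, value))
        elif key not in emitted:  # emit the retained values once, at first position
            emitted.add(key)
            out.extend((name, v) for v in values[key])
    return out

def cors_findings(headers):
    """Flag repeated origin values and wildcard origin combined with credentials."""
    origins = [v.strip() for n, v in headers if n.lower() == ACAO]
    creds = [v.strip().lower() for n, v in headers if n.lower() == ACAC]
    findings = []
    if len(origins) > 1:
        findings.append("multiple Access-Control-Allow-Origin values: " + ", ".join(origins))
    if "*" in origins and "true" in creds:
        findings.append("wildcard origin with Access-Control-Allow-Credentials: true")
    return findings

# Constructed sample: gateway and downstream service each add the same header.
SAMPLE = [
    ("Content-Type", "application/json"),
    ("Access-Control-Allow-Origin", "*"),  # from the gateway (constructed)
    ("Access-Control-Allow-Origin", "*"),  # from the downstream service (constructed)
]
NAMES = "Access-Control-Allow-Origin Access-Control-Allow-Credentials"
```

Running `cors_findings` on headers captured from the gateway before and after a configuration change shows whether the duplicate is gone; browsers refuse credentialed requests when the origin value is the `*` wildcard, which the second finding reports.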
Reputation: 2333
The error is similar to other questions on other stacks when server-side CORS configuration is not in effect.
Assuming you are using Spring 5, have you tried to "Use applyPermitDefaultValues() to flip the initialization model to start with open defaults that permit all cross-origin requests for GET, HEAD, and POST requests." as stated in the docs:
Best regards.
Upvotes: 0