I am using Spring Boot + Spring Cloud with OAuth2 for authentication, but I have a problem with the auth flow. When I try to authenticate from my server, the Zuul gateway does not send the header parameters, but if I authenticate directly against my OAuth server, I have no problem. The problem only occurs when I authenticate through the Zuul gateway.
Response:
error_description: "Full authentication is required to access this resource"
Request Header:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
Accept-Language: pt,en-US;q=0.8,en;q=0.6
Authorization: Basic <MySecretToken>
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 0
DNT: 1
Host: localhost:8181
Origin: http://localhost:9980
Pragma: no-cache
Referer: http://localhost:9980/login
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.11 Safari/537.36
OAuth server log for a request that came through Zuul:
2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@541da561
2016-03-07 16:41:37.826 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2016-03-07 16:41:37.827 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/token'; against '/logout'
2016-03-07 16:41:37.827 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2016-03-07 16:41:37.827 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-03-07 16:41:37.828 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-03-07 16:41:37.828 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-03-07 16:41:37.828 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@90556c3e: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@1de6: RemoteIpAddress: 192.168.1.40; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2016-03-07 16:41:37.828 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-03-07 16:41:37.829 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-03-07 16:41:37.829 DEBUG 31205 --- [nio-9190-exec-5] o.s.security.web.FilterChainProxy : /oauth/token?password=myPassword&grant_type=password&username=system at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2016-03-07 16:41:37.829 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/token'; against '/oauth/token'
2016-03-07 16:41:37.829 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /oauth/token?password=myPassword&grant_type=password&username=system; Attributes: [fullyAuthenticated]
2016-03-07 16:41:37.829 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@90556c3e: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@1de6: RemoteIpAddress: 192.168.1.40; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2016-03-07 16:41:37.838 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@59b8fe9, returned: -1
2016-03-07 16:41:37.846 DEBUG 31205 --- [nio-9190-exec-5] o.s.s.w.a.ExceptionTranslationFilter : Access is denied (user is anonymous); redirecting to authentication entry point
Note that at filter 5 of 11 (BasicAuthenticationFilter) the authentication should take place, but it does not.
Now look at the log on the same server, but without the gateway:
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@541da561
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/token'; against '/logout'
2016-03-07 16:51:16.641 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2016-03-07 16:51:16.644 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter : Basic Authentication Authorization header found for user 'gateway'
2016-03-07 16:51:16.645 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.authentication.ProviderManager : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter : Authentication success: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@b0a7f710: Principal: org.springframework.security.core.userdetails.User@f4ba4644: Username: gateway; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_USER
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@b0a7f710: Principal: org.springframework.security.core.userdetails.User@f4ba4644: Username: gateway; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_USER'
2016-03-07 16:51:16.667 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-03-07 16:51:16.668 DEBUG 31205 --- [nio-9190-exec-1] s.CompositeSessionAuthenticationStrategy : Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy@727809f6
2016-03-07 16:51:16.668 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-03-07 16:51:16.668 DEBUG 31205 --- [nio-9190-exec-1] o.s.security.web.FilterChainProxy : /oauth/token?grant_type=password&username=system&password=myPassword at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
In the second log you can see that at filter 5 of 11 the authentication is accepted.
Here is the gateway module configuration:
https://gist.github.com/tiarebalbi/07aaa61f84d3ea3822e0
Update:
Below is the CorsFilter used in the gateway: https://gist.github.com/tiarebalbi/ce5f6fc9691e1a6e3aaa
Debug information:
I noticed that the gateway receives all the header parameters, but the authentication server does not.
Gateway: (screenshot of the received headers, not reproduced)
OAuth Server: (screenshot of the received headers, not reproduced)
Solution:
After reviewing the documentation, I found the description of sensitive headers, and as you can see here and here, Authorization is one of the headers on that list, which is why it was not sent to the other services.
Code after update:
    zuul:
      ignored-services: "*"
      prefix: /v1
      routes:
        auth-server:
          path: /auth/**
          sensitiveHeaders: Cookie,Set-Cookie
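The following is an added illustration, not code from the post above and not Zuul's own implementation. It is a small Python model of the rule the fix relies on, as documented for Spring Cloud Netflix Zuul: headers named in a route's `sensitiveHeaders` (or, if the route sets none, in the global `zuul.sensitive-headers`, whose default is `Cookie,Set-Cookie,Authorization`) are dropped before the request is proxied, and an empty list means nothing is dropped. The route table, the header values and the helper names (`forwarded_headers`, `authorization_reaches_backend`) are constructed for this example.

```python
"""Model of Zuul's sensitive-header handling (constructed example, not Zuul code).

Rule being modelled, from the Spring Cloud Netflix documentation:
  * headers listed as sensitive are NOT forwarded to the downstream service;
  * the global list is zuul.sensitive-headers, default Cookie,Set-Cookie,Authorization;
  * a route-level sensitiveHeaders overrides the global list for that route;
  * an empty list means "nothing is sensitive", i.e. forward everything.
Header names are compared case-insensitively.  Route tables and request
headers below are made up for the example.
"""
from typing import Dict, List, Optional, Tuple

DEFAULT_SENSITIVE = "Cookie,Set-Cookie,Authorization"


def parse_header_list(value: Optional[str]) -> Optional[List[str]]:
    """Turn 'A,B' into ['a', 'b'].  None (property not set) stays None so the
    caller can fall back to the next level; '' becomes [] (forward all)."""
    if value is None:
        return None
    return [h.strip().lower() for h in value.split(",") if h.strip()]


def sensitive_headers_for(route: dict, global_value: Optional[str]) -> set:
    """Route override first, then the global property, then Zuul's default."""
    for candidate in (route.get("sensitiveHeaders"), global_value, DEFAULT_SENSITIVE):
        parsed = parse_header_list(candidate)
        if parsed is not None:
            return set(parsed)
    return set()  # not reached: DEFAULT_SENSITIVE is never None


def match_route(routes: Dict[str, dict], path: str) -> Optional[Tuple[str, dict]]:
    """Find the first route whose 'prefix/**' pattern covers the path.
    Only the '/**' suffix form is supported in this model."""
    for name, route in routes.items():
        pattern = route["path"]
        prefix = pattern[: -len("/**")] if pattern.endswith("/**") else pattern
        if path == prefix or path.startswith(prefix + "/"):
            return name, route
    return None


def forwarded_headers(zuul_cfg: dict, path: str,
                      headers: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Headers the gateway would pass on for this request, or None if no
    route matches.  zuul_cfg mirrors the YAML keys: prefix, sensitive-headers,
    routes.<name>.path and routes.<name>.sensitiveHeaders."""
    prefix = zuul_cfg.get("prefix", "")
    if prefix and path.startswith(prefix + "/"):
        path = path[len(prefix):]          # zuul.prefix is stripped before routing
    matched = match_route(zuul_cfg.get("routes", {}), path)
    if matched is None:
        return None
    _, route = matched
    drop = sensitive_headers_for(route, zuul_cfg.get("sensitive-headers"))
    return {k: v for k, v in headers.items() if k.lower() not in drop}


def authorization_reaches_backend(zuul_cfg: dict, path: str,
                                  headers: Dict[str, str]) -> bool:
    """The check the post is really about: does the client's Authorization
    header survive the gateway for this route?"""
    fwd = forwarded_headers(zuul_cfg, path, headers)
    return fwd is not None and any(k.lower() == "authorization" for k in fwd)


# Constructed request: what the browser sent to the gateway in the post.
CLIENT_HEADERS = {
    "Authorization": "Basic Z2F0ZXdheTpzZWNyZXQ=",  # made-up client credential
    "Cookie": "JSESSIONID=abc123",                  # made-up session cookie
    "Accept": "application/json",
}

# Configuration as it was before the fix: nothing overridden, so the
# default list applies and Authorization is stripped.
BEFORE = {"prefix": "/v1",
          "routes": {"auth-server": {"path": "/auth/**"}}}

# The fix from the post: only cookies stay sensitive on the auth-server route.
AFTER = {"prefix": "/v1",
         "routes": {"auth-server": {"path": "/auth/**",
                                    "sensitiveHeaders": "Cookie,Set-Cookie"}}}

# Empty list set globally: every route now relays Authorization and cookies
# to every backend.  Shown as the over-broad alternative, not a recommendation.
GLOBAL_OPEN = {"prefix": "/v1", "sensitive-headers": "",
               "routes": {"auth-server": {"path": "/auth/**"},
                          "orders": {"path": "/orders/**"}}}

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER), ("global-open", GLOBAL_OPEN)):
        print(label, forwarded_headers(cfg, "/v1/auth/oauth/token", CLIENT_HEADERS))
```

Two points worth keeping in mind when applying the fix. First, scope the override to the route that needs it, as the post does: setting `sensitive-headers` to an empty value globally makes the gateway relay every client's Basic credential or bearer token to every downstream service, not just the token endpoint. Second, this model only predicts what the gateway should do; confirm it against the running system the same way the post did, by looking at the headers that actually arrive at the backend.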