Spring Cloud Gateway commercial route filters act on the incoming request or outgoing response matched by a predicate. For example, you can use filters to add an HTTP header or to deny access based on an authorization token.

Spring Cloud Gateway OSS includes a number of GatewayFilter factories used to create filters for routes. For a complete list of these factories, see the Spring Cloud Gateway OSS documentation.

Spring Cloud Gateway for VMware Tanzu also provides a number of custom filters in addition to those included in the OSS project.

Available filters

| Filter | Description |
| --- | --- |
| AddRequestHeader | Adds a header to a request |
| AddRequestParameter | Adds a request parameter to a request query string |
| AddResponseHeader | Adds a header to a matching response |
| AllowedRequestCookieCount | Determines if a matching request is allowed to proceed based on the number of cookies |
| AllowedRequestHeadersCount | Determines if a matching request is allowed to proceed based on the number of headers |
| AllowedRequestQueryParamsCount | Determines if a matching request is allowed to proceed based on the number of query parameters |
| CircuitBreaker | Wraps routes in a circuit breaker |
| ClaimHeader | Copies data from a JWT claim into an HTTP header |
| ClientCertificateHeader | Validates the X-Forwarded-Client-Cert header certificate (optional fingerprint) |
| DeDupeResponseHeader | Removes duplicates of certain headers |
| FallbackHeaders | Adds circuit breaker exception to a header |
| LocalResponseCache | Adds a specific cache to the route |
| MapRequestHeader | Maps a header from another one |
| PrefixPath | Adds a prefix to a matching request path |
| PreserveHostHeader | Preserves original host header when sending a request |
| RateLimit | Determines if a matching request is allowed to proceed based on volume |
| RedirectTo | Redirects a matching request with certain HTTP code to a certain URL |
| RemoveJsonAttributesResponseBody | Removes JSON attributes and their values from JSON content |
| RemoveRequestHeader | Removes a header from a matching request |
| RemoveRequestParameter | Removes a query parameter from a matching request |
| RemoveResponseHeader | Removes a header from a response |
| RequestHeaderSize | Limits the size of a request header |
| RequestSize | Constrains a matching request with a certain request size |
| Retry | Retries a matching request |
| RewriteAllResponseHeaders | Similar to RewriteResponseHeader, but applies transformation to all headers |
| RewriteLocationResponseHeader | Modifies the value of the location response header |
| RewritePath | Rewrites a matching request path using a regular expression |
| RewriteResponseBody | Rewrites the response body from a matching request |
| RewriteResponseHeader | Rewrites the response header value |
| Roles | Lists authorized roles needed to access route |
| SaveSession | Saves the current WebSession before executing the rest of the GatewayFilterChain |
| Scopes | Lists scopes needed to access route |
| SecureHeaders | Adds some headers to a response per a security recommendation |
| SetPath | Manipulates a matching request path |
| SetRequestHeader | Replaces the value of all headers matching the given name |
| SetRequestHostHeader | Overrides host header value of a matching request |
| SetResponseHeader | Replaces a certain response header |
| SetStatus | Sets HTTP status of a response |
| SsoLogin | Redirects to authenticate if no valid Authorization token is found |
| StripPrefix | Strips parts from a path of a matching request (default: 1) |
| TokenRelay | Forwards OAuth2 access token to downstream resources |

AllowedRequestCookieCount

Determines if a matching request is allowed to proceed based on the number of cookies.

Configuration parameters:

  • amount: number of allowed cookies.
    AllowedRequestCookieCount=2

AllowedRequestHeadersCount

Determines if a matching request is allowed to proceed based on the number of headers.

Configuration parameters:

  • amount: number of allowed headers.
    AllowedRequestHeadersCount=4

AllowedRequestQueryParamsCount

Determines if a matching request is allowed to proceed based on the number of query parameters.

Configuration parameters:

  • amount: number of allowed parameters.
    AllowedRequestQueryParamsCount=3

CircuitBreaker

Wraps routes in a circuit breaker.

Configuration parameters:

  • name: circuit breaker name.
  • fallbackUri: reroute URL, can be a local route or external handler.
  • status codes: (optional) colon-separated list of status codes to match, in number or text format.
  • failure rate: (optional) threshold above which the circuit breaker will be opened (default 50%).
  • duration: (optional) time to wait before closing again (default 60s).
    CircuitBreaker=myCircuitBreaker,forward:/inCaseOfFailureUseThis,401:NOT_FOUND:500,10,30s

ClaimHeader

Copies data from a JWT claim into an HTTP header.

Configuration parameters:

  • Claim name: case sensitive name of the claim to pass.
  • Header name: name of the HTTP header.
    ClaimHeader=sub,X-Claim-Sub

ClientCertificateHeader

Validates the certificate in the X-Forwarded-Client-Cert header.

Configuration parameters:

  • domain pattern: X-Forwarded-Client-Cert value
  • certificate fingerprint: (optional) SSL certificate's fingerprint.
    ClientCertificateHeader=*.example.com,sha-1:aa:bb:00:99

FallbackHeaders

Adds any circuit breaker exception to a header. Requires the use of the CircuitBreaker filter in another route.

No parameters required.

    FallbackHeaders

LocalResponseCache

Overrides local response cache configuration for specific routes if global cache is activated.

Configuration parameters:

  • timeToLive: allowed lifespan of a cache entry before expiration (use the duration suffix s for seconds, m for minutes, or h for hours).
  • size: maximum allowed size of the cache entries for this route before cache eviction begins (in KB, MB and GB).
    LocalResponseCache=3m,1MB

RateLimit

Determines if a matching request is allowed to proceed based on request volume.

Configuration parameters:

  • request limit: maximum number of requests accepted during the window.
  • window duration: window duration in milliseconds. Alternatively the s, m or h suffixes can be used to specify the duration in seconds, minutes or hours.
  • partition source: (optional) location of the partition key ('claim', 'header' or 'IPs').
  • partition key: (optional) value used to partition request counters.
    RateLimit=1,10s
    RateLimit=1,10s,{claim:client_id}
    RateLimit=1,10s,{header:client_id}
    RateLimit=2,10s,{IPs:2;127.0.0.1;192.168.0.1}
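
A model of how the partition parameters decide which requests share a counter, as an added example (not the product's implementation). The fixed-window algorithm, the single shared counter for an unpartitioned limit, and the request dictionaries are assumptions of this sketch.

```python
import re

UNIT_MS = {"": 1, "s": 1_000, "m": 60_000, "h": 3_600_000}
PATTERN = re.compile(
    r"RateLimit=(\d+),(\d+)([smh]?)(?:,\{(claim|header|IPs):([^}]+)\})?")

def parse_rate_limit(definition):
    """Parse 'RateLimit=<limit>,<window>[,{<source>:<key>}]'."""
    m = PATTERN.fullmatch(definition)
    if not m:
        raise ValueError(f"invalid RateLimit definition: {definition!r}")
    limit, amount, unit, source, key = m.groups()
    return {"limit": int(limit), "window_ms": int(amount) * UNIT_MS[unit],
            "source": source, "key": key}

def partition_of(cfg, request):
    """Counter a request is charged to (the request shape is hypothetical)."""
    if cfg["source"] is None:
        return ("route", None)  # assumption: unpartitioned means one shared counter
    if cfg["source"] == "claim":
        return ("claim", request["claims"].get(cfg["key"]))
    if cfg["source"] == "header":
        return ("header", request["headers"].get(cfg["key"]))
    raise ValueError("IPs partitioning is not modelled in this sketch")

def decisions(definition, timeline):
    """True/False per request, using fixed windows (an assumption)."""
    cfg, counts, out = parse_rate_limit(definition), {}, []
    for now_ms, request in timeline:
        slot = (partition_of(cfg, request), now_ms // cfg["window_ms"])
        counts[slot] = counts.get(slot, 0) + 1
        out.append(counts[slot] <= cfg["limit"])
    return out

def req(client):
    """Constructed request carrying the same id as a claim and as a header."""
    return {"claims": {"client_id": client}, "headers": {"client_id": client}}

# Constructed timeline: (milliseconds, request).
TIMELINE = [(0, req("app-a")), (1_000, req("app-b")),
            (2_000, req("app-a")), (10_500, req("app-a"))]
```

With `RateLimit=1,10s` the second client is rejected because it shares the first client's counter; with `{claim:client_id}` each client is counted separately. A claim partition takes its key from the token, while a header partition is only as reliable as whatever sets that header upstream.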

RemoveJsonAttributesResponseBody

Removes JSON attributes and their values from JSON response bodies.

Configuration parameters:

  • attribute names: comma-separated list of the names of attributes to remove from a JSON response.
  • delete recursively: (optional, boolean) configures the removal of attributes only at root level (false), or recursively (true) (default: false).
    RemoveJsonAttributesResponseBody=origin,foo,true
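
The difference between root-level and recursive removal, as an added example (a model of the documented behaviour, not the product's code). It assumes a trailing true/false argument is the "delete recursively" flag, and the response body is constructed for illustration.

```python
import json

def parse_filter(definition):
    """Split 'RemoveJsonAttributesResponseBody=a,b,true' into (names, recursive).

    Assumption: a trailing true/false argument is the optional
    'delete recursively' flag; without it the documented default (false) applies.
    """
    name, _, raw = definition.partition("=")
    if name != "RemoveJsonAttributesResponseBody":
        raise ValueError(f"unexpected filter: {name!r}")
    args = [a.strip() for a in raw.split(",") if a.strip()]
    recursive = False
    if args and args[-1].lower() in ("true", "false"):
        recursive = args.pop().lower() == "true"
    if not args:
        raise ValueError("at least one attribute name is required")
    return set(args), recursive

def strip_attributes(node, names, recursive):
    """Return a copy of node without the named attributes."""
    if isinstance(node, dict):
        kept = {k: v for k, v in node.items() if k not in names}
        if recursive:
            kept = {k: strip_attributes(v, names, True) for k, v in kept.items()}
        return kept
    if isinstance(node, list) and recursive:
        return [strip_attributes(item, names, True) for item in node]
    return node

def surviving_paths(node, names, path="$"):
    """JSON paths at which a configured attribute is still present."""
    found = []
    if isinstance(node, dict):
        for k, v in node.items():
            found += [f"{path}.{k}"] if k in names else []
            found += surviving_paths(v, names, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            found += surviving_paths(v, names, f"{path}[{i}]")
    return sorted(found)

# Constructed sample response body (not taken from the product documentation).
SAMPLE = json.loads('{"id": 7, "origin": "10.0.0.5", "meta": {"foo": "internal"},'
                    ' "items": [{"sku": "a1", "origin": "10.0.0.9"}]}')

def audit(definition, body=SAMPLE):
    names, recursive = parse_filter(definition)
    return surviving_paths(strip_attributes(body, names, recursive), names)
```

Calling `audit` with `RemoveJsonAttributesResponseBody=origin,foo` reports the nested `origin` and `foo` attributes that still reach the client; with the trailing `true` it reports none.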

RewriteAllResponseHeaders

Rewrites multiple response headers at once.

Configuration parameters:

  • pattern to match: regular expression to match against header values.
  • replacement: replacement value.
    RewriteAllResponseHeaders=\d,0

RewriteResponseBody

Modifies the body of a response.

Configuration parameters are organized as a comma-separated list of key-value pairs, where each pair takes the form pattern to match:replacement:

  • pattern to match: regular expression to match against text in the response body.
  • replacement: replacement value.
    RewriteResponseBody=foo:bar,/path-one/:/path-two/

Roles

Authorizes requests whose authorization contains at least one of the configured roles.

Configuration parameters:

  • roles: comma-separated list of authorized roles.
    Roles=role_01,role_02

Scopes

Authorizes requests whose authorization contains at least one of the configured scopes.

Configuration parameters:

  • scopes: comma-separated list of authorized scopes.
    Scopes=api.read,api.write,user

SsoLogin

Redirects to authenticate if no valid Authorization token is found.

No parameters required.

    SsoLogin

TokenRelay

Forwards OAuth2 access token to downstream resources.

No parameters required.

    TokenRelay