Filters are used in your SpringCloudGatewayRouteConfig to act on the incoming request or outgoing response to a matching route configuration.

Example uses for a filter could be in adding an HTTP header, or denying access based on an authorization token.

Spring Cloud Gateway OSS includes a number of GatewayFilter factories used to create filters for routes. For a complete list of these factories, see the Spring Cloud Gateway OSS documentation.

Spring Cloud Gateway for Kubernetes also provides a number of custom filters in addition to those included in the OSS project.

Note: Spring Cloud Gateway for Kubernetes sets StripPrefix=1 by default on every route. To deactivate it, set StripPrefix=0 in your configuration.

Available filters

Filter Description
AddRequestHeader Adds a header to a request
AddRequestHeadersIfNotPresent Adds headers if not present in the original request
AddRequestParameter Adds a request parameter to a request query string
AddResponseHeader Adds a header to a matching response
AllowedRequestCookieCount Determines if a matching request is allowed to proceed based on the number of cookies
AllowedRequestHeadersCount Determines if a matching request is allowed to proceed based on the number of headers
AllowedRequestQueryParamsCount Determines if a matching request is allowed to proceed based on the number of query parameters
ApiKey Validates API keys from the X-API-Key header against those stored in HashiCorp Vault
BasicAuth Adds BasicAuth credentials as header to requests
CircuitBreaker Wraps routes in a circuit breaker
ClaimHeader Copies data from a JWT claim into an HTTP Header
ClientCertificateHeader Validates the X-Forwarded-Client-Cert header certificate, and optionally its fingerprint
Cors DEPRECATED, see Configuring per-route Cross-Origin Resource Sharing (CORS) behavior via metadata below.
DeDupeResponseHeader Removes duplicates of certain headers
FallbackHeaders Adds circuit breaker exception to a header
JSONToGRPC Converts a JSON payload to a gRPC request
JwtKey Adds multiple client JWT token validation
JsonToXml Transforms a JSON response body into an XML response body
LocalResponseCache Adds specific cache to the route. If the global cache is active, then the filter will override the default configuration
MapRequestHeader Maps a header from another one
PrefixPath Adds a prefix to a matching request path
PreserveHostHeader Preserves the original host header when sending a request
RateLimit Determines if a matching request is allowed to proceed based on request volume
RedirectTo Redirects a matching request to a given URL, returning a specified 3xx status code
RemoveJsonAttributesResponseBody Removes JSON attributes and their values from a JSON response body
RemoveRequestHeader Removes a header from a matching request
RemoveResponseHeader Removes a header from a response
RemoveRequestParameter Removes a query parameter from a matching request
RequestSize Rejects requests which are above a certain size (in bytes)
RestrictGraphQLOperationCount Rejects excessively large GraphQL queries
RestrictGraphQLOperationDepth Rejects excessively nested GraphQL operations
RestrictGraphQLType Denies access to GraphQL operations based on user role
RestrictRequestHeaders Determines if a matching request is allowed to proceed based on the headers
Retry Retries a matching request
RewriteAllResponseHeaders Transforms response headers using regular expression match and replace
RewritePath Transforms the request path using regular expression match and replace
RewriteLocationResponseHeader Modifies the value of the location response header
RewriteResponseHeader Rewrite a response header value
RewriteResponseBody Modifies the response body of a request
RewriteJsonAttributesResponseBody Rewrite JSON attributes using JSONPath notation
Roles Authorizes requests whose authorization contains one of the configured roles
Scopes Authorizes requests whose authorization contains one of the configured scopes
SecureHeaders Adds best-practice security headers
SetPath Sets the request path
SetRequestHostHeader Overrides the host header value of matching requests
SetResponseHeader Sets a certain response header
SetStatus Sets the HTTP status of the response
SSO Login Redirects to authenticate if no valid Authorization token
StoreIpAddress Store IP address value in the context of the application
StoreHeader Store a header value in the context of the application
StripPrefix Strips a number of segments from the path of a matching request. By default it has value 1 on every configured route.
SsoAutoAuthorize Adds a fake SSO authorization for development purposes
TokenRelay Forwards the OAuth2 access token to downstream resources
XmlToJson Transforms an XML response body into a JSON response body

AddRequestHeadersIfNotPresent

Adds headers if not present in the original request.

Configuration parameters:

  • headers: comma-separated list of key-value pairs (header name, header value)
    AddRequestHeadersIfNotPresent=Content-Type:application/json,Connection:keep-alive

AllowedRequestCookieCount

Determines if a matching request is allowed to proceed based on the number of cookies.

Configuration parameters:

  • cookieCount: number of allowed cookies.
    AllowedRequestCookieCount=2

AllowedRequestHeadersCount

Determines if a matching request is allowed to proceed based on the number of headers.

Configuration parameters:

  • headerCount: number of allowed headers.
    AllowedRequestHeadersCount=4

AllowedRequestQueryParamsCount

Determines if a matching request is allowed to proceed based on the number of query parameters.

Configuration parameters:

  • paramsCount: number of allowed parameters.
    AllowedRequestQueryParamsCount=3

ApiKey

Validates API keys from the X-API-Key header against those stored in HashiCorp Vault.

Activated on the Gateway resource, see ApiKey in "Commercial Route filters for Authentication for SCG for K8s" for full details on configuration.

    filters:
      apiKey:
        enabled: true

BasicAuth

Adds a BasicAuth Authorization header to requests.

No parameters required.

    BasicAuth

CircuitBreaker

Wraps routes in a circuit breaker.

Configuration parameters:

  • name: circuit breaker name.
  • fallbackUri: reroute url, can be a local route or external handler.
  • statusCodes: (optional) colon-separated list of status codes to match, in number or text format.
  • failureRateThreshold: (optional) threshold above which the circuit breaker will be opened (default 50%).
  • waitIntervalInOpenState: (optional) time to wait before closing again (default 60s).
    CircuitBreaker=myCircuitBreaker,forward:/inCaseOfFailureUseThis,401:NOT_FOUND:500,10,30s

ClaimHeader

Copies data from a JWT claim into an HTTP header.

Configuration parameters:

  • claim: case sensitive name of the claim to pass.
  • headerName: name of the HTTP header.
    ClaimHeader=sub,X-Claim-Sub

ClientCertificateHeader

Validates the X-Forwarded-Client-Cert header certificate.

Configuration parameters:

  • domain: X-Forwarded-Client-Cert value according to Kubernetes's ability to recognize client certificate's CA.
  • certificateFingerprint: (optional) SSL certificate's fingerprint.
    ClientCertificateHeader=*.example.com,sha-1:aa:bb:00:99

Cors

Activates CORS validations on a route.

Configuration parameters are organized as key-value pairs for CORS options:

  • allowedOrigins
  • allowedMethods
  • allowedHeaders
  • maxAge
  • allowCredentials
  • allowedOriginPatterns
    Cors=[allowedOrigins:https://origin-1,allowedMethods:GET;POST;DELETE,allowedHeaders:*,maxAge:400,allowCredentials:true,allowedOriginPatterns:https://*.test.com:8080]

FallbackHeaders

Adds any circuit breaker exception to a header. Requires the use of the CircuitBreaker filter in another route.

No parameters required.

    FallbackHeaders

JwtKey

Adds multiple client JSON Web Token validation.

Activated on the Gateway resource, see JwtKey in "Commercial Route filters for Authentication for SCG for K8s" for full details on configuration.

    filters:
      jwtKey:
        enabled: true

JsonToXml

Transforms a JSON response body into an XML response body.

Configuration parameters:

  • wrapper: root tag name for the XML response. If an additional root tag is required to generate valid XML, the default root tag is response.

See JsonToXml in "Commercial Route filters for Authentication for SCG for K8s" for full details and examples.

    JsonToXml=custom-response

LocalResponseCache

Overrides local response cache configuration for specific routes if global cache is activated.

Configuration parameters:

  • size: maximum allowed size of the cache entries for this route before cache eviction begins (in KB, MB and GB).
  • timeToLive: allowed lifespan of a cache entry before expiration (use the duration suffix s for seconds, m for minutes, or h for hours).
    LocalResponseCache=3m,1MB

RateLimit

Determines if a matching request is allowed to proceed based on request volume.

Configuration parameters:

  • limit: maximum number of requests accepted during the window.
  • duration: window duration in milliseconds. Alternatively the s, m or h suffixes can be used to specify the duration in seconds, minutes or hours.
  • keyLocation: (optional) location of the partition key (claim, header, or IPs) and the value used to partition request counters.
    RateLimit=1,10s
    RateLimit=1,10s,{claim:client_id}
    RateLimit=1,10s,{header:client_id}
    RateLimit=2,10s,{IPs:2;127.0.0.1;192.168.0.1}

RemoveJsonAttributesResponseBody

Removes JSON attributes and their values from JSON response bodies.

Configuration parameters:

  • fieldList: comma-separated list of the names of attributes to remove from a JSON response.
  • deleteRecursively: (optional) boolean that configures the removal of attributes only at root level (false, default value), or recursively (true).
    RemoveJsonAttributesResponseBody=origin,foo,true

RestrictRequestHeaders

Determines if a matching request is allowed to proceed based on the headers. If the request contains any HTTP header that is not in the headerList configuration (case insensitive), a 403 Forbidden response is returned to the client.

Configuration parameters:

  • headerList: list of names of allowed headers (case insensitive).
    RestrictRequestHeaders=Content-Type,x-request-temp

Note: If any load balancers or network gateways add extra request headers, they need to be included in the list or the request will return an error.
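
The allowlist rule and the load balancer caveat above, as an added example (not code from the product or its documentation): it models only the rule as stated here and reports which headers arriving at the gateway would cause a 403. The sample requests and the X-Forwarded-* header names are constructed assumptions.

```python
# Added example: models the RestrictRequestHeaders rule as this page states it.
# The sample requests below are constructed for illustration.

def parse_header_list(filter_line):
    """Return the allowed header names (lowercased) from a filter line."""
    name, _, value = filter_line.partition("=")
    if name.strip() != "RestrictRequestHeaders":
        raise ValueError(f"not a RestrictRequestHeaders filter: {filter_line!r}")
    return {h.strip().lower() for h in value.split(",") if h.strip()}


def rejected_headers(filter_line, request_headers):
    """Request headers that are not in headerList (case insensitive)."""
    allowed = parse_header_list(filter_line)
    return sorted(h for h in request_headers if h.lower() not in allowed)


def expected_status(filter_line, request_headers):
    """403 if any header is outside headerList; 200 assumes the upstream answers OK."""
    return 403 if rejected_headers(filter_line, request_headers) else 200


def widened_filter(filter_line, request_headers):
    """The filter line extended with the extra headers seen at the gateway."""
    current = [h.strip() for h in filter_line.partition("=")[2].split(",") if h.strip()]
    extra = rejected_headers(filter_line, request_headers)
    return "RestrictRequestHeaders=" + ",".join(current + extra)


FILTER = "RestrictRequestHeaders=Content-Type,x-request-temp"

# Constructed: what the client sent, and the same request after a load balancer hop.
CLIENT_REQUEST = {"content-type": "application/json", "X-Request-Temp": "1"}
AT_GATEWAY = {**CLIENT_REQUEST,
              "X-Forwarded-For": "203.0.113.7",
              "X-Forwarded-Proto": "https"}

if __name__ == "__main__":
    print(expected_status(FILTER, CLIENT_REQUEST))
    print(expected_status(FILTER, AT_GATEWAY), rejected_headers(FILTER, AT_GATEWAY))
    print(widened_filter(FILTER, AT_GATEWAY))
```

Run it against headers captured at the gateway rather than at the client, since that is where the headers added by intermediate hops are visible.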

RewriteAllResponseHeaders

Rewrite multiple response headers at once.

Configuration parameters:

  • regexp: regular expression to match against header values.
  • replacement: replacement value.
    RewriteAllResponseHeaders=\d,0

RewriteResponseBody

Modifies the body of a response.

Configuration parameters are organized as a comma-separated list of key-value pairs, where each pair takes the form pattern to match:replacement:

  • keyValues: list of regular expressions to match against text in the response body, each with its replacement value, separated by commas.
    RewriteResponseBody=foo:bar,/path-one/:/path-two/

RewriteJsonAttributesResponseBody

Rewrite JSON attributes using JSONPath notation.

Configuration parameters are organized as a comma-separated list of key-value pairs, where each pair takes the form jsonpath:replacement:

  • keyValues: list of JSONPath expressions to match against the response body, each with its replacement value, separated by commas.
    RewriteJsonAttributesResponseBody=slides[1].title:Welcome,date:11-11-2022

Roles

Authorizes requests whose authorization contains one of the configured roles.

Configuration parameters:

  • roles: comma-separated list of authorized roles.
    Roles=role_01,role_02

Scopes

Authorizes requests whose authorization contains one of the configured OAuth scopes.

Configuration parameters:

  • scopes: comma-separated list of authorized OAuth scopes.
    Scopes=api.read,api.write,user

StoreIpAddress

Store IP address value in the context of the application. For extension development only.

Configuration parameters:

  • parameterName: name used to store the IP as an exchange attribute.
    StoreIpAddress=ip

SSO login

Redirects to authenticate if no valid Authorization token is found.

Configured per route via a boolean flag in SpringCloudGatewayRouteConfig. See Single sign-on for Spring Cloud Gateway for K8s for full details on configuration.

    routes:
      - ssoEnabled: true

StoreHeader

Store a header value in the context of the application. For extension development only.

Configuration parameters:

  • tracingHeaders: list of headers to check (the first one found is used); the last parameter of the list is used as the name under which the header value is stored as an exchange attribute.
    StoreHeader=X-Tracing-Header,Custom-Id,X-Custom-Id,myTracingParam

SsoAutoAuthorize

For development only. Adds a fake SSO authorization for development purposes.

Configuration parameters:

  • headers: list of roles or scopes to set.
    SsoAutoAuthorize=SCOPE_test,ROLE_test
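
A pre-deployment check for this filter, added here as an example and not part of the product: it scans route definitions and reports every route that carries SsoAutoAuthorize, with the authorities it would set and any Roles or Scopes filters on the same route. The route dictionaries are constructed, and the routes[].filters layout is assumed from the SpringCloudGatewayRouteConfig format.

```python
# Added example: CI-style check over route definitions (constructed sample data).

DEV_ONLY_FILTERS = {"SsoAutoAuthorize"}   # described above as "For development only"
AUTHZ_FILTERS = {"Roles", "Scopes"}       # authorization filters listed on this page


def split_filter(line):
    """'Name=a,b' -> ('Name', ['a', 'b']); 'BasicAuth' -> ('BasicAuth', [])."""
    name, _, value = line.partition("=")
    return name.strip(), [a.strip() for a in value.split(",") if a.strip()]


def audit_routes(routes):
    """Return one finding per development-only filter found in the routes."""
    findings = []
    for index, route in enumerate(routes):
        parsed = [split_filter(f) for f in route.get("filters", [])]
        authz = sorted(name for name, _ in parsed if name in AUTHZ_FILTERS)
        for name, args in parsed:
            if name in DEV_ONLY_FILTERS:
                findings.append({
                    "route": index,                    # position in the routes list
                    "filter": name,
                    "granted": args,                   # roles/scopes it would set
                    "authz_filters_on_route": authz,   # Roles/Scopes beside it
                })
    return findings


ROUTES = [  # constructed sample, as it would look after loading the YAML
    {"ssoEnabled": True, "filters": ["StripPrefix=0", "SecureHeaders"]},
    {"filters": ["Roles=role_01,role_02", "SsoAutoAuthorize=SCOPE_test,ROLE_test"]},
]

if __name__ == "__main__":
    import sys
    results = audit_routes(ROUTES)
    for finding in results:
        print(finding)
    sys.exit(1 if results else 0)   # non-zero exit fails the pipeline stage
```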

TokenRelay

Forwards OAuth2 access token to downstream resources.

Configured per route via a boolean flag in SpringCloudGatewayRouteConfig.

See TokenRelay in "Commercial Route filters for Authentication for SCG for K8s" for full details on configuration.

    routes:
      - tokenRelay: true

XmlToJson

Transforms an XML response body into a JSON response body.

No parameters required.

See XmlToJson in "Commercial Route filters for Authentication for SCG for K8s" for full details and examples.

    XmlToJson