RestyGWT and Basic Authentication



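After several days without any progress, I need your help.

Using GWT, I am trying to communicate with my REST server, which is on a different URL (CORS is needed).
My configuration:
Server
- Spring Boot 1.3.3

Client
- GWT 1.7
- restygwt 2.0.3

Server side, I think it is OK.
When I disable security in Spring, I can get data in my GWT client.
But when I enable it, I always get a 401 on the request. The REST URL request works directly in the web browser (with its authentication dialog).

Client side, I followed this page:
https://ronanquillevere.github.io/2014/04/11/restygwt-basic-auth.html

Here is my code:

The filter that adds the credentials to the header: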

public class BasicAuthHeaderDispatcherFilter implements DispatcherFilter {
    public static final String AUTHORIZATION_HEADER = "Authorization";
    @Override
    public boolean filter(Method method, RequestBuilder builder) {
        try {
            String basicAuthHeaderValue = createBasicAuthHeader(
                    UserCredentials.INSTANCE.getUserName(),
                    UserCredentials.INSTANCE.getPassword());
            builder.setHeader(AUTHORIZATION_HEADER, basicAuthHeaderValue);
        } catch (UnsupportedEncodingException e) {
            return false;
        }
        return true;
    }
    private String createBasicAuthHeader(String userName, String password)
            throws UnsupportedEncodingException {
        String credentials = userName + ":" + password;
        String encodedCredentials = new String(Base64.encode(credentials
                .getBytes()), "UTF-8");
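        // Debug only: Base64 is an encoding, not encryption, so this line
        // writes the user name and password to the log in recoverable form.
        GWT.log("encodedCredentials=["+encodedCredentials+"]");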
        return " Basic " + encodedCredentials;
    }
}

The dispatcher:

public class MyDispatcher extends DefaultFilterawareDispatcher {
    public MyDispatcher() {
        addFilter(new BasicAuthHeaderDispatcherFilter());
    }
}

My test call:

@Override
public void onClick(ClickEvent event) {
    Defaults.setDispatcher(new MyDispatcher());
    UserCredentials.INSTANCE.setUserName("user");
    UserCredentials.INSTANCE.setPassword("psswd");
    String url = "http://localhost:8080/race";
    Resource resource = new Resource(url);
    resource.get().send(new JsonCallback() {
        @Override
        public void onSuccess(Method method, JSONValue response) {
            GWT.log(response.toString());
        }
        @Override
        public void onFailure(Method method, Throwable exception) {
            GWT.log("Erreur: ", exception);
        }
    });
}

Now the resulting headers from the web browser's developer tools.

Directly in the web browser:
Request

Accept  text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate
Accept-Language fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Authorization   Basic R3V5OnR5Y29vbg==
Cache-Control   max-age=0
Connection  keep-alive
Host    localhost:8080
User-Agent  Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0

Response

Cache-Control   no-cache, no-store, max-age=0, must-revalidate
Content-Type    application/json;charset=UTF-8
Date    Thu, 28 Apr 2016 17:35:31 GMT
Expires 0
Pragma  no-cache
Server  Apache-Coyote/1.1
Set-Cookie  JSESSIONID=A496281DBD6E9B797887B9C34B47DA52; Path=/; HttpOnly
Transfer-Encoding   chunked
X-Frame-Options DENY
X-XSS-Protection    1; mode=block
x-content-type-options  nosniff

GWT client:
Request

Accept  text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate
Accept-Language fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Access-Control-Request-He...    authorization,x-http-method-override
Access-Control-Request-Me...    GET
Connection  keep-alive
Host    localhost:8080
Origin  http://127.0.0.1:8888
User-Agent  Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0

Response

Access-Control-Allow-Cred...    true
Access-Control-Allow-Orig...    http://127.0.0.1:8888
Allow   GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
Cache-Control   no-cache, no-store, max-age=0, must-revalidate
Content-Length  0
Date    Thu, 28 Apr 2016 17:43:29 GMT
Expires 0
Pragma  no-cache
Server  Apache-Coyote/1.1
Set-Cookie  JSESSIONID=4D80D0C0FA9E27D166F6489CC88C3E45; Path=/; HttpOnly
Vary    Origin
WWW-Authenticate    Basic realm="Realm"
X-Frame-Options DENY
X-XSS-Protection    1; mode=block
access-control-allow-head...    authorization, x-http-method-override
access-control-allow-meth...    GET
x-content-type-options  nosniff

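I noticed two things:
- In the GWT request headers, I do not have the Authorization value. However, in the console log there is a trace confirming that my filter was triggered.
- Only in Firefox, when I make the request, Firebug captures two network packets: the first has the Authorization value but no response, and the second is the result I described above.

Thanks for your help.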

Solved.

My server was rejecting the preflight request sent by the web browser.

I added a CorsFilter to the server that ignores OPTIONS requests:

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    HttpServletResponse theResponse = (HttpServletResponse) response;
    HttpServletRequest theRequest = (HttpServletRequest) request;
    theResponse.setHeader("Access-Control-Allow-Origin", theRequest.getHeader("Origin"));
    if ("OPTIONS".equalsIgnoreCase(theRequest.getMethod())) {
        theResponse.setHeader("Access-Control-Allow-Credentials", "true");
        theResponse.setHeader("Access-Control-Allow-Methods", "POST, GET, HEAD, OPTIONS, DELETE");
        theResponse.setHeader("Access-Control-Allow-Headers", "Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization, X-HTTP-Method-Override");
    } else {
        chain.doFilter(request, response);
    }
}
