对于上下文,我试图跨站点调用需要用户使用基本身份验证的API。服务于API的Tomcat(7.0.43)被设置为允许跨域调用和身份验证。
我正在使用jquery。Ajax,传递以下选项:
xhrOtpions = {
url: "http://localhost:8080/api/v1/ressource",
dataType: 'json',
username: "user",
password: "pass",
xhrFields: {
withCredentials: true
}
}
使用Chrome(45),请求成功,使用Firefox(41),没有发送请求,错误消息是访问受限URI被拒绝
为了使调用在Firefox上工作,我更改了选项,以应用我从github上的相关jquery问题中读到的内容:
xhrActiveBuilds = {
url: "http://localhost:8080/api/v1/ressource",
dataType: 'json',
username: "user",
password: "pass",
xhrFields: {
withCredentials: true
},
beforeSend: function (xhr) {
xhr.setRequestHeader ("Authorization", "Basic <encoded_credentials>")
}
}
这对FF没有任何改变,仍然是相同的错误。在Chrome上,现在有一个预飞行选项请求发送,这是一个403禁止响应代码失败。
Tomcat服务器的CORS过滤器配置下面:
<filter>
<filter-name>CorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>http://localhost:1081</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.methods</param-name>
<param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.headers</param-name>
<param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
</init-param>
<init-param>
<param-name>cors.exposed.headers</param-name>
<param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials,Access-Control-Allow-Authorization</param-value>
</init-param>
<init-param>
<param-name>cors.support.credentials</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>cors.preflight.maxage</param-name>
<param-value>10</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CorsFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
我终于算出了这两个问题。
- 服务器端:我在cors.allowed.headers 中添加了授权
客户端:我将选项替换为:
xhrActiveBuilds = { url: "http://localhost:8080/api/v1/ressource", dataType: 'json', xhrFields: { withCredentials: true }, beforeSend: function (xhr) { xhr.setRequestHeader ("Authorization", "Basic <encoded_credentials>") } }
请注意,我已经删除了用户名和密码,因为它们会导致请求在FF上失败,因为jQuery实现(见)