小贝子编程

为什么Chrome和Firefox没有相同的行为与基本授权的CORS ajax调用



对于上下文,我试图跨站点调用需要用户使用基本身份验证的API。服务于API的Tomcat(7.0.43)被设置为允许跨域调用和身份验证。

我正在使用jquery。Ajax,传递以下选项:

xhrOtpions = {
        url: "http://localhost:8080/api/v1/ressource",
        dataType: 'json',
        username: "user",
        password: "pass",
        xhrFields: {
          withCredentials: true
        }
      }

使用Chrome(45),请求成功,使用Firefox(41),没有发送请求,错误消息是访问受限URI被拒绝

为了使调用在Firefox上工作,我更改了选项,以应用我从github上的相关jquery问题中读到的内容:

xhrActiveBuilds = {
        url: "http://localhost:8080/api/v1/ressource",
        dataType: 'json',
        username: "user",
        password: "pass",
        xhrFields: {
          withCredentials: true
        },            
        beforeSend: function (xhr) {
          xhr.setRequestHeader ("Authorization",  "Basic <encoded_credentials>")
        }
      }

这对FF没有任何改变,仍然是相同的错误。在Chrome上,现在有一个预飞行选项请求发送,这是一个403禁止响应代码失败。

Tomcat服务器的CORS过滤器配置下面:

 <filter>
    <filter-name>CorsFilter</filter-name>
      <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
      <param-name>cors.allowed.origins</param-name>
      <param-value>http://localhost:1081</param-value>
    </init-param>
    <init-param>
      <param-name>cors.allowed.methods</param-name>
      <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
    </init-param>
    <init-param>
      <param-name>cors.allowed.headers</param-name>
      <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
    </init-param>
    <init-param>
      <param-name>cors.exposed.headers</param-name>
      <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials,Access-Control-Allow-Authorization</param-value>
    </init-param>
    <init-param>
      <param-name>cors.support.credentials</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>cors.preflight.maxage</param-name>
      <param-value>10</param-value>
    </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

我终于算出了这两个问题。

  • 服务器端:我在cors.allowed.headers
    • 中添加了授权

  • 客户端:我将选项替换为:

    xhrActiveBuilds = {
  url: "http://localhost:8080/api/v1/ressource",
  dataType: 'json',
  xhrFields: { withCredentials: true },
  beforeSend: function (xhr) {
    xhr.setRequestHeader ("Authorization",  "Basic <encoded_credentials>")
  }
}

请注意,我已经删除了用户名和密码,因为它们会导致请求在FF上失败,因为jQuery实现(见)

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium