CORS - 如何在 Apache 的 httpd.conf 中忽略 OPTIONS 预检请求的身份验证? [英] CORS - how to ignore authentication for OPTIONS preflight request in Apache's httpd.conf?

问题描述

我是 CORS 的新手，了解到浏览器发送的 OPTIONS 预检请求不包括用户凭据.如何让过滤器(在 httpd.conf 中)以不同的方式响应 OPTIONS 请求，即绕过身份验证?

I'm new to CORS and have learnt that the OPTIONS preflight request sent by the browser excludes user credentials. How do I get the filter (in httpd.conf) to respond to OPTIONS requests differently, i.e bypassing the authentication ?

这是我当前的配置:

<LocationMatch /api>
SetEnvIfNoCase Origin "https://(www\.)?(domain1\.com|domain2\.com)(:\d+)?$" AccessControlAllowOrigin=$0
Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header set Access-Control-Allow-Credentials "true"
Header set Access-Control-Allow-Methods "GET,POST,DELETE,OPTIONS"
Header set Access-Control-Allow-Headers "Accept, Authorization, Origin, Content-Type"
AuthFormProvider ldap
AuthLDAPURL "ldap://localhost:10889/ou=Users,dc=work,dc=com?uid"
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN on
Require valid-user
ErrorDocument 401 /login.html
ErrorDocument 500 /error.html
AuthType form
AuthName realm
Session On
SessionMaxAge 1800
SessionDBDCookieName session path=/
ProxyPass  http://localhost:8080 timeout=31536000
AuthFormFakeBasicAuth On
</LocationMatch>

以及发出请求的 javascript :

And the javascript which makes the request :

$.ajax({
        type : "DELETE",
        url : "https://www.domain1.com/api",
        xhrFields: {
            withCredentials: true,
        },
        success : function(data){

        },
});

我已经尝试了以下但没有运气:

I've tried the follwoing but with no luck :

(一)

RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L,E=HTTP_ORIGIN:%{HTTP:ORIGIN}]

(b)

<Limit OPTIONS>
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Credentials "false"
Header always set Access-Control-Allow-Headers "Accept, Authorization, Origin, Content-Type"
Header always set Access-Control-Allow-Methods "GET,POST,DELETE,OPTIONS,PUT"
</Limit>

(c)

<Limit OPTIONS>
Allow for all
</Limit>

(d)

SetEnvIfNoCase Request_Method OPTIONS allowed

有什么想法吗?请帮忙！

Any idea ? Please help !

推荐答案

我今天在 这个问题.基本上你的选择 c.

I had the same issue which I solved today with the help of this question. Basically your option c.

我的配置结构是:

conf/httpd.conf <- normal stuff   
conf.d/ssl.conf <- set up ssl stuff  
conf.d/api.conf <- set specific stuff to api like Auth  
/var/www/.htaccess <- set specific stuff to api again   

这允许限制除 OPTIONS 之外的所有内容

This allows for limiting everything except for OPTIONS

/conf.d/api.conf 文件:

<Directory "/var/www/api">
  AllowOverride All
  Options FollowSymLinks

  <LimitExcept OPTIONS>
    Auth stuff here
    Mainly your Require statements
  </LimitExcept>
</Directory>

然后在我的 .htaccess 文件中设置标题.

Then in my .htaccess file I set the headers.

Apache 手册在 require 指令中指出访问以这种方式应用的控制对所有方法都有效.这是通常所希望的.如果您希望仅对特定方法应用访问控制，而让其他方法不受保护，则将 Require 语句放入 <限制> [或 ] 部分."

The Apache manual in the require directive states "Access controls which are applied in this way are effective for all methods. This is what is normally desired. If you wish to apply access controls only to specific methods, while leaving other methods unprotected, then place the Require statement into a <Limit> [or <LimitExcept>] section."

我必须确保我的应用程序可以处理 OPTIONS，因为此设置不会自动返回.此处 或此处可以看到如何重定向可能起作用，而不是让应用程序中的某些东西来处理它.

I had to make sure my application could handle OPTIONS as this setup is not doing an automatic return. Here or here one can see how to redirect which may work instead of having something in the application handle it.

这篇关于CORS - 如何在 Apache 的 httpd.conf 中忽略 OPTIONS 预检请求的身份验证?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！