为具有凭据支持的 tomcat 应用程序启用 CORS [英] Enable CORS for tomcat applications with credentials support

问题描述

我的服务器上有一个从 IIS 运行的简单 GWT 应用程序.我正在尝试测试对在同一服务器上运行的 tomcat 的 HTTP 请求.但是，由于两个应用程序服务器都在不同的端口上运行，因此我的浏览器(chrome 和 firefox)将这些请求视为 CORS 请求.

I have a simple GWT application running from IIS on my server. I am trying to test HTTP requests to tomcat running on the same server. However, since both the application servers are running on different ports, my browser (chrome and firefox) treats the requests as a CORS request.

为了让 tomcat 能够接受 CORS 请求，我将其更新为 Tomcat 7.0.52 并在全局 web.xml 配置中启用了 CORS 过滤器.我测试了这个简单的设置，它似乎有效.这是 GWT 中的代码:

To enable tomcat to accept CORS request, I updated it to Tomcat 7.0.52 and enabled the CORS filter in the global web.xml configuration. I tested this simple setup and it seems to work. Here is the code in GWT:

        String url = "http://bavarians:8080/";
        RequestBuilder rb = new RequestBuilder(RequestBuilder.GET, url);
        box.setText(url);
        try
        {
            rb.sendRequest("", new RequestCallback(){

                @Override
                public void onResponseReceived(Request request, Response response)
                {
                    Window.alert(response.getStatusCode() + response.getStatusText());
                }

                @Override
                public void onError(Request request, Throwable exception)
                {
                    Window.alert("Request failed");

                }});
        }
        catch (RequestException e)
        {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }

这是与之关联的 CORS 过滤器:

Here is the CORS filter associated with it:

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>http://bavarians</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers, Authorization</param-value>
  </init-param>
  <init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials, Authorization</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>cors.preflight.maxage</param-name>
    <param-value>10</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

通过这个设置，我得到了来自 tomcat 的 200 OK 响应.因此可以安全地假设 CORS 过滤器正在工作.为了支持这一点，我做了一个提琴手的踪迹，一切看起来都很好.

With this setup, I get a 200 OK response from tomcat. So its safe to assume that CORS filter is working. To back this up, I took a fiddler trace and all looked good.

现在，由于我想访问 tomcat(solr) 的应用程序之一，我需要对我的 CORS 请求进行基本身份验证.这带来了预检请求.由于我设置了 CORS 过滤器以启用凭据使用，因此我不需要对其进行任何更改.所以，我对我的代码进行了以下更改

Now, since I want to access one of the apps of tomcat(solr), I need basic authentication with my CORS request. This brings a preflight request into picture. Since I setup my CORS filter to enable credential use, I didn't need any changes to it. So, I made the following change to my code

        String url = "http://bavarians:8080/solr/select?wt=xml&q=tag_name:abcd&username=domain\userid";
        RequestBuilder rb = new RequestBuilder(RequestBuilder.GET, url);
        box.setText(url);
        rb.setHeader("Authorization", "Basic YWRtaW46YWRtaW4=");
        rb.setIncludeCredentials(true);

现在，当我尝试使用此代码时，它会进入 onResponseReceived 代码块并给出一个值为0"的警报框.当我进行提琴手跟踪时，我得到了这个:

Now, when I try to use this code, it gets inside the onResponseReceived code block and gives an alert box with "0" value. When I took a fiddler trace, I get this:

浏览器发送预检请求是有意义的，因为我将自定义标头添加到请求中.但我不明白为什么尽管在其 CORS 过滤器配置中添加了授权标头，tomcat 仍然以 401 代码响应.

It makes sense for the browser to send a preflight request since I am adding the custom header to the request. But I don't understand why tomcat responds with a 401 code despite adding the authorization header to its CORS filter configuration.

希望得到任何帮助或回复

I'd appreciate any help or response

我注意到的另一件事 - 如果我的 URL 只是bavarians:8080/solr/";，tomcat 成功授权预检请求，并且下一个请求将作为带有 200 OK 响应的普通 GET 请求.但是如果我输入函数名并用URL查询，我又得到401.从浏览器访问上述 URL 需要基本身份验证.所以 CORSFilter 确实可以工作到某个时刻

One more thing that I have noticed- if my URL is just "bavarians:8080/solr/";, tomcat successfully authorizes the preflighted request and the immediate next request is processed as a normal GET request with a 200 OK response. But if I enter the function name and query with the URL, I get 401 again. Accessing the above URL from browser requires Basic Authentication. So CORSFilter does work until some point

推荐答案

Credentials 不会在 preflight 请求中发送，所以你必须配置 Tomcat 让请求到达 CorsFilter 即使在未经认证.也就是说，你必须声明一个 和 OPTIONS 而没有 .

Credentials won't be sent in the preflight request, so you have to configure Tomcat to let the request reach the CorsFilter even when unauthenticated. That is, you have to declare a <security-constraint> with <http-method>OPTIONS</http-method> and no <auth-constraint>.

这篇关于为具有凭据支持的 tomcat 应用程序启用 CORS的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！