IE11将覆盖在Intranet环境承载授权头 [英] IE11 overrides Bearer authorization header in intranet environment
问题描述
我在遇到一个IE11 pretty奇怪的问题,浏览器正在重写Authorization头在我的请求,即使我通过AngularJS设置它。
I'm encountering a pretty strange issue in IE11 where the browser is overriding the Authorization header in my requests even though I am setting it via AngularJS.
基本上,我有一个看起来像这样的请求注册的HTTP拦截器:
Basically, I have an HTTP interceptor registered for all requests that looks like this:
AuthInterceptorService.request = function (config) {
config.headers.Authorization = "Bearer " + bearerToken;
}
这在所有的浏览器(在一定条件下甚至IE)大。我有我的应用程序在IIS中设置为允许匿名身份验证和我对这个子网站基本/集成身份验证被禁用,但是,父配置有eabled Windows身份验证。
This works great in all browsers (even IE under certain conditions). I have my app set up in IIS as allowing anonymous authentication and I have basic/integrated authentication disabled for this subsite, however, the parent configuration has windows authentication eabled.
什么是偶然发生的是,浏览器将对根URL的请求一个静态文件(例如, /favicon.ico )。该请求被拒绝了401浏览器与协商的身份验证响应并得到图标。在这一点上,其他所有浏览器还是让我的code设置授权头,但是一旦这种集成的身份验证在IE中发生的,授权头似乎卡住 - 不管我的code做什么,授权头球始终使用集成身份验证。这将导致所有请求我的API失败,因为不记名令牌是present。
What is happening occasionally is that the browser will make a request to the root URL for a static file (say, /favicon.ico). This request is denied with a 401. The browser responds with negotiated authentication and gets the favicon. At this point, all other browsers still let my code set the Authorization header, but once this integrated authentication happens in IE, the authorization header seems to get stuck - no matter what my code does, the authorization header is always using integrated authentication. This causes all requests to my API to fail because no Bearer token is present.
我能够通过指定更多的本地图标(其中静态文件可以匿名提供)来解决该图标的问题,但我想知道是否有一个不太哈克解决这个问题。我能以某种方式说服IE让我设置即使Windows身份验证已经发生在previous请求的Authorization头?
I was able to work around the favicon issue by specifying a more local favicon (where static files can be served anonymously), but I am wondering if there is a less hacky solution to this issue. Can I somehow convince IE to let me set the Authorization header even if Windows authentication has taken place on a previous request?
请注意:我发现<一个href=\"https://stackoverflow.com/questions/28615850/internet-explorer-11-replaces-authorization-header\">this问题这似乎是相关的(也许是相同的根本原因)。
Note: I found this question which seems to be related (maybe the same underlying cause).
推荐答案
如果你看的 RFC 4559文档,它涉及使用IE浏览器与IIS进行身份验证时协商安全的选择伪机制。
If you look at the Negotiate Operation Example of the RFC 4559 document, it involves a pseudo mechanism used by IE to negotiate the choice of security when authenticating with IIS.
第一次客户端请求的文件,没有授权结果
头被发送,因此服务器响应
The first time the client requests the document, no Authorization
header is sent, so the server responds with
S: HTTP/1.1 401 Unauthorized
S: WWW-Authenticate: Negotiate
客户端将获得使用SPNEGO GSSAPI用户凭据
机构类型来标识生成一个GSSAPI消息被发送到搜索
用一个新的请求,其中包括下列授权结果,在服务器
标题:
The client will obtain the user credentials using the SPNEGO GSSAPI
mechanism type to identify generate a GSSAPI message to be sent to
the server with a new request, including the following Authorization
header:
C: GET dir/index.html
C: Authorization: Negotiate a87421000492aa874209af8bc028
服务器将取消code中的GSSAPI数据,并把它传递给SPNEGO结果
GSSAPI机制在gss_accept_security_context功能。如果
上下文不完整,服务器会返回一个401状态响应搜索
code与包含GSSAPI数据一个WWW-Authenticate头。
The server will decode the gssapi-data and pass this to the SPNEGO
GSSAPI mechanism in the gss_accept_security_context function. If the
context is not complete, the server will respond with a 401 status
code with a WWW-Authenticate header containing the gssapi-data.
S: HTTP/1.1 401 Unauthorized
S: WWW-Authenticate: Negotiate 749efa7b23409c20b92356
客户端将取消code中的GSSAPI数据,通过这个入结果
Gss_Init_security_context,和新的GSSAPI数据返回到结果
服务器。
The client will decode the gssapi-data, pass this into
Gss_Init_security_context, and return the new gssapi-data to the
server.
所以,我不认为它可能为你而交融的谈判发生的过程是内部
So, I don't think its possible for you to intermingle while the negotiation takes place as the process is internal
这篇关于IE11将覆盖在Intranet环境承载授权头的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
