Enable Access-Control-Allow-Credentials header in Azure website (Azure App Services)

Problem description

We recently migrated an API application from Azure Cloud Services to Azure Websites, and some clients are still using our legacy protocol for authentication, which uses cookies (instead of the usual Authorization: Bearer HTTP header). We need to support this authentication protocol for a little longer as the clients will not be able to migrate right away.

To support cookies in a cross-origin ajax request directed to the API, the client needs to set the withCredentials setting to true in the XMLHttpRequest, and the server needs to respond with the Access-Control-Allow-Credentials header as well to any CORS request.

The problem we face is that the Azure Website manages CORS all by itself, and uses its own configuration (which is limited to a list of allowed origins) for the response, which does not allow this header to be set... thus breaking the application for all our Ajax clients!

Is there a way to (temporarily) add this header in the responses?

Recommended answer

We finally managed to understand the behavior of the Azure Apps CORS middleware. To disable it, you have to clear every single allowed origin entry in the CORS blade of your web app (including *). Then you can manage CORS by yourself, either using the Web Api 2 functionality or using the web.config.

The information is even available in the documentation (https://azure.microsoft.com/en-gb/documentation/articles/app-service-api-cors-consume-javascript/#app-service-cors-versus-web-api-cors):

Don't try to use both Web API CORS and App Service CORS in one API app. App Service CORS will take precedence and Web API CORS will have no effect. For example, if you enable one origin domain in App Service, and enable all origin domains in your Web API code, your Azure API app will only accept calls from the domain you specified in Azure.

So the final answer is: If your application does not need a very specific CORS management, you can use Azure App Service CORS. Otherwise you will need to handle it yourself and disable all CORS configuration in the web app.
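
One way to do the "manage CORS by yourself" step with Web API 2, added here as an example and not code from the original question or answer. It assumes the Microsoft.AspNet.WebApi.Cors package is installed and the App Service CORS list has been emptied as described above; the origins, header list and method list are constructed placeholders.

```csharp
using System;
using System.Linq;
using System.Web.Http;
using System.Web.Http.Cors;

public static class WebApiConfig
{
    // Constructed placeholder origins (assumption): replace with the exact
    // scheme://host[:port] values of the legacy cookie-based clients.
    private static readonly string[] AllowedOrigins =
    {
        "https://app.example.com",
        "https://legacy.example.com"
    };

    public static void Register(HttpConfiguration config)
    {
        // Browsers reject "Access-Control-Allow-Origin: *" on credentialed
        // requests, and a cookie-authenticated API should only answer origins
        // it knows. Fail at startup instead of shipping a wildcard policy.
        if (AllowedOrigins.Length == 0 || AllowedOrigins.Any(o => o.Contains("*")))
        {
            throw new InvalidOperationException(
                "Credentialed CORS needs an explicit origin list.");
        }

        var cors = new EnableCorsAttribute(
            origins: string.Join(",", AllowedOrigins),
            headers: "Content-Type,Accept",      // placeholder request headers
            methods: "GET,POST,PUT,DELETE")      // placeholder methods
        {
            // Makes Web API send Access-Control-Allow-Credentials: true,
            // which the browser requires when withCredentials is set.
            SupportsCredentials = true,
            // Seconds a browser may cache the preflight response.
            PreflightMaxAge = 600
        };

        config.EnableCors(cors);   // default policy for every controller
        config.MapHttpAttributeRoutes();
    }
}
```

Keep the origin list as narrow as the set of legacy clients: with cookies in play, every listed origin can make authenticated calls on behalf of a logged-in user.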
