Chrome:如果尚未通过身份验证，如何获取Ajax请求以与kerberos一起使用 [英] Chrome: How to get ajax request to work with kerberos if not already authenticated

问题描述

我们有一个使用Kerberos保护的REST API.在其他地方托管的是一个调用此API的Web应用.

We have a REST API secured using Kerberos. Hosted elsewhere is a webapp that calls this API.

如果直接导航到API，则身份验证可以正常工作并返回cookie.然后，由于有一个API根URI的cookie，因此webapp可以正常工作.

If you navigate directly to the API, then the authentication works fine and a cookie is returned. Then the webapp works just fine since it has a cookie for API's root URI.

但是，如果您导航到该Web应用程序，并且它使用AJAX向API发出了HTTP GET请求，则该请求将返回401: Unauthorized和WWW-Authenticate:Negotiate.如果我导航到相同的地址，chrome将进行协商并获得身份验证，但在这种情况下，它会在此时停止.

However if you navigate to the webapp and it makes an HTTP GET request to the API using AJAX, then the request returns 401: Unauthorized as well as WWW-Authenticate:Negotiate. If I navigate to the same address, chrome would negotiate and get authenticated, but in this case it stops at this point.

有很多丑陋的技巧可以解决该问题，例如创建一个IFRAME来获取API的某些部分，或者将用户重定向到API并使用307使其反弹，但这显然不是最佳选择

There are various ugly hacks to get around the problem, like creating an IFRAME that sources some part of the API, or redirecting the user to the API and having it bounce the user back using a 307, but these are clearly not optimal.

在IE7中正常工作.

解决这个问题的正确方法是什么?

What is the correct way to deal with this?

推荐答案

我发现了问题所在. REST API具有一个附加的身份验证层，该身份验证层使用"Authorization" http标头设置api密钥.删除此安全层后，一切正常.

I figured out the issue. The REST API had an additional authentication layer that used the "Authorization" http header to set an api-key. After removing this security layer, everything worked fine.

如果其他人犯同样的错误，我将不提这个问题.

I'm going to leave this question up in case anybody else makes the same mistake.

这篇关于Chrome:如果尚未通过身份验证，如何获取Ajax请求以与kerberos一起使用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！