CORS - 如何忽略OPTIONS preflight请求验证Apache中的httpd.conf？ [英] CORS - how to ignore authentication for OPTIONS preflight request in Apache's httpd.conf?

问题描述

我是新来的CORS，并了解到，由浏览器发送的选项preflight请求排除用户凭据。 如何获得的过滤器（在httpd.conf）响应OPTIONS请求不同，即绕过身份验证？

I'm new to CORS and have learnt that the OPTIONS preflight request sent by the browser excludes user credentials. How do I get the filter (in httpd.conf) to respond to OPTIONS requests differently, i.e bypassing the authentication ?

这是我目前的配置：

<LocationMatch /api>
SetEnvIfNoCase Origin "https://(www\.)?(domain1\.com|domain2\.com)(:\d+)?$" AccessControlAllowOrigin=$0
Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header set Access-Control-Allow-Credentials "true"
Header set Access-Control-Allow-Methods "GET,POST,DELETE,OPTIONS"
Header set Access-Control-Allow-Headers "Accept, Authorization, Origin, Content-Type"
AuthFormProvider ldap
AuthLDAPURL "ldap://localhost:10889/ou=Users,dc=work,dc=com?uid"
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN on
Require valid-user
ErrorDocument 401 /login.html
ErrorDocument 500 /error.html
AuthType form
AuthName realm
Session On
SessionMaxAge 1800
SessionDBDCookieName session path=/
ProxyPass  http://localhost:8080 timeout=31536000
AuthFormFakeBasicAuth On
</LocationMatch>

以及JavaScript提出请求：

And the javascript which makes the request :

$.ajax({
        type : "DELETE",
        url : "https://www.domain1.com/api",
        xhrFields: {
            withCredentials: true,
        },
        success : function(data){

        },
});

我已经试过了follwoing，但没有运气：

I've tried the follwoing but with no luck :

（一）

RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L,E=HTTP_ORIGIN:%{HTTP:ORIGIN}]

（二）

<Limit OPTIONS>
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Credentials "false"
Header always set Access-Control-Allow-Headers "Accept, Authorization, Origin, Content-Type"
Header always set Access-Control-Allow-Methods "GET,POST,DELETE,OPTIONS,PUT"
</Limit>

（三）

<Limit OPTIONS>
Allow for all
</Limit>

（四）

SetEnvIfNoCase Request_Method OPTIONS allowed

你知道吗？请帮帮忙！

Any idea ? Please help !

推荐答案

我有我的今天解决了的<一的帮助下同样的问题href="http://serverfault.com/questions/684855/disable-authentication-for-http-options-method-$p$pflight-request">this问题。基本上，你的选项C。

I had the same issue which I solved today with the help of this question. Basically your option c.

我的conf结构为：

conf/httpd.conf <- normal stuff   
conf.d/ssl.conf <- set up ssl stuff  
conf.d/api.conf <- set specific stuff to api like Auth  
/var/www/.htaccess <- set specific stuff to api again   

这使得限制一切除了选项

This allows for limiting everything except for OPTIONS

/conf.d/api.conf 文件：

<Directory "/var/www/api">
  AllowOverride All
  Options FollowSymLinks

  <LimitExcept OPTIONS>
    Auth stuff here
    Mainly your Require statements
  </LimitExcept>
</Directory>

然后在我的的.htaccess 文件我设置了头。

Then in my .htaccess file I set the headers.

的要求指令Apache手册规定访问它们可被用于以这种方式控制是有效的所有方法。这就是通常需要的，如果你想申请的访问控制只对具体的方法，同时保持其他方法不受保护，然后将需要的语句成＆LT;限制＆GT; [或者＆LT; LimitExcept中＆GT; ]部分。

The Apache manual in the require directive states "Access controls which are applied in this way are effective for all methods. This is what is normally desired. If you wish to apply access controls only to specific methods, while leaving other methods unprotected, then place the Require statement into a <Limit> [or <LimitExcept>] section."

我必须确保我的应用程序可以处理选项，这个设置是不是做一个自动返回。 <一href="http://benjaminhorn.io/$c$c/setting-cors-cross-origin-resource-sharing-on-apache-with-correct-response-headers-allowing-everything-through/"相对=nofollow>这里或这里人们可以看到如何重定向它可以工作，而不必在应用程序中的东西处理它。

I had to make sure my application could handle OPTIONS as this setup is not doing an automatic return. Here or here one can see how to redirect which may work instead of having something in the application handle it.

这篇关于CORS - 如何忽略OPTIONS preflight请求验证Apache中的httpd.conf？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！