困惑如何处理CORS OPTIONS preflight请求 [英] Confused about how to handle CORS OPTIONS preflight requests

问题描述

我是新来与跨源资源共享工作，并试图让我的web应用程序对CORS请求。我的web应用程序是在Tomcat 7.0.42运行春季3.2的应用程序。

I'm new to working with Cross Origin Resource Sharing and trying to get my webapp to respond to CORS requests. My webapp is a Spring 3.2 app running on Tomcat 7.0.42.

在我的web应用程序的web.xml，我已经启用Tomcat的CORS过滤器：

In my webapp's web.xml, I have enabled the Tomcat CORS filter:

<!-- Enable CORS (cross origin resource sharing) -->
<!-- http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter -->
<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>   

我的客户（与AngularJS 1.2.12写的）正试图访问一个REST端点启用基本身份验证。当它使得它的GET请求，Chrome是第一preflighting请求，但接收来自服务器的403禁止响应：

My client (written with AngularJS 1.2.12) is trying to access a REST endpoint with Basic Authentication enabled. When it makes it's GET request, Chrome is first preflighting the request, but is receiving a 403 Forbidden response from the server:

Request URL:http://dev.mydomain.com/joeV2/users/listUsers
Request Method:OPTIONS
Status Code:403 Forbidden
Request Headers:
   OPTIONS /joeV2/users/listUsers HTTP/1.1
   Host: dev.mydomain.com
   Connection: keep-alive
   Cache-Control: max-age=0
   Access-Control-Request-Method: GET
   Origin: http://localhost:8000
   User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36
   Access-Control-Request-Headers: accept, authorization
   Accept: */*
   Referer: http://localhost:8000/
   Accept-Encoding: gzip,deflate,sdch
   Accept-Language: en-US,en;q=0.8
Response Headers:
   HTTP/1.1 403 Forbidden
   Date: Sat, 15 Feb 2014 02:16:05 GMT
   Content-Type: text/plain; charset=UTF-8
   Content-Length: 0
   Connection: close

我不完全知道如何着手。 Tomcat的过滤器，默认情况下，接受选项头访问资源。

I'm not entirely sure how to proceed. The Tomcat filter, by default, accepts the OPTIONS header to access the resource.

问题，我相信，我的资源（请求的URL）<一个href=\"http://dev.mydomain.com/joeV2/users/listUsers\">http://dev.mydomain.com/joeV2/users/listUsers被配置为只接受GET方法：

The problem, I believe, is that my resource (the request URL) http://dev.mydomain.com/joeV2/users/listUsers is configured to only accept GET methods:

@RequestMapping( method=RequestMethod.GET, value="listUsers", produces=MediaType.APPLICATION_JSON_VALUE)
@ResponseBody
public List<User> list(){
    return userService.findAllUsers();
}

这是否意味着我必须作出这样的方法/端点接受OPTIONS方法呢？如果是这样，这是否意味着我必须明确地使每一个REST端点接受OPTIONS方法？除了搞乱code，我很困惑，将如何连工作。从我了解的选项preflight是浏览器，以验证该浏览器应该能够访问指定的资源。我的理解意味着我控制器的方法甚至不应该在preflight期间调用。因此，指定选项为接受的方法是适得其反。

Does this mean that I must make that method/endpoint accept OPTIONS method as well? If so, does that mean I have to explicitly make every REST endpoint accept the OPTIONS method? Apart from cluttering code, I'm confused how that would even work. From what I understand the OPTIONS preflight is for the browser to validate that the browser should have access to the specified resource. Which I understand to mean that my controller method should not even be called during the preflight. So specifying OPTIONS as an accepted method would be counter-productive.

应该被Tomcat的响应OPTIONS请求的情况下直接甚至访问我的code？如果是这样，有东西在我的配置中缺少？

Should Tomcat be responding to the OPTIONS request directly without even accessing my code? If so, is there something missing in my configuration?

推荐答案

我坐了下来，并通过调试的 org.apache.catalina.filters.CorsFilter 找出原因请求正在被禁止。希望这可以帮助别人的未来。

I sat down and debugged through the org.apache.catalina.filters.CorsFilter to figure out why the request was being forbidden. Hopefully this can help someone out in the future.

按照 W3 CORS规范第6.2 preflight 的请求中，preflight必须拒绝该请求，如果提交的任何头不匹配所允许的头。

According to the W3 CORS Spec Section 6.2 Preflight Requests, the preflight must reject the request if any header submitted does not match the allowed headers.

对于CorsFilter的默认配置 CORS .allowed.headers （这是你的）不包括授权与该请求提交的头。

The default configuration for the CorsFilter cors.allowed.headers (as is yours) does not include the Authorization header that is submitted with the request.

我更新了 cors.allowed.headers 过滤器设置接受授权报头和preflight请求已经成功了。

I updated the cors.allowed.headers filter setting to accept the authorization header and the preflight request is now successful.

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
        <param-name>cors.allowed.headers</param-name>
        <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization</param-value>
    </init-param>     
</filter>

当然，我不知道为什么授权头并不完全是由CORS过滤允许的。

Of course, I'm not sure why the authorization header is not by default allowed by the CORS filter.

这篇关于困惑如何处理CORS OPTIONS preflight请求的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！