我如何配置tomcat不对CORS OPTIONS请求执行身份验证或授权 [英] how do i configure tomcat NOT to perform authentication or authorization on CORS OPTIONS requests
问题描述
我正在尝试向Tomcat托管的Web应用程序发出CORS请求(详细信息如下).
I am attempting to make a CORS request to a Tomcat-hosted web-app (details below).
我已经设置了CORS标头(在Apache httpd.conf中),并且似乎可以正常工作,但是Chrome(正确地没有auth标头)生成的(我认为)飞行前OPTIONS请求失败了,错误401.
I have set up the CORS header stuff (in Apache httpd.conf) and it appears to be working, but the pre-flight OPTIONS request generated (I assume) by Chrome, which rightfully has no auth header, is failing with error 401.
我认为我需要说服Apache或Tomcat不要对OPTIONS请求进行任何身份验证,而要用200来完成该请求.
I think I need to convince Apache or Tomcat not to do any auth for the OPTIONS request, but rather, to complete it with 200.
1)我在叫正确的树吗?
2)是否应该在Tomcat(web.xml)中放置一个CORS过滤器,而不是在Apache(httpd.conf)中放置一组标头集?
3)我找不到如何配置Apache来做到这一点-任何指针?我发现的最接近的提示是@Thomas Broyer,去年四月回复因此,为具有凭据支持的tomcat应用程序启用CORS :
1) am I barking up the right tree?
2) Should I put a CORS filter in Tomcat (web.xml) instead of a set of Header Sets in Apache (httpd.conf)?
3) I can't find how to config apache to do that - any pointers? Closest hint I've found is @Thomas Broyer in April last year responding to Enable CORS for tomcat applications with credentials support thus:
you have to declare a <security-constraint> with <http-method>OPTIONS</http-method> and no <auth-constraint>."
任何帮助将不胜感激!我花了好几天试图解决这个问题...
Any help is greatly appreciated! I'm into multiple days trying to solve this...
==================
===================
当前比赛状态:
请求:
Remote Address:54.245.121.9:80
Request URL:http://ec2-54-245-121-9.us-west-2.compute.amazonaws.com/v1/plant
Request Method:OPTIONS
Status Code:401 Unauthorized
Request Headersview parsed
OPTIONS /v1/plant HTTP/1.1
Host: ec2-54-245-121-9.us-west-2.compute.amazonaws.com
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: http://ec2-54-245-121-9.us-west-2.compute.amazonaws.com:8084
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Access-Control-Request-Headers: accept, authorization, content-type
Accept: */*
Referer: http://ec2-54-245-121-9.us-west-2.compute.amazonaws.com:8084/add
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,de;q=0.6
响应:
Headersview parsed
HTTP/1.1 401 Unauthorized
Date: Thu, 29 Jan 2015 23:00:34 GMT
Server: Apache-Coyote/1.1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
WWW-Authenticate: Basic realm="Realm"
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 1104
Access-Control-Allow-Origin: http://ec2-54-245-121-9.us-west-2.compute.amazonaws.com:8084
Vary: Origin
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: origin, accept, authorization, content-type, x-requested-with
Access-Control-Allow-Credentials: true
Connection: close
=============================
==============================
有关我的应用的更多信息:
More about my app:
我有一个运行在:8084上的node.js服务器的MEAN网络应用.
I have a MEAN web-app with the node.js server running on :8084.
有一个现有的Tomcat/Java Web应用程序,其REST API运行在:80上(由Apache前端)...
There is an existing Tomcat/Java web-app with a REST API running on :80 (front-ended by Apache)...
客户端(在我的测试中为Chrome)中基于Angular.js的js代码正在调用REST API.
The Angular.js-based js code in the client (in Chrome in my testing) is calling the REST API.
因为端口8084!=端口80,这是CORS请求.
Because port 8084 != port 80, it's a CORS request.
推荐答案
Maybe this answer can help. In short:
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<!-- no auth-constraint here -->
</security-constraint>
这篇关于我如何配置tomcat不对CORS OPTIONS请求执行身份验证或授权的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
