对于&QUOT绕过认证;选项要求" (所以所有标题都在响应发送) [英] Bypassing authentication for "Options request" (so all headers are sent in the response)

查看:207
本文介绍了对于&QUOT绕过认证;选项要求" (所以所有标题都在响应发送)的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

这是在跨来源资源共享的环境。对于preflight请求,服务器不发送设置的标头。
当一个有效的cookie不与选项请求获得通过,其中的服务器不发送我设置,但是,它在发送200 OK标题的回应。我用卷曲检查这是可以看到下面(很明显,我代替我有效的cookie与虚拟xyzabcde在这里)

This is in the context of Cross-origin resource sharing. For the preflight request, the server is not sending the headers set. When a valid cookie is not passed with the "Options request", the server in it's response is not sending the headers I set, however, it's sending "200 OK". I checked this with curl as can be seen below (obviously, I replaced my valid cookie with a dummy "xyzabcde" here)

卷曲请求而不饼干:

curl -H "Origin: app2_url"   -H "Access-Control-Request-Method: POST"   -H "Access-Control-Request-Headers: accept, origin, content-type"   -X OPTIONS --verbose   app1_url/jsonrpc.cgi

(以下发送的响应...)

(sends below response...)

HTTP/1.1 200 OK
Date: Tue, 01 Oct 2013 11:37:36 GMT
Server: Apache
Expires: Tue, 01 Oct 2013 11:37:36 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Expires: Tue, 01 Oct 2013 11:37:36 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 4531
Content-Type: text/html; charset=utf-8

与-H曲奇:xyzabcde

with "-H Cookie:xyzabcde": 

curl -H "Origin: app2_url"   -H "Access-Control-Request-Method: POST"   -H "Access-Control-Request-Headers: accept, origin, content-type" "-H Cookie:xyzabcde"  -X OPTIONS --verbose   app1_url/jsonrpc.cgi

(以下发送的响应...)

(sends below response...)

HTTP/1.1 403 Forbidden
Date: Wed, 02 Oct 2013 18:48:34 GMT
Server: Apache
X-frame-options: ALLOW-FROM app2_url
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: accept, origin, content-type, Man, Messagetype, Soapaction, X-Requested-With
Access-Control-Allow-Methods: GET, POST, HEAD, PUT, OPTIONS
Access-Control-Allow-Origin: app2_url
Access-Control-Max-Age: 1800
Transfer-Encoding: chunked
Content-Type: application/json; charset=UTF-8

Apache的配置看起来像...

The apache config looks something like...

<VirtualHost *:443>
.
.
Header always set X-Frame-Options "ALLOW-FROM app2_url"
Header  always set  Access-Control-Allow-Credentials "true"
Header  always set  Access-Control-Allow-Headers    "accept, origin, content-type, Man, Messagetype, Soapaction, X-Requested-With"
Header  always set  Access-Control-Allow-Methods    "GET, POST, HEAD, PUT, OPTIONS"
Header  always set  Access-Control-Allow-Origin    "app2_url"
Header  always set  Access-Control-Max-Age  "1800"
.
.
.
<Directory /app1/dir/>      
    Options Includes FollowSymLinks ExecCGI MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
    AuthType Net
    PubcookieInactiveExpire -1
    PubcookieAppID app1.company.com
    require valid-user
</Directory>
.
.
</VirtualHost>

我怎样才能让所有的头回应未认证的请求被发送?
我想,选择理想的请求都应该不需要任何认证。

How can I make all the headers be sent in response to unauthenticated requests? I guess, Options requests ideally are supposed to not require any authentication.

推荐答案

LimitExcept中指令解决它。事实上,之前张贴问题我试过的指令,但是前面的错误是,包括前两行(选项包括...和Alowoverride ...)中的LimitExcept中块中。

"LimitExcept" directive solved it. In fact, prior to posting the question I tried the directive, however the mistake earlier was including the first two lines ("Options Includes..." and "Alowoverride...") within the "LimitExcept" block.

<Directory /app1/dir/>      
  Options Includes FollowSymLinks ExecCGI MultiViews
  AllowOverride None
  <LimitExcept OPTIONS>
    Order allow,deny
    allow from all
    AuthType Net
    PubcookieInactiveExpire -1
    PubcookieAppID app1.company.com
    require valid-user
  <LimitExcept>
</Directory>

这篇关于对于&QUOT绕过认证;选项要求&QUOT; (所以所有标题都在响应发送)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
服务器开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆