CORS 在使用 OWIN 身份验证的 web api 中不起作用 [英] CORS is not working in web api with OWIN authentication
问题描述
在我的应用程序中,我使用带有 CORS 支持的基于令牌的身份验证的 web api,但是当客户端请求令牌时,由于 CORS(跨源请求被阻止:同源策略不允许读取远程资源)而发生错误(我的站点名称).这可以通过将资源移动到同一个域或启用 CORS 来解决.)
In my application i am using web api with token based authentication with CORS support, but when client request for the token, an error occured due to CORS (Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at (my site name) . This can be fixed by moving the resource to the same domain or enabling CORS.)
我已经配置了 CORS 支持所需的一切(我认为是这样).这是我的配置
I had configured everything required for CORS support ( i think so). here my configuration
Owin 创业班
public class Startup
{
public void Configuration(IAppBuilder app)
{
var config = new HttpConfiguration
{
DependencyResolver = new StructureMapWebApiDependencyResolver(container)
};
WebApiConfig.Register(config); // registering web api configuration
app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll); // cors for owin token pipeline
app.UseWebApi(config);
ConfigureOAuth(app);
}
public void ConfigureOAuth(IAppBuilder app)
{
var oAuthAuthorizationServerOptions = new OAuthAuthorizationServerOptions()
{
AllowInsecureHttp = true,
TokenEndpointPath = new PathString("/token"),
AccessTokenExpireTimeSpan = TimeSpan.FromDays(1),
Provider = new SimpleAuthorizationServerProvider()
};
// Token Generation
app.UseOAuthAuthorizationServer(oAuthAuthorizationServerOptions);
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
}
}
还有我的 webapi 配置
And my webapi configuration
public static class WebApiConfig
{
public static void Register(HttpConfiguration config)
{
config.EnableCors(); // Corse support for Web api
config.MapHttpAttributeRoutes(); // attribute based urls
config.Routes.MapHttpRoute(
name: "DefaultApi",
routeTemplate: "api/{controller}/{id}",
defaults: new { id = RouteParameter.Optional }
);
}
}
这里在web.config中配置
here configuration in web.config
<system.webserver>
<httpProtocol>
<customHeaders>
<!-- Adding the following custom HttpHeader will help prevent CORS from stopping the Request-->
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Methods" value="GET, POST, OPTIONS, PUT, DELETE" />
</customHeaders>
</httpProtocol>
</system.webserver>
和我来自 mozilla 的请求头
and my request header from mozilla
Accept application/json, text/plain, */*
Accept-Encoding gzip, deflate
Accept-Language en-US,en;q=0.5
Content-Length 67
Content-Type application/x-www-form-urlencoded; charset=UTF-8
Host talenterp
Origin http://192.168.1.11:85
Referer http://192.168.1.11:85/
User-Agent Mozilla/5.0 (Windows NT 6.3; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
应用的网址是
服务器应用(应该支持 CORS)
Server app (which should support CORS)
{http://talenterp}
令牌终点:
{http://talenterp/token}
客户端应用
{http://talentmvc:85}
注意:我已经添加了
context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
在我的 AuthorizationServerProvider 的 GrantResourceOwnerCredentials() 方法中
in GrantResourceOwnerCredentials() method of my AuthorizationServerProvider
推荐答案
确保你只有
app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
已配置,并且不是还有 Global.asax 或 WebApiConfig 中的旧样式config.EnableCors()".此外:将上述语句作为您自己的 Startup 类中的第一个.是的,这确实有影响,稍后设置也会导致 cors 无法工作.
configured, and not also the old style 'config.EnableCors()' in your Global.asax or WebApiConfig. Furthermore: place the above statement as the first one in your owin Startup class. Yes that really makes a difference, setting it later can also cause cors to not work.
public partial class Startup
{
public void Configuration(IAppBuilder app)
{
app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
... etc
这篇关于CORS 在使用 OWIN 身份验证的 web api 中不起作用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!