为凭证支持的tomcat应用程序启用CORS [英] Enable CORS for tomcat applications with credentials support

问题描述

我有一个简单的GWT应用程序从我的服务器上的IIS运行。我试图测试HTTP请求到运行在同一服务器上的tomcat。但是，由于两个应用程序服务器都在不同的端口上运行，我的浏览器（chrome和firefox）会将请求视为CORS请求。

I have a simple GWT application running from IIS on my server. I am trying to test HTTP requests to tomcat running on the same server. However, since both the application servers are running on different ports, my browser (chrome and firefox) treats the requests as a CORS request.

启用tomcat接受CORS请求，我将其更新到Tomcat 7.0.52并在全局web.xml配置中启用了CORS过滤器。我测试了这个简单的设置，它似乎工作。这是GWT中的代码：

To enable tomcat to accept CORS request, I updated it to Tomcat 7.0.52 and enabled the CORS filter in the global web.xml configuration. I tested this simple setup and it seems to work. Here is the code in GWT:

        String url = "http://bavarians:8080/";
        RequestBuilder rb = new RequestBuilder(RequestBuilder.GET, url);
        box.setText(url);
        try
        {
            rb.sendRequest("", new RequestCallback(){

                @Override
                public void onResponseReceived(Request request, Response response)
                {
                    Window.alert(response.getStatusCode() + response.getStatusText());
                }

                @Override
                public void onError(Request request, Throwable exception)
                {
                    Window.alert("Request failed");

                }});
        }
        catch (RequestException e)
        {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }

这是与其相关联的CORS过滤器：

Here is the CORS filter associated with it:

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>http://bavarians</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers, Authorization</param-value>
  </init-param>
  <init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials, Authorization</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>cors.preflight.maxage</param-name>
    <param-value>10</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

使用此设置，我从tomcat获得200 OK响应。所以它安全地假设CORS过滤器是工作。为了支持这一点，我采取了一个提琴的痕迹，一切看起来不错。

With this setup, I get a 200 OK response from tomcat. So its safe to assume that CORS filter is working. To back this up, I took a fiddler trace and all looked good.

现在，由于我想访问tomcat（solr）的一个应用程序，我需要使用我的CORS请求的基本身份验证。这将预检请求带入图片。因为我设置我的CORS过滤器以启用凭证使用，我不需要任何更改。因此，我对我的代码进行了以下更改。

Now, since I want to access one of the apps of tomcat(solr), I need basic authentication with my CORS request. This brings a preflight request into picture. Since I setup my CORS filter to enable credential use, I didn't need any changes to it. So, I made the following change to my code

        String url = "http://bavarians:8080/solr/select?wt=xml&q=tag_name:abcd&username=domain\\userid";
        RequestBuilder rb = new RequestBuilder(RequestBuilder.GET, url);
        box.setText(url);
        rb.setHeader("Authorization", "Basic YWRtaW46YWRtaW4=");
        rb.setIncludeCredentials(true);

现在，当我尝试使用这个代码时，它会进入 onResponseReceived 代码块，并给出带有0值的警报框。当我拿到一个提琴的痕迹，我得到这个：

Now, when I try to use this code, it gets inside the onResponseReceived code block and gives an alert box with "0" value. When I took a fiddler trace, I get this:

自从我向请求添加自定义头之后，浏览器发送预检请求是有意义的。但我不明白为什么tomcat回应401代码，尽管添加授权头到其CORS过滤器配置。

It makes sense for the browser to send a preflight request since I am adding the custom header to the request. But I don't understand why tomcat responds with a 401 code despite adding the authorization header to its CORS filter configuration.

我会感谢任何帮助或响应

I'd appreciate any help or response

EDIT：我注意到的另一件事 - 如果我的网址只是bavarians：8080 / solr /; tomcat成功授权预检请求，并将立即下一个请求作为具有200 OK响应的普通GET请求处理。但是如果我输入函数名和查询URL，我再次获得401。从浏览器访问上述URL需要基本身份验证。因此 CORSFilter 一直有效

One more thing that I have noticed- if my URL is just "bavarians:8080/solr/";, tomcat successfully authorizes the preflighted request and the immediate next request is processed as a normal GET request with a 200 OK response. But if I enter the function name and query with the URL, I get 401 again. Accessing the above URL from browser requires Basic Authentication. So CORSFilter does work until some point

推荐答案

凭据不会在预检请求中发送，所以你必须配置Tomcat让请求到达 CorsFilter ，即使未经身份验证。也就是说，您必须使用< http-method> OPTIONS< / http-method> < security-constraint> c $ c>且不包含< auth-constraint> 。

Credentials won't be sent in the preflight request, so you have to configure Tomcat to let the request reach the CorsFilter even when unauthenticated. That is, you have to declare a <security-constraint> with <http-method>OPTIONS</http-method> and no <auth-constraint>.

这篇关于为凭证支持的tomcat应用程序启用CORS的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！