当在不同的域(CORS)时SockJS不传递凭据信息 [英] SockJS not passing credential information when on a different domain(CORS)

查看:1827
本文介绍了当在不同的域(CORS)时SockJS不传递凭据信息的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我们有一个使用spring 4的websocket服务器端实现。它已配置为对auth / authz使用spring安全性。在客户端,我们使用sockJS,当客户端与服务器在同一个域中时,它工作得很好。



调用websocket是这样的...



socket = new SockJS( http:// guest: guest@mydomain.org/MyWebSocketApp/tracker



最后调用 http:// guest:guest@myinterestingdomain.org/MyWebSocketApp/tracker/info 来决定要使用的传输。所有这些都是好的。



但是,当使用来自不同域的客户端时,我看到凭据被剥离。因此,当此客户端位于不同的域时,我看到正在进行的调用是:
http ://myinterestingdomain.com/MyWebSocketApp/tracker/info 。我看不到凭据通过。由于这个,我得到一个401错误(未授权的)用户。我们在服务器端具有CORS配置,并且还具有:



访问控制允许凭证真


有人可以帮助我吗?我不在选项,我不明白为什么凭据被剥离? >解决方案

即使 XmlHttpRequest.withCredentials = true (由SockJS客户端执行)和 Access-Control- Credentials = true ,您无法在跨网域请求的网址中传递用户名和密码。



为了使用基本身份验证需要创建自己 Authorization 头,但似乎SockJS客户端不允许这个目前。有一个问题要求这样的支持,我已经添加了新的评论,说明我们需要基本验证支持。



由于授权标题不是简单标题 ,则将在实际请求之前发送 CORS预检请求。但Spring Framework目前在默认情况下不发送OPTIONS请求,因此即使在客户端设置了授权头,您也需要在Spring Framework中启用OPTIONS请求分派。



使用 web.xml

 < servlet> 
< servlet-name> dispatcherServlet< / servlet-name>
< servlet-class> org.springframework.web.servlet.DispatcherServlet< / servlet-class>
< init-param>
< param-name> dispatchOptionsRequest< / param-name>
< param-value> true< / param-value>
< / init-param>
< load-on-startup> 1< / load-on-startup>



3没有 web.xml ,将此添加到扩展 AbstractAnnotationConfigDispatcherServletInitializer 的类中:

  @Override 
protected void customizeRegistration(动态注册){
registration.setInitParameter(dispatchOptionsRequest,true);
}


We have a websocket server side implementation using spring 4. It has been configured to use spring security for auth/authz. On the client side, we use sockJS which works perfectly when the client is in the same domain as the server.

Call to websocket is made this way…

socket = new SockJS("http://guest:guest@mydomain.org/MyWebSocketApp/tracker")

This eventually makes a call to http://guest:guest@myinterestingdomain.org/MyWebSocketApp/tracker/info to decide the transport to use. All this is good.

However, when using client from a different domain, I see that the credentials get stripped out. So, when this client is on a different domain, I see that the call being made is: http://myinterestingdomain.com/MyWebSocketApp/tracker/info. I do not see the credentials being passed. Due to this, I get a 401 error (unauthorized) user. We have the CORS configuration on the server side and also have:

Access-Control-Allow-Credentials "true"

Can someone please help me? I am out of options and I don’t understand why the credentials are getting stripped out? Could this be related to CORS?

解决方案

Even if XmlHttpRequest.withCredentials=true (done by the SockJS client) and Access-Control-Allow-Credentials=true, you can't pass username and password in the URL for cross domain requests.

In order to use basic authentication, you need to create yourself the Authorization header, but it seems SockJS client does not allow this currently. There is an issue asking for such support, I have added a new comment explaining we need this for Basic Authentication support.

Since Authorization header is not a simple header, a CORS preflight request will be sent before the actual request. But Spring Framework currently does not dispatch OPTIONS requests by default, so even with the Authorization header set on client side, you will also need to enable OPTIONS requests dispatching in Spring Framework.

With web.xml:

<servlet>
<servlet-name>dispatcherServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
  <param-name>dispatchOptionsRequest</param-name>
  <param-value>true</param-value>
</init-param>
<load-on-startup>1</load-on-startup>

Or if you are using Servlet 3 without web.xml, add this to your class that extends AbstractAnnotationConfigDispatcherServletInitializer:

@Override
protected void customizeRegistration(Dynamic registration) {
    registration.setInitParameter("dispatchOptionsRequest", "true");
}

这篇关于当在不同的域(CORS)时SockJS不传递凭据信息的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆