OPTIONS request authentication


Problem description

I am developing a web application. It is using Basic authentication. It must process OPTIONS requests. These are web browser preflight requests as well as feature-support requests from WebDAV clients.

As far as I understand, an OPTIONS request must be processed without requesting authentication (that is, my server should not respond with 401 Unauthorized); it must give a response such as the following:

OPTIONS https://localhost:44305/path/file.ext HTTP/1.1
Connection: Keep-Alive
User-Agent: some app
Host: localhost:44305

HTTP/1.1 200 OK
Content-Length: 0
DAV: 1, 2, 3
Date: Fri, 27 Dec 2013 17:10:21 GMT

My question is: Should I always provide the same response to an OPTIONS request, regardless of the URL, or should it depend on the URL?

For example, if the file.ext in the above example is not found, should I respond with '404 Not found' or with '200 OK'?

Recommended answer

From http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html


The OPTIONS method represents a request for information about the communication options available on the request/response chain identified by the Request-URI. This method allows the client to determine the options and/or requirements associated with a resource, or the capabilities of a server, without implying a resource action or initiating a resource retrieval.

So OPTIONS might be specific to the server or might be specific to a resource; it depends on your application. If you use cross-origin resource sharing (CORS, e.g. trying an XMLHttpRequest to another server), it will send an OPTIONS request to check if the server expects cross-origin requests for the specific resource before following with a POST request. So in this case OPTIONS should behave in a resource-specific way. For WebDAV, a server-specific OPTIONS might be enough because the client does it only to check the allowed methods (e.g. if WebDAV methods are supported).
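
Added example, not part of the original question or answer: a Python request handler for the behaviour discussed above, where OPTIONS is never answered with 401, a CORS preflight gets a resource-specific reply, a WebDAV probe gets a server-wide one, and every other method requires Basic authentication. The resource table, origin, account and function names are constructed for illustration, headers are assumed to arrive as a dict with canonical names, and answering an ungranted preflight with 204 instead of 404 is a choice made for this example.

```python
import base64
import hmac

# Constructed sample data: per-resource methods, one trusted origin, one account.
RESOURCES = {"/path/file.ext": {"GET", "PUT", "PROPFIND"}}
ALLOWED_ORIGINS = {"https://app.example"}
USERS = {"alice": "s3cret"}
DAV_METHODS = "OPTIONS, GET, PUT, DELETE, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK"


def basic_auth_ok(headers):
    """Validate an 'Authorization: Basic ...' header against USERS."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 credentials
        return False
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(password.encode(), expected.encode())


def handle(method, path, headers):
    """Return (status, response_headers) for one request."""
    if method == "OPTIONS":
        origin = headers.get("Origin")
        wanted = headers.get("Access-Control-Request-Method")
        if origin and wanted:
            # CORS preflight: browsers send it without credentials, so never 401.
            # Resource-specific: grant only what this path and origin allow.
            if origin in ALLOWED_ORIGINS and wanted in RESOURCES.get(path, ()):
                return 204, {
                    "Access-Control-Allow-Origin": origin,
                    "Access-Control-Allow-Methods": wanted,
                    "Access-Control-Allow-Headers": "Authorization",
                    "Vary": "Origin",
                }
            return 204, {"Vary": "Origin"}  # no grant: the browser blocks the request
        # WebDAV capability probe: server-wide answer, identical for every URL.
        return 200, {"DAV": "1, 2, 3", "Allow": DAV_METHODS, "Content-Length": "0"}
    if not basic_auth_ok(headers):
        return 401, {"WWW-Authenticate": 'Basic realm="app"'}
    allowed = RESOURCES.get(path)
    if allowed is None:
        return 404, {}
    if method not in allowed:
        return 405, {"Allow": ", ".join(sorted(allowed))}
    return 200, {}
```

Because the preflight reply differs by path, an unauthenticated caller can learn which paths exist and which methods they accept; return a uniform preflight reply if that matters for your application.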
