我想了解科尔是如何运作的。 如果我使用未在我的web.xml cors配置中配置的origin,则tomat cors过滤器将抛出403状态。有效的cors响应如下:
$ curl -H "Origin: http://test.de" -H "Access-Control-Request-Method: POST" -H "Access-Control-Request-Headers: X-Requested-With" -X OPTIONS --verbose http://localhost:8080/static
/
* Adding handle: conn: 0x20830d8
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x20830d8) send_pipe: 1, recv_pipe: 0
* About to connect() to localhost port 8080 (#0)
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> OPTIONS /static/ HTTP/1.1
> User-Agent: curl/7.30.0
> Host: localhost:8080
> Accept: */*
> Origin: http://test.de
> Access-Control-Request-Method: POST
> Access-Control-Request-Headers: X-Requested-With
>
< HTTP/1.1 200 OK
* Server Apache-Coyote/1.1 is not blacklisted
< Server: Apache-Coyote/1.1
< Access-Control-Allow-Origin: http://test.de
< Access-Control-Allow-Credentials: true
< Access-Control-Max-Age: 1800
< Access-Control-Allow-Methods: POST
< Access-Control-Allow-Headers: content-type,access-control-request-headers,access-control-request-method,accept,origin,x-requested-with
< Content-Length: 0
< Date: Fri, 27 Mar 2015 09:55:38 GMT
<
* Connection #0 to host localhost left intact
无效的cors响应如下:
$ curl -H "Origin: http://test2.de" -H "Access-Control-Request-Method: POST" -H "Access-Control-Request-Headers: X-Requested-With" -X OPTIONS --verbose http://localhost:8080/stati
c/
* Adding handle: conn: 0x8a30d8
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x8a30d8) send_pipe: 1, recv_pipe: 0
* About to connect() to localhost port 8080 (#0)
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> OPTIONS /static/ HTTP/1.1
> User-Agent: curl/7.30.0
> Host: localhost:8080
> Accept: */*
> Origin: http://test2.de
> Access-Control-Request-Method: POST
> Access-Control-Request-Headers: X-Requested-With
>
< HTTP/1.1 403 Forbidden
* Server Apache-Coyote/1.1 is not blacklisted
< Server: Apache-Coyote/1.1
< Content-Type: text/plain
< Content-Length: 0
< Date: Fri, 27 Mar 2015 10:04:09 GMT
<
* Connection #0 to host localhost left intact
至少,我有点困惑,tomcat cors过滤器只查看原始标头。如果我没有添加任何原始标题,则使用响应状态代码200处理请求,并获得整个内容。
换句话说,对于每个请求发送原点的浏览器来说,相同的原始策略只是一个问题吗?
啊,最后一个问题,预检请求是&#34;可选&#34;请求?如果我使用curl在没有预检请求的情况下发出cors请求,我也会得到200响应。正确的吗?
答案 0 :(得分:2)
我的第一步是官方Tomcat CORS Filter文档。在那里我注意到两件事:
org.apache.catalina.filters.CorsFilter 首先,我检查了Tomcat CORS Filter FlowChart并执行了很多CURL请求以找到“问题”的解决方案。没有进展。
其次,我检查了Tomcat CORS Filter类的源代码 - &gt; GrepCode.com: org.apache.catalina.filters.CorsFilter。在那里,我注意到HTTP POST请求以某种方式需要填充Content-Type HTTP标头。所以我只需将其设置为text/plain。然后,Tomcat服务器应用程序开始正确返回HTTP CORS标头,也用于HTTP 403(禁止访问)和HTTP 200(OK)返回状态。
示例:
$ curl -v -c c.txt -b c.txt -H "Origin: http://example.com" -H "Content-Type: text/plain" -X POST http://some-server.com:8080/trunk/rest/some/thingHTTP请求:
POST /trunk/rest/some/thing HTTP/1.1
User-Agent: curl/7.35.0
Host: some-server.com:8080
Accept: */*
Cookie: JSESSIONID=SOMEID
Origin: http://example.com
Content-Type: text/plainHTTP响应:
< HTTP/1.1 200 OK
* Server Apache-Coyote/1.1 is not blacklisted
< Server: Apache-Coyote/1.1
< Access-Control-Allow-Origin: http://example.com
< Access-Control-Allow-Credentials: true
< Access-Control-Expose-Headers: Set-Cookie,X-JSessionId
< Content-Length: 0
< Date: Wed, 22 Apr 2015 08:04:49 GMT据说org.apache.catalina.filters.CorsFilter类是根据W3C CORS规范实现的。也许这个问题的真正答案隐藏在那里。
希望这有助于某人...
答案 1 :(得分:0)
由于CORS用于启用跨源访问,因此浏览器(http客户端)必须通知服务器有关要访问服务的代码的来源,以便服务器可以决定服务器端的配置是否允许访问服务的起源。 Origin标头通知服务器它是CORS的请求;如果Origin头不存在,那么它被视为相同的原始访问,因此不添加CORS响应头并返回200响应。
对于未在web.xml中配置的所有Origin,将返回403响应;这是一种预期的行为。无法找到允许的来源列表。