问题:
我正在尝试通过跨域 ajax请求(CORS)加载受基本身份验证保护的页面(securePage.html)。
基本身份验证(自定义标头)+ CORS =预检OPTIONS-Request!
虽然凭证是根据实际请求提供的,但预检请求并不发送!
回复:401未经授权!
Snapshot of the 401 Unauthorized error
乐环境:
服务器:IIS 8.5托管我的securePage.html。这是我的web.config。
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="http://localhost:4444" />
<add name="Access-Control-Allow-Credentials" value="true" />
<add name="Access-Control-Allow-Methods" value="GET,POST" />
<add name="Access-Control-Allow-Headers" value="Origin, Content-Type, Accept, Authorization" />
</customHeaders>
</httpProtocol>
// **Authorization rules: only Bob is allowed to view the page, everyone is allowed to send an OPTIONS request.**
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" users="*" verbs="OPTIONS" />
<add accessType="Allow" users="Bob" />
</authorization>
</security>
</system.webServer>
</configuration>
从我的本地电脑(http://localhost:4444)发送ajax请求。
function load(){
$.ajax({
type: "GET",
cache: false,
url: "http://[MY_DOMAIN]/secureContent/securePage.html",
contentType: "text/plain; charset=UTF-8", /* Note: For cross-domain requests, setting the content type to anything other than application/x-www-form-urlencoded, multipart/form-data, or text/plain will trigger the browser to send a preflight OPTIONS request to the server.*/
xhrFields: {
withCredentials: true
},
headers:{
'Authorization': 'Basic ' + btoa('Bob:[MY_PASSWORD]') /*Setting custom headers to XHR triggers a preflight request*/
},
success: function(data){
console.log('success');
alert(data);
},
error: function(jqXhr, textStatus, errorThrown){
console.log('error');
alert(jqXhr.responseText);
},
});
}
问题:
显然授权规则没有做任何事情!为什么? 我试过了:
- setting a request filtering (allow OPTIONS);
- giving read access to OPTINOSVerbHanlder;
没有成功!
这个问题有解决办法吗?我在这里错过了什么吗?
Le Solution:
//TODO...