在Interceptor中设置JWT授权标头不起作用

时间:2016-08-02 13:32:52

标签: angularjs

这是我的拦截器。令牌看起来没问题,但当我在 Chrome 调试器中查看请求标头时,该标头仍然为空。

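/**
 * $http interceptor that attaches the bearer token kept in $localStorage to
 * every outgoing request and redirects to the login page when the server
 * answers 401.
 *
 * Note: a browser-issued CORS preflight (OPTIONS) is sent outside $http and
 * never passes through this interceptor, so it carries no Authorization
 * header; the server has to answer preflights without requiring one.
 *
 * @param {Object} $q            used to reject non-401 errors
 * @param {Object} $rootScope    receives preLoginUrl so login can return the user
 * @param {Object} $location     current path / redirect target
 * @param {Object} $localStorage authToken is read from here
 * @returns {Object} interceptor with request/response/responseError hooks
 */
function httpInterceptor($q, $rootScope, $location, $localStorage) {
    var LOGIN_PATH = '/login';

    // True when the current route already is the login page.
    function onLoginPage() {
        return $location.path().indexOf('login') !== -1;
    }

    return {
        'request': function(config) {
            if ($localStorage.authToken) {
                // Guard against a config without a headers object so the
                // assignment below cannot throw.
                config.headers = config.headers || {};
                config.headers.Authorization = 'Bearer ' + $localStorage.authToken;
            }
            console.debug('intercepting request to url: ' + config.url);
            return config;
        },
        'response': function(response) {
            console.debug('intercepting response');
            return response;
        },
        'responseError': function(response) {
            console.debug('intercepting response error');
            if (response.status === 401 && !onLoginPage()) {
                console.debug('authentification required redirecting to login page.');
                response.data = '';
                // Remember where the user was so the login flow can send them back.
                $rootScope.preLoginUrl = $location.path();
                $location.path(LOGIN_PATH);
                // Resolving with {} means the caller's success handler runs with
                // no data; kept as in the original, but callers cannot tell an
                // auth failure from an empty reply this way.
                return {};
            }
            console.debug(response.config.method + ' on ' + response.config.url + ' failed with status ' + response.status);
            return $q.reject(response);
        }
    };
}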

// Register the interceptor factory as a service on the application module.
// NOTE(review): registering the service alone does not activate it; it still
// has to be pushed onto $httpProvider.interceptors in a config block — confirm
// that is done elsewhere in the app.
var hopModule = angular.module('hop');
hopModule.service('httpInterceptor', httpInterceptor);

我想不出问题到底出在哪里……也许是我没看出来 :-)

enter image description here

1 个答案:

答案 0 :(得分:0)

好的,解决方案如下……

正如我在上一条评论中所写,原因在于浏览器处理此类请求的方式。在我的情况下,UI 应用程序与后端 REST 服务运行在不同的服务器/域上。每当 UI 通过 REST 请求资源时,浏览器都会隐式地先发出一个请求方法为 OPTIONS 的预检请求。对于不需要认证的端点,这不是问题。但只要端点要求设置认证标头来授权客户端请求,预检就会失败,因为浏览器生成的预检请求不在应用程序的控制范围内,不会带上该标头。要解决这个问题,只需在服务器端拦截 OPTIONS 类型的请求并直接向客户端返回“OK”。

在我的情况下,我是在启用 CORS 的同一个类中做的——只是增强了应用程序中的 servlet 过滤器:

  import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

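/**
 * Servlet filter that adds CORS response headers to every response and answers
 * CORS preflight ({@code OPTIONS}) requests directly, without passing them down
 * the filter chain.
 *
 * <p>Preflight requests are generated by the browser and never carry the
 * {@code Authorization} header, so they must be answered before any filter or
 * endpoint that requires authentication sees them; that is why this filter
 * short-circuits them with {@code 200 OK}.
 *
 * <p>The allowed origin defaults to the wildcard {@code *}, which lets any web
 * origin read responses from this API. Deployments that know their UI origin
 * should set the {@value #ALLOWED_ORIGIN_PARAM} filter init-param to that
 * origin instead (see {@link #init(FilterConfig)}).
 */
public class CORSFilter implements Filter {
    private static final String OPTIONS = "OPTIONS";

    /** Name of the optional filter init-param that overrides the allowed origin. */
    public static final String ALLOWED_ORIGIN_PARAM = "allowedOrigin";

    /** Value of {@code Access-Control-Allow-Origin} when no init-param is set. */
    public static final String DEFAULT_ALLOWED_ORIGIN = "*";

    /** Methods advertised in {@code Access-Control-Allow-Methods}. */
    public static final String VALID_METHODS = "DELETE, HEAD, GET, OPTIONS, POST, PUT";

    /**
     * Headers advertised in {@code Access-Control-Allow-Headers}. It must include
     * {@code Authorization}, otherwise the browser rejects the bearer-token request.
     */
    private static final String VALID_HEADERS = "Content-Type, Accept, X-Requested-With, Authorization";

    /** Seconds the browser may cache the preflight result ({@code Access-Control-Max-Age}). */
    private static final String MAX_AGE_SECONDS = "3600";

    /** Origin written to {@code Access-Control-Allow-Origin}; assigned in {@link #init}. */
    private String allowedOrigin = DEFAULT_ALLOWED_ORIGIN;

    /**
     * Reads the optional {@value #ALLOWED_ORIGIN_PARAM} init-param. When absent or
     * blank the wildcard default is kept, so existing deployments behave as before.
     *
     * @param config the container-supplied filter configuration
     * @throws ServletException never thrown here; declared by the {@link Filter} contract
     */
    @Override
    public void init(FilterConfig config) throws ServletException {
        if (config != null) {
            String configured = config.getInitParameter(ALLOWED_ORIGIN_PARAM);
            if (configured != null && !configured.trim().isEmpty()) {
                allowedOrigin = configured.trim();
            }
        }
    }

    /**
     * Sets the CORS headers on the response and either answers a preflight
     * directly or continues the chain.
     *
     * @param request  the incoming request (expected to be an {@link HttpServletRequest})
     * @param response the outgoing response (expected to be an {@link HttpServletResponse})
     * @param chain    the remaining filter chain
     * @throws ServletException propagated from the chain
     * @throws IOException      propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        httpResponse.setHeader("Access-Control-Allow-Origin", allowedOrigin);
        httpResponse.setHeader("Access-Control-Allow-Methods", VALID_METHODS);
        httpResponse.setHeader("Access-Control-Allow-Headers", VALID_HEADERS);
        httpResponse.setHeader("Access-Control-Max-Age", MAX_AGE_SECONDS);

        if (OPTIONS.equals(httpRequest.getMethod())) {
            // Preflight: reply 200 with the CORS headers only. The rest of the
            // chain is skipped because a preflight carries no credentials and
            // would otherwise be rejected by authentication.
            httpResponse.setStatus(HttpServletResponse.SC_OK);
        } else {
            chain.doFilter(request, response);
        }
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

}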