Chrome Ajax Basic Auth - 再次提交相同的凭据

时间:2016-09-01 08:12:42

标签: jquery ajax google-chrome authentication

使用我们的webapp,

用户提供用户名/密码，用于通过基本身份验证(Basic Auth)以AJAX方式连接第三方Web服务。

如果因用户名/密码不正确导致第三方Web服务返回401，则会弹出身份验证对话框。

一切都很好。

用户然后输入正确的凭据并单击“确定”。

但Chrome不使用此正确的凭据,而是重新提交之前输入的旧错误凭据。

有没有人见过这个'错误'? chrome basic auth issue

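getLayersFromCapabilities: function() {
    // Fetches the WFS GetCapabilities document for the OGC URL typed into the
    // form and, when the response lists feature types, shows the layer
    // properties UI. The request carries an explicit Basic Authorization
    // header (see addBasicAuthHeadersIfNeeded), so a 401 from this call means
    // the username/password the app holds were rejected by the service.

    var baseOgcUrl = $('input#ogc-url').val();

    var capabilitiesUrl = this.api.Utilities.appendQueryStringQuestionMarkIfNeeded(baseOgcUrl);

    // Spinner is optional (the original guarded show() only); guard hide()
    // as well so a missing Spinner cannot throw inside the ajax callbacks.
    var hideSpinner = function() {
        Spinner && Spinner.hide();
    };

    Spinner && Spinner.show();

    var getCapabilitiesAjaxOptions = {
        url: capabilitiesUrl,
        dataType: 'xml',
        context: this,
        success: function(xmlDoc) {
            hideSpinner();
            var capabilities = capabilitiesFormat.read(new XMLSerializer().serializeToString(xmlDoc));

            if( capabilities && capabilities.featureTypeList && capabilities.featureTypeList.featureTypes ) {
                //----------------
                // WFS
                //----------------

                this.displayLayerProperties();
            } else {
                // Previously a silent no-op; make the empty result visible.
                console.log("GetCapabilities XML contains no WFS feature types.");
            }

        },
        error: function(jqXHR, textStatus, errorThrown) {
            hideSpinner();
            // Include the HTTP status so an auth failure (401) can be told
            // apart from a network/CORS failure (status 0) or a server error.
            // NOTE(review): because the Authorization header is set explicitly
            // on the request, credentials typed into the browser's own auth
            // dialog are unlikely to replace it on retry — on 401 the app
            // should ask the user for new credentials itself; confirm.
            console.log("Error retrieving GetCapabilities XML (status " + jqXHR.status + ", " + textStatus + "), make sure you are authenticated.");
        }
    };

    this.addBasicAuthHeadersIfNeeded(getCapabilitiesAjaxOptions);

    $.ajax(getCapabilitiesAjaxOptions);
},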


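addBasicAuthHeadersIfNeeded: function(wfsAjaxOptions) {
    // Attaches an HTTP Basic Authorization header, built from the stored OGC
    // username/password, to a jQuery ajax options object and enables
    // withCredentials so the cross-origin request also carries cookies.
    //
    // Despite the name, the header is always added (no "needed" check exists
    // in the original either). Unlike the original, which replaced the whole
    // headers and xhrFields objects, any headers or xhrFields the caller
    // already set are preserved.
    //
    // The credentials are only base64-encoded, not encrypted, so the target
    // must be https; the server must also list "authorization" in
    // Access-Control-Allow-Headers of its CORS preflight response or the
    // browser will not send the request.
    //
    // NOTE(review): btoa() throws for characters outside Latin-1, so a
    // username/password containing such characters would need UTF-8 encoding
    // first (RFC 7617 charset parameter) — confirm whether that can occur.
    var credentials = this.getOgcUsername() + ":" + this.getOgcPassword();

    var headers = wfsAjaxOptions.headers || {};
    headers["Authorization"] = "Basic " + btoa(credentials);
    wfsAjaxOptions.headers = headers;

    var xhrFields = wfsAjaxOptions.xhrFields || {};
    xhrFields.withCredentials = true;
    wfsAjaxOptions.xhrFields = xhrFields;

},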

请求/响应标头

    #1. AJAX Preflight  
OPTIONS https://thirdparty.com/WebApp/Web/SAAS/Api/WFS/v1/WfsServer?&version=1.1.0&request=GetCapabilities&service=wfs HTTP/1.1
Host: thirdparty.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Access-Control-Request-Method: GET
Origin: http://myserver.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Access-Control-Request-Headers: authorization
Accept: */*
Referer: http://myserver.com/app1/?project=Sample&touch=false&debug=debug
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8

#2. AJAX Preflight Response
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: authorization
Access-Control-Allow-Methods: GET,POST,PUT,PATCH,DELETE,OPTIONS
Access-Control-Allow-Origin: http://myserver.com
Allow: GET,DELETE,POST,PUT,OPTIONS
Cache-Control: private
Content-Encoding: gzip
Date: Thu, 01 Sep 2016 07:37:46 GMT
Server: Microsoft-IIS/8.5
Strict-Transport-Security: max-age=10886400
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 3.0
X-T1-Compressed-By-CompressFilter: gzip
X-UA-Compatible: IE=edge
Content-Length: 0
Connection: keep-alive


#3. AJAX auth request
GET https://thirdparty.com/WebApp/Web/SAAS/Api/WFS/v1/WfsServer?&version=1.1.0&request=GetCapabilities&service=wfs HTTP/1.1
Host: thirdparty.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Accept: application/xml, text/xml, */*; q=0.01
Origin: http://myserver.com
Authorization: Basic dXNlcjpwYXNz
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Referer: http://myserver.com/app1/?project=Sample&touch=false&debug=debug
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
Cookie: MaxScreenMode=false; Theme/T2/SAAS=NewYork; RequestingArea=WebServices


#4. AJAX auth response
HTTP/1.1 401 Unauthorized
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://myserver.com
Cache-Control: private
Date: Thu, 01 Sep 2016 07:37:47 GMT
Server: Microsoft-IIS/8.5
Set-Cookie: RequestingArea=WebServices; expires=Fri, 01-Sep-2017 07:37:47 GMT; path=/WebApp/Web/; secure; HttpOnly
Strict-Transport-Security: max-age=10886400
WWW-Authenticate: Basic
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 3.0
X-UA-Compatible: IE=edge
Content-Length: 0
Connection: keep-alive


#5. 2nd AJAX Auth request, user enters different credential in Browser Auth Dialog, but Chrome puts the old Basic Authorization Credential, again
GET https://thirdparty.com/WebApp/Web/SAAS/Api/WFS/v1/WfsServer?&version=1.1.0&request=GetCapabilities&service=wfs HTTP/1.1
Host: thirdparty.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Authorization: Basic dXNlcjpwYXNz
Accept: application/xml, text/xml, */*; q=0.01
Origin: http://myserver.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Referer: http://myserver.com/app1/?project=Sample&touch=false&debug=debug
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
Cookie: MaxScreenMode=false; Theme/T2/SAAS=NewYork; RequestingArea=WebServices


#6. 2nd AJAX auth response, unauthorized, because it was using the incorrect credential entered in step #3 above
HTTP/1.1 401 Unauthorized
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://myserver.com
Cache-Control: private
Date: Thu, 01 Sep 2016 07:37:59 GMT
Server: Microsoft-IIS/8.5
Set-Cookie: RequestingArea=WebServices; expires=Fri, 01-Sep-2017 07:38:00 GMT; path=/WebApp/Web/; secure; HttpOnly
Strict-Transport-Security: max-age=10886400
WWW-Authenticate: Basic
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 3.0
X-UA-Compatible: IE=edge
Content-Length: 0
Connection: keep-alive

0 个答案:

没有答案