The server in use is Apache, configured for basic authentication:

```apache
<LocationMatch "^/login/(.*)$">
    AllowMethods POST OPTIONS
    <LimitExcept OPTIONS>
        Require valid-user
        Header always set Access-Control-Allow-Origin "*"
        Header always set Access-Control-Allow-Headers "authorization,content-type"
        # The CORS header name is plural: Access-Control-Allow-Methods
        Header always set Access-Control-Allow-Methods "POST,OPTIONS"
    </LimitExcept>
    AuthType basic
    AuthName "Authentication Required"
    AuthBasicProvider file
    AuthUserFile "/etc/sec/.secret-file"
    LogLevel debug
    # Applies to every method, OPTIONS included, so the credential-less
    # preflight request is challenged with 401 as well
    Require valid-user
    ErrorDocument 401 "Authorization Failure"
    RequestHeader set X-Authenticated-User %{REMOTE_USER}s
    ProxyPass "http://127.0.0.1:8080/$1"
</LocationMatch>
```
The Angular 2 code is as follows -

```typescript
import { Http, Headers, RequestOptions, Response } from '@angular/http';
import { Observable } from 'rxjs/Observable';
import 'rxjs/add/observable/throw';
import 'rxjs/add/operator/timeoutWith';
import 'rxjs/add/operator/map';
import 'rxjs/add/operator/catch';
// Service method; this.headers is a Headers instance, this._http the injected Http
public login = (resrc: string, item: any): Observable<any> => {
    this.headers.append('Authorization', 'Basic ' + btoa(item['userName'] + ':' + item['password']));
    // withCredentials: true puts the request into credentials mode "include"
    let options = new RequestOptions({ headers: this.headers, withCredentials: true });
    return this._http.post(this.serverUrl + "login/" + this.apiUrl + resrc, {}, options)
        .timeoutWith(5000, Observable.throw(new Error('Request timed out.')))
        .map((response: Response) => { return response; })
        .catch(this.handleError);
}
```
Request header PDU -

```http
OPTIONS /login/api/system/sessions/ HTTP/1.1
Host: domain
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: http://localhost:3010
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Access-Control-Request-Headers: authorization,content-type
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
```
Response header PDU -

```http
HTTP/1.1 401 Unauthorized
Date: Mon, 08 Jan 2018 14:00:48 GMT
Server: Apache
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: authorization,content-type
Access-Control-Allow-Method: POST,OPTIONS
WWW-Authenticate: Basic realm="Authentication Required"
Content-Length: 21
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
```
I am getting a 401 (Unauthorized) error with the following details -

```text
zone.js:1981 OPTIONS https://domain/login/api/system/sessions/ 401 (Unauthorized)
:3010/#/login:1 Failed to load https://domain/login/api/system/sessions/: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://localhost:3010' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
```
Can anyone help me solve this problem?
Answer 0 (score: 2)
The comment from @vipul-goyal on the post is almost certainly the correct answer - your server is checking for a valid Authorization request header on the OPTIONS preflight request.

The simplest solution is to bypass the authorization check for OPTIONS requests. This really isn't a security hole, especially if you only do this bypass for preflight OPTIONS requests (by checking for the presence of the … request headers and method==OPTIONS). For any other OPTIONS request, proceed with the authorization check.
Answer 1 (score: 0)

In this case, bypassing OPTIONS from authentication helped. I used -

```apache
<Limit OPTIONS>
    Require all granted
</Limit>
```
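Both answers drop the authorization check for OPTIONS, but the browser error quoted in the question points at a second problem: a wildcard Access-Control-Allow-Origin is rejected whenever the client sends withCredentials: true. The configuration below is an added example, not the question's or either answer's config. It limits the bypass to genuine preflights (the OPTIONS method together with an Access-Control-Request-Method header, which is what Answer 0 describes), answers them in Apache with an empty 204 instead of proxying them to the backend, and echoes an allow-listed origin with Access-Control-Allow-Credentials instead of "*". It assumes Apache 2.4 with mod_authz_core, mod_allowmethods, mod_headers, mod_setenvif, mod_rewrite and mod_proxy loaded; the environment variable name CORS_ORIGIN is my own choice, and the allowed origin http://localhost:3010 is taken from the question's request as a placeholder for the origins a real deployment serves.

```apache
# Added example; assumes Apache 2.4 with mod_authz_core, mod_allowmethods,
# mod_headers, mod_setenvif, mod_rewrite and mod_proxy. Paths and the origin
# allow-list come from the question and are placeholders for a real deployment.
<LocationMatch "^/login/(.*)$">
    AllowMethods POST OPTIONS
    AuthType basic
    AuthName "Authentication Required"
    AuthBasicProvider file
    AuthUserFile "/etc/sec/.secret-file"

    # Grant either a valid user, or a CORS preflight: the OPTIONS method plus
    # the Access-Control-Request-Method header the browser always adds to one.
    # A plain OPTIONS probe without that header is still challenged for auth.
    <RequireAny>
        Require valid-user
        <RequireAll>
            Require method OPTIONS
            Require expr "-n %{HTTP:Access-Control-Request-Method}"
        </RequireAll>
    </RequireAny>

    # Answer preflights in Apache with an empty 204 and stop; they are never
    # forwarded to the backend, which would see them without any credentials.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^OPTIONS$
    RewriteCond %{HTTP:Access-Control-Request-Method} .
    RewriteRule ^ - [R=204,L]

    # Credentialed requests (withCredentials: true) cannot use "*": echo the
    # Origin only when it matches the allow-list, and mark the response as
    # varying by Origin so a shared cache cannot replay one origin's headers
    # to another. CORS_ORIGIN is a hypothetical environment variable name.
    SetEnvIf Origin "^(http://localhost:3010)$" CORS_ORIGIN=$1
    Header always set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN
    Header always set Access-Control-Allow-Credentials "true" env=CORS_ORIGIN
    Header always set Access-Control-Allow-Methods "POST,OPTIONS" env=CORS_ORIGIN
    Header always set Access-Control-Allow-Headers "authorization,content-type" env=CORS_ORIGIN
    Header always set Access-Control-Max-Age "600" env=CORS_ORIGIN
    Header always merge Vary "Origin"

    # Identity for the backend: "set" overwrites any client-supplied copy of the
    # header, and the backend listens on loopback, so only Apache can populate it.
    RequestHeader set X-Authenticated-User "%{REMOTE_USER}s"
    ProxyPass "http://127.0.0.1:8080/$1"
</LocationMatch>
```

With this in place the preflight from the question returns 204 with `Access-Control-Allow-Origin: http://localhost:3010` and `Access-Control-Allow-Credentials: true`, and the actual POST that follows is the only request that has to carry a valid Basic Authorization header. A request from an origin that is not on the allow-list gets no CORS headers at all, which the browser treats as a refusal.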