使用相同的配置时,将为一个域设置CORS标头,而不为另一个域设置

时间:2019-01-04 14:58:33

标签: angular spring spring-boot cors apache2

我的www域中的任何请求都没有设置CORS'Access-Control-Allow- *'标头,但是对于具有相同配置的beta域,它可以正常工作。

我有一个在Apache2上托管的Angular 7前端,与在Apache Tomcat上托管的Java Spring后端进行了交谈。我还使用了Cloudflare CDN,但目前暂时不使用该缓存。

版本:

@angular/http@~7.1.0
rxjs@~6.3.3
spring-boot-starter-parent@2.0.4.RELEASE
Tomcat 8.5.14

出于登台的目的,我在Apache2服务器上运行了两个域:https://beta.example.comhttps://www.example.com。这两个都有相同的虚拟主机配置(显然,除了DocumentRoot / Directory之外),并且包含以下代码块:-

<IfModule mod_headers.c>

  Header unset Access-Control-Allow-Origin
  Header unset Access-Control-Allow-Headers
  Header unset Access-Control-Allow-Methods

  Header always set Access-Control-Allow-Origin "https://beta.server.com"
  Header always append Access-Control-Allow-Origin "https://www.server.com"
  Header always set Access-Control-Allow-Headers "Authorization,Content-Type,Origin"
  Header always set Access-Control-Allow-Methods "POST,GET,PUT,DELETE"
</IfModule>

RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]

在Java Spring应用程序中,我具有以下配置文件:

@Configuration
@EnableWebMvc
public class WebConfig implements WebMvcConfigurer {

  @Override
  public void addCorsMappings(CorsRegistry registry) {

    registry.addMapping("/**")
      .allowedOrigins("https://www.server.com", "https://beta.server.com")
      .allowedMethods("POST", "GET", "PUT", "DELETE")
      .allowedHeaders("Authorization", "Content-Type", "Origin");

  }

}

如您所见,在我指定了原点的任何地方,我都同时指定了两个原点,因此它们的行为应相同。

最后,我像这样从Angular进行HTTP调用:

this.headers = new HttpHeaders({
  'Authorization': 'Bearer ' + this.getAccessToken(),
  'Content-Type': 'application/json'
});

getUser(): Promise<any> {
  return this.http.get(this.apiUrl + '/user', { headers: this.headers }).toPromise();
}

当我访问https://beta.example.com时,所有预检请求都会成功,并且所有内容都会正常加载。所有CORS标头都显示在预检响应中,因为它们是在虚拟主机配置中设置的。一切都很棒!

HTTP/2.0 200 OK
date: Fri, 04 Jan 2019 14:52:40 GMT
set-cookie: __cfduid=d5fcc5cd672befaae80920288ee1527fc1546613559; expires=Sat, 04-Jan-20 14:52:39 GMT; path=/; domain=.server.com; HttpOnly
vary: Origin
vary: Access-Control-Request-Method
vary: Access-Control-Request-Headers
access-control-allow-origin: https://beta.server.com
access-control-allow-methods: POST,GET,PUT,DELETE
access-control-allow-headers: authorization, content-type
access-control-max-age: 1800
allow: GET, HEAD, POST, PUT, DELETE, OPTIONS, PATCH
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 493e87bdb89dc2d3-FRA
X-Firefox-Spdy: h2

但是,在https://www.example.com上,OPTIONS返回了200 OK,但是在Web控制台中输出了以下错误:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://www.myserver.com:8443/api/v2/user. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://www.myserver.com:8443/api/v2/user. (Reason: CORS request did not succeed).

以下是Response标头:

HTTP/2.0 200 OK
date: Fri, 04 Jan 2019 14:54:55 GMT
set-cookie: __cfduid=d90819c09242b1c78140a54a7c8a2e5fb1546613695; expires=Sat, 04-Jan-20 14:54:55 GMT; path=/; domain=.server.com; HttpOnly
allow: GET, HEAD, POST, PUT, DELETE, OPTIONS, PATCH
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 493e8b0c9936c2d3-FRA
X-Firefox-Spdy: h2

0 个答案:

没有答案
相关问题
最新问题