Angular JS-Rest API-从浏览器发送但未在服务器中收到授权

时间:2019-03-22 05:47:33

标签: angularjs rest spring-boot basic-authentication

我有一个启用了基本Spring Security的Spring Boot应用程序。我有一个用Angular JS编写的Web应用程序

当我进行休息呼叫时,我可以清楚地看到正在传递Authorization标头。但是在服务器中,它将标头显示为Null。

P.S (仅在我的机器上(是相同的旧故事)发生,但似乎在其他地方都起作用。

请求标头 

Accept: application/json, text/plain, */*
Authorization: Basic YWRtaW5Ac211LmVkdS5zZzpleUXXXXXXXXXXXSmhaRzFwYmtCemJYVXVaV1IxTG5ObkXXXXXXXXXXXXTmpReGZRLnXXXXXXOExJNF80MjBjMTZMUTFWX2JLR1p1VjM5SmZ3dllXbkxVTmc4LWhEeGJhdXhlMjljc3l5dWVka0w=
Content-Type: application/json
Origin: http://localhost:9000
Referer: http://localhost:9000/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36

响应标题 

Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Access-Control-Allow-Origin,Access-Control-Allow-Credentials
Connection: Keep-Alive
Content-Length: 68
Content-Type: application/json;charset=UTF-8
Date: Fri, 22 Mar 2019 05:38:23 GMT
Server: NA
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

服务器密码 服务器组件是使用骆驼和maven restlet构建的。

from(reslet://routeName)
.log("${in.headers}"; // the auth header is completely ignored.

该应用程序已部署在tomcat中,并且web.xml具有以下过滤器

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
      <param-name>cors.allowed.origins</param-name>
      <param-value>*</param-value>
    </init-param>
    <init-param>
      <param-name>cors.allowed.methods</param-name>
      <param-value>GET,POST,PUT,DELETE</param-value>
    </init-param>
    <init-param>
      <param-name>cors.allowed.headers</param-name>
      <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization, Cache-Control</param-value>
    </init-param>
    <init-param>
      <param-name>cors.exposed.headers</param-name>
      <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
    </init-param>

  <init-param>
    <param-name>cors.preflight.maxage</param-name>
    <param-value>10</param-value>
  </init-param>
</filter>
<filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
 </filter>
 <filter>
        <filter-name>envHttpHeaders</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
 </filter>

 <filter-mapping> 
    <filter-name>envHttpHeaders</filter-name> 
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping> 
    <filter-name>httpHeaderSecurity</filter-name> 
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

我也是企业代理的幕后黑手。是否会剥夺Auth标头

1 个答案:

答案 0 :(得分:0)

解决方案是我问题的最后一行

我也是企业代理的幕后黑手。是否会剥夺Auth标头

确信,在具有开放Internet连接的个人计算机中测试了相同的应用程序之后,出于安全原因,企业代理实际上正在删除一些标头。

相关问题
最新问题