Angular JS - Rest API - 从浏览器发送但未在服务器中接收的授权
Angular JS - Rest API - Authorization sent from browser but not received in server
我有一个 spring 启动应用程序,启用了基本 spring 安全性。我有一个用 Angular JS
编写的 Web 应用程序
当我进行休息呼叫时,我可以清楚地看到正在通过的授权 header。但在服务器中,它将 header 显示为 Null。
P.S 这只发生在我的机器上(是的,同样的老故事)但似乎在其他任何地方都有效。
请求Header
Accept: application/json, text/plain, */*
Authorization: Basic YWRtaW5Ac211LmVkdS5zZzpleUXXXXXXXXXXXSmhaRzFwYmtCemJYVXVaV1IxTG5ObkXXXXXXXXXXXXTmpReGZRLnXXXXXXOExJNF80MjBjMTZMUTFWX2JLR1p1VjM5SmZ3dllXbkxVTmc4LWhEeGJhdXhlMjljc3l5dWVka0w=
Content-Type: application/json
Origin: http://localhost:9000
Referer: http://localhost:9000/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
回复Header
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Access-Control-Allow-Origin,Access-Control-Allow-Credentials
Connection: Keep-Alive
Content-Length: 68
Content-Type: application/json;charset=UTF-8
Date: Fri, 22 Mar 2019 05:38:23 GMT
Server: NA
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
服务器组件
服务器组件是使用camel和maven restlet构建的。
from(reslet://routeName)
.log("${in.headers}"; // the auth header is completely ignored.
该应用程序部署在 tomcat 并且 web.xml 具有如下过滤器
<filter>
<filter-name>CorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>*</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.methods</param-name>
<param-value>GET,POST,PUT,DELETE</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.headers</param-name>
<param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization, Cache-Control</param-value>
</init-param>
<init-param>
<param-name>cors.exposed.headers</param-name>
<param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
</init-param>
<init-param>
<param-name>cors.preflight.maxage</param-name>
<param-value>10</param-value>
</init-param>
</filter>
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
</filter>
<filter>
<filter-name>envHttpHeaders</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
</filter>
<filter-mapping>
<filter-name>envHttpHeaders</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CorsFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
我也是公司代理人。它是否撕掉 Auth header
答案是我问题的最后一行
我也有公司代理。它是否扯掉 Auth header
在打开互联网连接的个人计算机上测试相同的应用程序后,我确信,出于安全原因,公司代理实际上删除了几个 headers。
我有一个 spring 启动应用程序,启用了基本 spring 安全性。我有一个用 Angular JS
编写的 Web 应用程序当我进行休息呼叫时,我可以清楚地看到正在通过的授权 header。但在服务器中,它将 header 显示为 Null。
P.S 这只发生在我的机器上(是的,同样的老故事)但似乎在其他任何地方都有效。
请求Header
Accept: application/json, text/plain, */*
Authorization: Basic YWRtaW5Ac211LmVkdS5zZzpleUXXXXXXXXXXXSmhaRzFwYmtCemJYVXVaV1IxTG5ObkXXXXXXXXXXXXTmpReGZRLnXXXXXXOExJNF80MjBjMTZMUTFWX2JLR1p1VjM5SmZ3dllXbkxVTmc4LWhEeGJhdXhlMjljc3l5dWVka0w=
Content-Type: application/json
Origin: http://localhost:9000
Referer: http://localhost:9000/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
回复Header
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Access-Control-Allow-Origin,Access-Control-Allow-Credentials
Connection: Keep-Alive
Content-Length: 68
Content-Type: application/json;charset=UTF-8
Date: Fri, 22 Mar 2019 05:38:23 GMT
Server: NA
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
服务器组件 服务器组件是使用camel和maven restlet构建的。
from(reslet://routeName)
.log("${in.headers}"; // the auth header is completely ignored.
该应用程序部署在 tomcat 并且 web.xml 具有如下过滤器
<filter>
<filter-name>CorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>*</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.methods</param-name>
<param-value>GET,POST,PUT,DELETE</param-value>
</init-param>
<init-param>
<param-name>cors.allowed.headers</param-name>
<param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Authorization, Cache-Control</param-value>
</init-param>
<init-param>
<param-name>cors.exposed.headers</param-name>
<param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
</init-param>
<init-param>
<param-name>cors.preflight.maxage</param-name>
<param-value>10</param-value>
</init-param>
</filter>
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
</filter>
<filter>
<filter-name>envHttpHeaders</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
</filter>
<filter-mapping>
<filter-name>envHttpHeaders</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CorsFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
我也是公司代理人。它是否撕掉 Auth header
答案是我问题的最后一行
我也有公司代理。它是否扯掉 Auth header
在打开互联网连接的个人计算机上测试相同的应用程序后,我确信,出于安全原因,公司代理实际上删除了几个 headers。