浏览器 OPTIONS 请求方法和 windows 授权
Browser OPTIONS request method and windows authorization
我正在尝试 POST 来自我的 Angular 2 服务的数据到 ASP.NET 5 API 使用 windows 身份验证并托管在 IIS 上.
对 angular 进行一些修改后,创建的请求为:
var request = new XMLHttpRequest();
request.withCredentials = true;
这解决了我授权 GET 请求的问题,现在对于第一个 GET 请求,服务器 returns 401 响应 headers:
WWW-Authenticate:Negotiate
WWW-Authenticate:NTLM
然后 angular 客户端发送另一个请求,但这次使用包含 NTLM 令牌的授权 header 并且它有效。
对于 POST 请求,我将 "Content-Type: application/json" 添加到请求的 header,因此浏览器发送第一个请求,如下所示:
OPTIONS /api/reservation/ HTTP/1.1
Host: localhost:82
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Access-Control-Request-Method: POST
Origin: http://localhost:81
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Access-Control-Request-Headers: content-type
Accept: */*
Referer: http://localhost:81/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: pl-PL,pl;q=0.8,en-US;q=0.6,en;q=0.4
服务器响应:
HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Wed, 13 Jan 2016 11:54:56 GMT
Content-Length: 6394
但是这一次,不是像 GET 请求中的另一个授权请求,而是一个错误:
XMLHttpRequest cannot load http://localhost:82/api/reservation/. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:81' is therefore not allowed access. The response had HTTP status code 401.
对于 CORS,我在 ASP.NET 5:
中使用此配置
services.AddCors(options => options.AddPolicy("AllowAll", p => p.AllowAnyOrigin().AllowAnyMethod().WithHeaders("accept", "authorization", "content-type", "origin", "x-custom-header").AllowCredentials()));
我能否以某种方式禁用 IIS 中 OPTIONS 请求的 windows 身份验证?
或者也许有一些方法可以强制浏览器跟进授权?
好的,我找到了在 IIS Express 或 IIS 8.5 上运行的方法,ASP.NET 5.
我们需要像这样修改wwwroot/web.config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<handlers>
<add name="httpPlatformHandler" path="*" verb="*" modules="httpPlatformHandler" resourceType="Unspecified" />
</handlers>
<httpPlatform processPath="%DNX_PATH%" arguments="%DNX_ARGS%" stdoutLogEnabled="false" startupTimeLimit="3600" forwardWindowsAuthToken="true"></httpPlatform>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Request-Headers" value="Content-Type,Authorization" />
<add name="Access-Control-Allow-Headers" value="Content-Type,Authorization" />
<add name="Access-Control-Allow-Origin" value="http://localhost:5814" />
<add name="Access-Control-Allow-Credentials" value="true" />
</customHeaders>
</httpProtocol>
<security>
<authorization>
<!--<remove users="*" roles="" verbs="" /> Uncomment for IIS-->
<add accessType="Allow" users="*" verbs="GET,POST,PUT" />
<add accessType="Allow" users="?" verbs="OPTIONS" />
<add accessType="Deny" users="?" verbs="GET,POST,PUT" />
</authorization>
</security>
</system.webServer>
<system.web>
<authorization>
<allow users="*" verbs="GET,POST,PUT" />
<allow users="?" verbs="OPTIONS" />
</authorization>
</system.web>
</configuration>
在launchSettings.json中设置:
"iisSettings": {
"windowsAuthentication": true,
"anonymousAuthentication": true,
"iisExpress": {
"applicationUrl": "http://localhost:4402/",
"sslPort": 0
}
在Startup.cs中:
services.AddCors(options => options.AddPolicy("AllowAll", p => p.AllowAnyMethod().WithHeaders("accept", "authorization", "content-type", "origin", "x-custom-header").AllowCredentials()));
其中一些设置可能不是必需的。
对于 IIS,我们需要安装 Windows 身份验证和 URL 授权。
我正在尝试 POST 来自我的 Angular 2 服务的数据到 ASP.NET 5 API 使用 windows 身份验证并托管在 IIS 上. 对 angular 进行一些修改后,创建的请求为:
var request = new XMLHttpRequest();
request.withCredentials = true;
这解决了我授权 GET 请求的问题,现在对于第一个 GET 请求,服务器 returns 401 响应 headers:
WWW-Authenticate:Negotiate
WWW-Authenticate:NTLM
然后 angular 客户端发送另一个请求,但这次使用包含 NTLM 令牌的授权 header 并且它有效。
对于 POST 请求,我将 "Content-Type: application/json" 添加到请求的 header,因此浏览器发送第一个请求,如下所示:
OPTIONS /api/reservation/ HTTP/1.1
Host: localhost:82
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Access-Control-Request-Method: POST
Origin: http://localhost:81
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Access-Control-Request-Headers: content-type
Accept: */*
Referer: http://localhost:81/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: pl-PL,pl;q=0.8,en-US;q=0.6,en;q=0.4
服务器响应:
HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Wed, 13 Jan 2016 11:54:56 GMT
Content-Length: 6394
但是这一次,不是像 GET 请求中的另一个授权请求,而是一个错误:
XMLHttpRequest cannot load http://localhost:82/api/reservation/. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:81' is therefore not allowed access. The response had HTTP status code 401.
对于 CORS,我在 ASP.NET 5:
中使用此配置services.AddCors(options => options.AddPolicy("AllowAll", p => p.AllowAnyOrigin().AllowAnyMethod().WithHeaders("accept", "authorization", "content-type", "origin", "x-custom-header").AllowCredentials()));
我能否以某种方式禁用 IIS 中 OPTIONS 请求的 windows 身份验证? 或者也许有一些方法可以强制浏览器跟进授权?
好的,我找到了在 IIS Express 或 IIS 8.5 上运行的方法,ASP.NET 5.
我们需要像这样修改wwwroot/web.config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<handlers>
<add name="httpPlatformHandler" path="*" verb="*" modules="httpPlatformHandler" resourceType="Unspecified" />
</handlers>
<httpPlatform processPath="%DNX_PATH%" arguments="%DNX_ARGS%" stdoutLogEnabled="false" startupTimeLimit="3600" forwardWindowsAuthToken="true"></httpPlatform>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Request-Headers" value="Content-Type,Authorization" />
<add name="Access-Control-Allow-Headers" value="Content-Type,Authorization" />
<add name="Access-Control-Allow-Origin" value="http://localhost:5814" />
<add name="Access-Control-Allow-Credentials" value="true" />
</customHeaders>
</httpProtocol>
<security>
<authorization>
<!--<remove users="*" roles="" verbs="" /> Uncomment for IIS-->
<add accessType="Allow" users="*" verbs="GET,POST,PUT" />
<add accessType="Allow" users="?" verbs="OPTIONS" />
<add accessType="Deny" users="?" verbs="GET,POST,PUT" />
</authorization>
</security>
</system.webServer>
<system.web>
<authorization>
<allow users="*" verbs="GET,POST,PUT" />
<allow users="?" verbs="OPTIONS" />
</authorization>
</system.web>
</configuration>
在launchSettings.json中设置:
"iisSettings": {
"windowsAuthentication": true,
"anonymousAuthentication": true,
"iisExpress": {
"applicationUrl": "http://localhost:4402/",
"sslPort": 0
}
在Startup.cs中:
services.AddCors(options => options.AddPolicy("AllowAll", p => p.AllowAnyMethod().WithHeaders("accept", "authorization", "content-type", "origin", "x-custom-header").AllowCredentials()));
其中一些设置可能不是必需的。
对于 IIS,我们需要安装 Windows 身份验证和 URL 授权。