为什么我的服务器忽略了ajax请求的身份validation标头?
从JavaScript我用过:
xhr.setRequestHeader("Authorization", make_base_auth(username,password)); 但是,HTTP请求没有Authorization标头:
OPTIONS /restService/index?_=1362589672203 HTTP/1.1 Host: myappinheroku.herokuapp.com User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: es-MX,es-ES;q=0.8,es-AR;q=0.7,es;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Origin: http://127.0.0.1:8081 Access-Control-Request-Method: GET Access-Control-Request-Headers: authorization,content-type Connection: keep-alive
似乎完全忽略了身份validation。 怎么了? 我们如何为CORS启用身份validation?
这是服务器对上述请求的响应:
HTTP/1.1 401 Full authentication is required to access this resource Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: origin, authorization, accept, content-type, x-requested- with Access-Control-Allow-Methods: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS Access-Control-Allow-Origin: * Access-Control-Max-Age: 3600 Server: Jetty(7.xy-SNAPSHOT) Set-Cookie: JSESSIONID=6smxjnlqelmc1lg98ain16wv7;Path=/ WWW-Authenticate: Basic realm="Ralph's Bait and Tackle" Transfer-Encoding: chunked Connection: keep-alive
当Access-Control-Allow-Credentials为true时,值*不能用于Access-Control-Allow-Origin标头。 您需要将Access-Control-Allow-Origin设置为Origin本身的值(在本例中为http://127.0.0.1:8081 )。
另请注意,预检请求不会发送身份validation凭据。 它们仅根据实际要求发送。 预检仅用于validation是否允许CORS请求,它本身不应进行任何身份validation。