从JavaScript我用过:
xhr.setRequestHeader("Authorization",make_base_auth(username,password));
但是,HTTP请求没有Authorization标头:
OPTIONS /restService/index?_=1362589672203 HTTP/1.1 Host: myappinheroku.herokuapp.com User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: es-MX,es-ES;q=0.8,es-AR;q=0.7,es;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip,deflate Origin: http://127.0.0.1:8081 Access-Control-Request-Method: GET Access-Control-Request-Headers: authorization,content-type Connection: keep-alive
似乎完全忽略了身份验证.哪里不对?我们如何为CORS启用身份验证?
这是服务器对上述请求的响应:
HTTP/1.1 401 Full authentication is required to access this resource Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: origin,authorization,accept,content-type,x-requested- with Access-Control-Allow-Methods: GET,HEAD,POST,PUT,DELETE,TRACE,OPTIONS Access-Control-Allow-Origin: * Access-Control-Max-Age: 3600 Server: Jetty(7.x.y-SNAPSHOT) Set-Cookie: JSESSIONID=6smxjnlqelmc1lg98ain16wv7;Path=/ WWW-Authenticate: Basic realm="Ralph's Bait and Tackle" Transfer-Encoding: chunked Connection: keep-alive
解决方法
当Access-Control-Allow-Credentials为true时,值*不能用于Access-Control-Allow-Origin标头.您需要将Access-Control-Allow-Origin设置为Origin本身的值(在本例中为http://127.0.0.1:8081).
另请注意,预检请求不会发送身份验证凭据.它们仅根据实际要求发送.预检仅用于验证是否允许CORS请求,它本身不应进行任何身份验证.
