javascript 尝试为 SharePoint 实施 CORS 时出现 401
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/16549583/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
401 when trying to implement CORS for SharePoint
提问by Ray
I would like to access listdata.svc (a sharepoint service) located on domainA.contoso.com from a web application located on domainB.contoso.com - Authentication seems to be an issue.
我想从位于 domainB.contoso.com 上的 Web 应用程序访问位于 domainA.contoso.com 上的 listdata.svc(共享点服务) - 身份验证似乎是一个问题。
When attempting to access ListData.svc via a JQuery Ajax call, with CORS enabled, the server returns 401. If I run the same Query from an .htm page which I execute from inside of SharePoint, the call works fine, since the domain is the same.
当尝试通过 JQuery Ajax 调用访问 ListData.svc 并启用 CORS 时,服务器返回 401。相同。
SharePoint is using NTLM with anonymous authentication turned off - I presume that the 401 is a result of windows credentials not being passed to the SharePoint server - but I am at a loss of how to add these credentials properly to the header. I have set xhrFields: { withCredentials: true }, but this does not seem to correct the authentication issue.
SharePoint 正在使用关闭匿名身份验证的 NTLM - 我认为 401 是 Windows 凭据未传递到 SharePoint 服务器的结果 - 但我不知道如何将这些凭据正确添加到标题中。 我已经设置了 xhrFields: { withCredentials: true },但这似乎并没有纠正身份验证问题。
To enabled CORS, I have set the following HTTP Response Headers on SharePoint in IIS:
为了启用 CORS,我在 IIS 中的 SharePoint 上设置了以下 HTTP 响应标头:
- Access-Control-Allow-Credentials: true
- Access-Control-Allow-Headers:Origin, Content-Type, Accept
- Access-Control-Allow-Origin: *
- Access-Control-Request-Methods: POST, GET, HEAD, OPTIONS
- 访问控制允许凭据:true
- Access-Control-Allow-Headers:Origin, Content-Type, Accept
- 访问控制允许来源:*
- 访问控制请求方法:POST、GET、HEAD、OPTIONS
Windows Authentication is enabled in IIS for my web application, and I did not set the "OPTIONSVerbHandler" HTTP Handler in IIS. Turning it to read doesn't seem to make a difference.
在 IIS 中为我的 Web 应用程序启用了 Windows 身份验证,并且我没有在 IIS 中设置“OPTIONSVerbHandler”HTTP 处理程序。把它变成阅读似乎没有什么区别。
JQuery Ajax call (from application on subdomainB.contoso.com):
JQuery Ajax 调用(来自 subdomainB.contoso.com 上的应用程序):
$.ajax({
type: "GET",
contentType: "application/json; charset=utf-8",
url: listUrl,
xhrFields: { withCredentials: true },
crossDomain:true,
processData: false,
async: true,
dataType: "json",
converters: {
// WCF Data Service .NET 3.5 incorrectly escapes singles quotes, which is clearly
// not required (and incorrect) in JSON specs.
// http://bugs.jquery.com/ticket/8320?cversion=0&cnum_hist=1
"text json": function (textValue) {
return jQuery.parseJSON(textValue.replace(/(^|[^\])\'/g, "'"));
}
},
success: function (data, status, xhr) {
//successFunc(data.d.results);
alert("working!");
},
error: function (xhr, status, error) {
alert("failure!");
}
});
HTTP Header and 401 Response:
HTTP 标头和 401 响应:
Key Value
Request OPTIONS /_vti_bin/ListData.svc/Contacts HTTP/1.1
Accept */*
Origin http://domainB.contoso.com
Access-Control-Request-Method GET
Access-Control-Request-Headers content-type, accept
Accept-Encoding gzip, deflate
User-Agent Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host domainA.contoso.com
Content-Length 0
DNT 1
Connection Keep-Alive
Cache-Control no-cache
Key Value
Response HTTP/1.1 401 Unauthorized
Server Microsoft-IIS/7.5
SPRequestGuid 1e33061c-f555-451b-9d69-0d83eff5f5ea
WWW-Authenticate NTLM
X-Powered-By ASP.NET
MicrosoftSharePointTeamServices 14.0.0.4762
Access-Control-Allow-Headers Origin, Content-Type, Accept
Access-Control-Allow-Origin *
Access-Control-Request-Methods POST, GET, HEAD, OPTIONS
Access-Control-Allow-Credentials true
Date Wed, 15 May 2013 15:04:51 GMT
Content-Length 0
采纳答案by LarryDavid
Late response, but I found another thread herewhich has an easy solution for IIS and which worked for me.
迟到的回复,但我在这里找到了另一个线程,它为 IIS 提供了一个简单的解决方案,并且对我有用。
Basically the CORS standard specifies that a preflight request should not send any authentication information, thus the 401. In that thread there's an example of restricting anonymous requests to the OPTIONS verb which allows a 200 response to the preflight (OPTIONS verb) request but still requires the authentication for the others.
基本上,CORS 标准指定预检请求不应发送任何身份验证信息,因此 401。在该线程中有一个示例,将匿名请求限制为 OPTIONS 动词,它允许对预检(OPTIONS 动词)请求做出 200 响应,但仍然需要其他人的身份验证。
回答by frenchone
You can't use wildcard (*) for Access-Control-Allow-Origin on the server when client sends "withCredentials: true".
You must set the domain explicitely.
CORS: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true
当客户端发送“withCredentials: true”时,您不能在服务器上对 Access-Control-Allow-Origin 使用通配符 (*)。
您必须明确设置域。
CORS:当凭据标志为真时,不能在 Access-Control-Allow-Origin 中使用通配符
回答by robertklep
I'm not sure what you mean by "anonymous authentication is disabled", but it sounds like that's exactly the reason you're getting a 401 (Unauthorized) response. It's not related to CORS, but the server is telling the client it requires a username and a password before it will allow access.
我不确定您所说的“禁用匿名身份验证”是什么意思,但听起来这正是您收到 401 ( Unauthorized) 响应的原因。它与 CORS 无关,但服务器告诉客户端它需要用户名和密码才能允许访问。
Try passing a username and password to $.ajax()(WARNING: it's just to test if that solves your problem, hardcoding such details in your JS code is a Bad Idea):
尝试将用户名和密码传递给$.ajax()(警告:这只是为了测试这是否能解决您的问题,在您的 JS 代码中硬编码此类细节是一个坏主意):
$.ajax({
crossDomain:true,
url: listUrl,
username: VALID_USERNAME,
password: VALID_PASSWORD,
success: function(data){alert("hello json!") },
error: function() {
alert("epic fail");
},
dataType:'json'
});
