Javascript 预检中带有 http 401 的 Ajax CORS 请求
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/44735921/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Ajax CORS Request with http 401 in preflight
提问by lance d?rksen
I am struggling for hours now. I want to make a simple ajax request to another domain, but get http 401 Error all the time:
我现在挣扎了几个小时。我想向另一个域发出一个简单的ajax请求,但一直收到http 401错误:
jQuery(document).ready(function($){
var challengeid = $('#codepressHook').data('challengeid');
var clicked = false;
$('#codepressHook').click(function(){
if(!clicked){
$.ajax({
url: "https://dev.radbonus.com/admin/affiliate-connections/retrieveSingle/"+challengeid+".json",
method: "GET",
dataType: "json",
jsonp: false,
contentType: "application/json",
xhrFields: {
withCredentials: true
},
beforeSend: function(xhr){
xhr.setRequestHeader("Authorization", "Basic "+ btoa(username+":"+password));
},
success: function(data){
$('#codepressHock').html(data.data.code);
},
error: function(error){
alert(error);
}
});
}
});
});
I set all relevant CORS headers on the serverside. Here is the network traffic:
我在服务器端设置了所有相关的 CORS 标头。这是网络流量:
Request URL:https://dev.radbonus.com/admin/affiliate-connections/retrieveSingle/45.json
Request Method:OPTIONS
Status Code:401 Unauthorized
Remote Address:185.102.94.230:443
Referrer Policy:no-referrer-when-downgrade
Response Headers
view source
Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:Content-Type, X-Requested-With, Authorization, Origin
Access-Control-Allow-Methods:POST, GET, PUT, DELETE, OPTIONS
Access-Control-Allow-Origin:http://radbonus.com
Access-Control-Max-Age:31536000
Content-Length:463
Content-Type:text/html; charset=iso-8859-1
Date:Sat, 24 Jun 2017 11:25:33 GMT
Server:Apache/2.4.18 (Ubuntu)
WWW-Authenticate:Basic realm="Admin"
Request Headers
view source
Accept:*/*
Accept-Encoding:gzip, deflate, sdch, br
Accept-Language:de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
Access-Control-Request-Headers:authorization,content-type
Access-Control-Request-Method:GET
Connection:keep-alive
Host:dev.radbonus.com
Origin:http://radbonus.com
Referer:http://radbonus.com/plugintest/
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
I know that there are a lot of posts on this topic, but it seems I'm missing something simple. Could anyone help me?
我知道有很多关于这个主题的帖子,但似乎我错过了一些简单的东西。有人可以帮助我吗?
回答by MarSoft
UPDATELooks like I was not right. Authorizationheader is never sent for OPTIONSrequest. Please see comment by sideshowbarker- you need to make sure that your server doesn't respond with 401to OPTIONSrequest.
更新看起来我不对。Authorization标头永远不会发送OPTIONS请求。请参阅的评论sideshowbarker-你需要确保你的服务器不响应401到OPTIONS请求。
I don't know what language is your server written in, but you implemented authorization in the wrong way - OPTIONS method should be excluded from auth. Also see here - OPTIONS request authentication
我不知道您的服务器是用什么语言编写的,但是您以错误的方式实现了授权 - OPTIONS 方法应该从身份验证中排除。另请参见此处 - OPTIONS 请求身份验证
Below is obsolete answer:
以下是过时的答案:
Your serverside requires HTTP Basic authentication for this request. And you don't provide credentials. 401 error has nothing to do with CORS; it just means that the server chose to not authorize your request because you didn't provide auth credentials.
您的服务器端需要对此请求进行 HTTP 基本身份验证。而且您不提供凭据。401错误与CORS无关;这只是意味着服务器选择不授权您的请求,因为您没有提供身份验证凭据。
If you try to open this url (like https://dev.radbonus.com/admin/affiliate-connections/retrieveSingle/1.json) directly in browser, you will be asked to enter login&password, which is how the browser handles 401 error with WWW-Authenticateheader.
如果你尝试直接在浏览器中打开这个 url(比如https://dev.radbonus.com/admin/affiliate-connections/retrieveSingle/1.json),你会被要求输入登录名和密码,这是浏览器处理 401 的方式WWW-Authenticate标题错误。
Please notice that Authorizationheader is actually not included with your request.
So instead of using beforeSendhook, you should probably just include header directly in your call:
请注意Authorization标题实际上不包含在您的请求中。因此,不要使用beforeSend钩子,您应该直接在调用中包含标头:
headers: {
'Authorization': 'Basic ' + btoa(username+':'+password),
},
And make sure that Authorizationheader presents in your request.
并确保Authorization标头出现在您的请求中。
回答by Pramod
Please add cross domain in headers like this:
请在标题中添加跨域,如下所示:
$.ajax({
url: "https://dev.radbonus.com/admin/affiliate-connections/retrieveSingle/"+challengeid+".json",
method: "GET",
dataType: "json",
jsonp: false,
contentType: "application/json",
xhrFields: {
withCredentials: true
},
crossDomain: true,
beforeSend: function(xhr){
xhr.setRequestHeader("Authorization", "Basic "+ btoa(username+":"+password));
xhr.setRequestHeader("Access-Control-Allow-Origin",'*');
},
success: function(data){
$('#codepressHock').html(data.data.code);
},
error: function(error){
alert(error);
}
});
回答by MasterPiece
You should check if you have disabled "Anonymous Authentication" in order to allow any authentication like "Windows Authentication". If you disabled it you will get 401 for any preflight request since they don't send credentials in their request.
您应该检查是否已禁用“匿名身份验证”以允许任何身份验证,例如“Windows 身份验证”。如果您禁用它,您将收到 401 任何预检请求,因为他们不会在他们的请求中发送凭据。
You should enable "Anonymous Authentication" and use "Authorization Rules" section in IIS to avoid anonymous access. in case you don't have it, you can install it in windows features under the section:
您应该启用“匿名身份验证”并使用 IIS 中的“授权规则”部分以避免匿名访问。如果您没有它,您可以将其安装在以下部分的 Windows 功能中:
Internet Information Services(IIS) - World Wide Web Services - Security - URL Authorization
Internet 信息服务 (IIS) - 万维网服务 - 安全 - URL 授权
You can for example set your authorization rules like this:
例如,您可以像这样设置授权规则:
