1. 首頁
  2. 問答
  3. 繞過「選項請求」的身份驗證(因此所有頭都在響應中發送)

繞過「選項請求」的身份驗證(因此所有頭都在響應中發送)

2013-10-02 23 views
3

這是在跨源資源共享的上下文中。對於預檢請求,服務器不發送標題集。 當一個有效的cookie沒有通過「選項請求」傳遞時,它的響應中的服務器沒有發送我設置的頭文件,但是它發送的是「200 OK」。我用捲曲檢查這是可以看到下面(很明顯,我代替我有效的cookie與虛擬「xyzabcde」在這裏)繞過「選項請求」的身份驗證(因此所有頭都在響應中發送)

無cookie中的捲曲請求:

curl -H "Origin: app2_url" -H "Access-Control-Request-Method: POST" -H "Access-Control-Request-Headers: accept, origin, content-type" -X OPTIONS --verbose app1_url/jsonrpc.cgi

(以下發送響應... )

HTTP/1.1 200 OK 
Date: Tue, 01 Oct 2013 11:37:36 GMT 
Server: Apache 
Expires: Tue, 01 Oct 2013 11:37:36 GMT 
Cache-Control: no-store, no-cache, must-revalidate 
Pragma: no-cache 
Expires: Tue, 01 Oct 2013 11:37:36 GMT 
Cache-Control: no-store, no-cache, must-revalidate 
Pragma: no-cache 
Content-Length: 4531 
Content-Type: text/html; charset=utf-8

與 「-H曲奇:xyzabcde」:

curl -H "Origin: app2_url" -H "Access-Control-Request-Method: POST" -H "Access-Control-Request-Headers: accept, origin, content-type" "-H Cookie:xyzabcde" -X OPTIONS --verbose app1_url/jsonrpc.cgi

(發送響應下面...)

HTTP/1.1 403 Forbidden 
Date: Wed, 02 Oct 2013 18:48:34 GMT 
Server: Apache 
X-frame-options: ALLOW-FROM app2_url 
Access-Control-Allow-Credentials: true 
Access-Control-Allow-Headers: accept, origin, content-type, Man, Messagetype, Soapaction, X-Requested-With 
Access-Control-Allow-Methods: GET, POST, HEAD, PUT, OPTIONS 
Access-Control-Allow-Origin: app2_url 
Access-Control-Max-Age: 1800 
Transfer-Encoding: chunked 
Content-Type: application/json; charset=UTF-8

Apache的配置看起來像......

<VirtualHost *:443> 
. 
. 
Header always set X-Frame-Options "ALLOW-FROM app2_url" 
Header always set Access-Control-Allow-Credentials "true" 
Header always set Access-Control-Allow-Headers "accept, origin, content-type, Man, Messagetype, Soapaction, X-Requested-With" 
Header always set Access-Control-Allow-Methods "GET, POST, HEAD, PUT, OPTIONS" 
Header always set Access-Control-Allow-Origin "app2_url" 
Header always set Access-Control-Max-Age "1800" 
. 
. 
. 
<Directory /app1/dir/>  
    Options Includes FollowSymLinks ExecCGI MultiViews 
    AllowOverride None 
    Order allow,deny 
    allow from all 
    AuthType Net 
    PubcookieInactiveExpire -1 
    PubcookieAppID app1.company.com 
    require valid-user 
</Directory> 
. 
. 
</VirtualHost>

我怎樣才能讓所有的頭以響應身份認證的請求被髮送? 我想,選項請求理想情況下應該不需要任何身份驗證。

來源

2013-10-02 Krishna

回答

1

「LimitExcept」指令解決了它。事實上,在發佈問題之前,我嘗試了指令,但是之前的錯誤是在「LimitExcept」塊中包含前兩行(「Options Includes ...」和「Alowoverride ...」)。

<Directory /app1/dir/>  
    Options Includes FollowSymLinks ExecCGI MultiViews 
    AllowOverride None 
    <LimitExcept OPTIONS> 
    Order allow,deny 
    allow from all 
    AuthType Net 
    PubcookieInactiveExpire -1 
    PubcookieAppID app1.company.com 
    require valid-user 
    </LimitExcept> #<- syntax error fixed. 
</Directory>

來源

2013-10-03 08:48:14 Krishna

+0

對我無效.. –

+1

這裏有一個語法錯誤。部分應該用關閉。在這個例子中它缺少「/」。 – user1751825

相關問題

 相關問題