
java - Spring Oauth2 CORS issue

Reposted. Author: 行者123. Updated: 2023-12-01 10:14:28

I have CORS set up to allow a few custom headers. Below are the response headers -

Response Headers
{
  "Date": "Mon, 14 Mar 2016 10:11:59 GMT",
  "Server": "Apache-Coyote/1.1",
  "Transfer-Encoding": "chunked",
  "Access-Control-Max-Age": "3600",
  "Access-Control-Allow-Methods": "POST, GET, OPTIONS, DELETE, PUT",
  "Content-Type": "application/json",
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Credentials": "true",
  "Access-Control-Allow-Headers": "X-Requested-With, Authorization, Content-Type, Authorization_Code, User_Credentials, Client_Credentials"
}

The response headers above should mean that the API can be consumed from all origins with the following headers: Authorization, Content-Type, Authorization_Code, User_Credentials, Client_Credentials

I can pass all the headers and consume the API from all origins.

Problem -

Requests with the Authorization header are not allowed. Authorization is the header in which the OAuth token is passed, as shown below - Authorization = Bearer ct45tg4g3rf3rfr5freg34gerfgr3gf (bearer token).

corsclient.js:609 OPTIONS http://54.200.113.97:8080/supafit-api/users sendRequest @ corsclient.js:609(anonymous function) @ corsclient.js:647b.event.dispatch @ jquery-1.9.1.min.js:3v.handle @ jquery-1.9.1.min.js:3 /client#?client_method=GET&client_credentials=false&client_headers=Authoriz…nable=true&server_status=200&server_credentials=false&server_tabs=remote:1 XMLHttpRequest cannot load http://54.200.113.97:8080/supafit-api/users. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://client.cors-api.appspot.com' is therefore not allowed access. The response had HTTP status code 401.

Edit:

Here is a REST client test of this API -

Response headers -

Server: Apache-Coyote/1.1 
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Access-Control-Allow-Origin: http://client.cors-api.appspot.com
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT
Access-Control-Max-Age: 3600
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: X-Requested-With
Access-Control-Allow-Headers: Authorization
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Headers: Authorization_Code
Access-Control-Allow-Headers: User_Credentials
Access-Control-Allow-Headers: Client_Credentials
Content-Type: application/json
Transfer-Encoding: chunked
Date: Mon, 14 Mar 2016 11:19:42 GMT Raw JSON

JSON response body -

{ "id":78, "userId":"3465434567", "coachId":null,
"name":"XDCDSC", "dob":null, "email":"puneetpandey37@gmail.com", "imageURL":"https://lh5.googleusercontent.com/-TcTQeitAvag/AAAAAAAAAAI/AAA/4pamurzO1a4/photo.jpg", "gender":null, "userPhysic":null, "userTypeId":1,
"dietitanId":null, "alternateEmailId":null,
"yearsOfExperience":null, "lastExperience":null,
"languagesKnown":null, "aboutYourself":null,
"coreCompetence":null, "fieldOfWork":null, "userAddresses":[
{
"id":1, "userId":78, "locationId":1, "address":"EC", "landmark":"Near BN", "phoneNumber":null, "addressType":"Home" } ], "phoneNumbers":[

] }

Best answer

The response had HTTP status code 401.

Your server requires authentication for the preflight request, but the client removes the credentials, as the CORS specification says:

Otherwise, make a preflight request. Fetch the request URL from origin source origin using referrer source as override referrer source with the manual redirect flag and the block cookies flag set, using the method OPTIONS, and with the following additional constraints:

Include an Access-Control-Request-Method header with as header field value the request method (even when that is a simple method).

If author request headers is not empty include an Access-Control-Request-Headers header with as header field value a comma-separated list of the header field names from author request headers in lexicographical order, each converted to ASCII lowercase (even when one or more are a simple header).

  • Exclude the author request headers.

  • Exclude user credentials.

  • Exclude the request entity body.

You must change your server to allow anonymous access for the preflight request.

Regarding java - Spring Oauth2 CORS issue, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/35985107/
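
One way to apply the fix described in the answer above, as an added example that is not part of the original answer or the asker's project: a servlet filter ordered ahead of the Spring Security chain answers preflight requests without a token, while every real request still goes through the OAuth2 check. It assumes Spring Boot with the javax.servlet API; the class name PreflightCorsFilter and the single-origin allow-list are hypothetical.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

// Added example (hypothetical class): runs before the Spring Security filter
// chain so that preflight requests are answered without a bearer token.
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class PreflightCorsFilter extends OncePerRequestFilter {
    // Assumption: explicit allow-list. Browsers refuse a wildcard origin on
    // credentialed requests, so the matching origin is echoed back instead.
    private static final Set<String> ALLOWED_ORIGINS = new HashSet<>(
            Arrays.asList("http://client.cors-api.appspot.com"));

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
            FilterChain chain) throws ServletException, IOException {
        String origin = req.getHeader("Origin");
        if (origin != null && ALLOWED_ORIGINS.contains(origin)) {
            res.setHeader("Access-Control-Allow-Origin", origin);
            res.addHeader("Vary", "Origin");
            res.setHeader("Access-Control-Allow-Credentials", "true");
            // A preflight is an OPTIONS request carrying Access-Control-Request-Method.
            if ("OPTIONS".equals(req.getMethod())
                    && req.getHeader("Access-Control-Request-Method") != null) {
                res.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE, PUT");
                res.setHeader("Access-Control-Allow-Headers",
                        "X-Requested-With, Authorization, Content-Type, "
                        + "Authorization_Code, User_Credentials, Client_Credentials");
                res.setHeader("Access-Control-Max-Age", "3600");
                res.setStatus(HttpServletResponse.SC_OK);
                return; // answered anonymously; the OAuth2 token check is never reached
            }
        }
        // Actual requests, and anything from an unlisted origin, still pass
        // through the security chain and must present a valid token.
        chain.doFilter(req, res);
    }
}
```

Only the preflight is exempted: an OPTIONS request from an origin outside the allow-list falls through to the security chain and gets the same 401 as before.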
