问题描述
我们有一个使用spring 4的websocket服务器端实现。它已配置为对auth / authz使用spring安全性。在客户端,我们使用sockJS,当客户端与服务器在同一个域中时,它工作得很好。
调用websocket是这样的...
socket = new SockJS()
最后调用来决定要使用的传输。所有这些都是好的。
但是,当使用来自不同域的客户端时,我看到凭据被剥离。因此,当此客户端位于不同的域时,我看到正在进行的调用是:
。我看不到凭据通过。由于这个,我得到一个401错误(未授权的)用户。我们在服务器端具有CORS配置,并且还具有:
访问控制允许凭证真
即使 XmlHttpRequest.withCredentials = true
(由SockJS客户端执行)和 Access-Control- Credentials = true
,您无法在跨网域请求的网址中传递用户名和密码。
为了使用基本身份验证需要创建自己 Authorization
头,但似乎SockJS客户端不允许这个目前。有一个问题要求这样的支持,我已经添加了,说明我们需要基本验证支持。
由于授权标题不是 ,则将在实际请求之前发送。但Spring Framework目前,因此即使在客户端设置了授权头,您也需要在Spring Framework中启用OPTIONS请求分派。
使用 web.xml
:
< servlet>
< servlet-name> dispatcherServlet< / servlet-name>
< servlet-class> org.springframework.web.servlet.DispatcherServlet< / servlet-class>
< init-param>
< param-name> dispatchOptionsRequest< / param-name>
< param-value> true< / param-value>
< / init-param>
< load-on-startup> 1< / load-on-startup>
3没有 web.xml
,将此添加到扩展 AbstractAnnotationConfigDispatcherServletInitializer
的类中:
@Override
protected void customizeRegistration(动态注册){
registration.setInitParameter(dispatchOptionsRequest,true);
}
We have a websocket server side implementation using spring 4. It has been configured to use spring security for auth/authz. On the client side, we use sockJS which works perfectly when the client is in the same domain as the server.
Call to websocket is made this way…
socket = new SockJS("http://guest:[email protected]/MyWebSocketApp/tracker")
This eventually makes a call to http://guest:[email protected]/MyWebSocketApp/tracker/info to decide the transport to use. All this is good.
However, when using client from a different domain, I see that the credentials get stripped out. So, when this client is on a different domain, I see that the call being made is:http://myinterestingdomain.com/MyWebSocketApp/tracker/info. I do not see the credentials being passed. Due to this, I get a 401 error (unauthorized) user. We have the CORS configuration on the server side and also have:
Access-Control-Allow-Credentials "true"
Can someone please help me? I am out of options and I don’t understand why the credentials are getting stripped out? Could this be related to CORS?
Even if XmlHttpRequest.withCredentials=true
(done by the SockJS client) and Access-Control-Allow-Credentials=true
, you can't pass username and password in the URL for cross domain requests.
In order to use basic authentication, you need to create yourself the Authorization
header, but it seems SockJS client does not allow this currently. There is an issue asking for such support, I have added a new comment explaining we need this for Basic Authentication support.
Since Authorization header is not a simple header, a CORS preflight request will be sent before the actual request. But Spring Framework currently does not dispatch OPTIONS requests by default, so even with the Authorization header set on client side, you will also need to enable OPTIONS requests dispatching in Spring Framework.
With web.xml
:
<servlet>
<servlet-name>dispatcherServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>dispatchOptionsRequest</param-name>
<param-value>true</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
Or if you are using Servlet 3 without web.xml
, add this to your class that extends AbstractAnnotationConfigDispatcherServletInitializer
:
@Override
protected void customizeRegistration(Dynamic registration) {
registration.setInitParameter("dispatchOptionsRequest", "true");
}
这篇关于当在不同的域(CORS)时SockJS不传递凭据信息的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!