RestyGWT 和基本身份验证
RestyGWT and Basic authentication
几天没有任何进展,我需要你的帮助。
使用 GWT,我正在尝试与我的 REST 服务器通信,该服务器位于不同的 URL(需要 CORS)。
我的配置:
服务器
- spring-boot 1.3.3
客户端
- GWT 1.7
-restygwt 2.0.3
服务器端,我觉得还行
当我在 Spring 中禁用安全性时,我可以在我的 GWT 客户端中获取数据。
但是当我启用它时,我总是收到 401 请求。 REST URL 请求直接在 Web 浏览器中工作(使用其身份验证对话框)。
客户端,我已经关注了这个页面:
https://ronanquillevere.github.io/2014/04/11/restygwt-basic-auth.html
这是我的代码:
在 header
中添加凭据的过滤器
public class BasicAuthHeaderDispatcherFilter implements DispatcherFilter {
public static final String AUTHORIZATION_HEADER = "Authorization";
@Override
public boolean filter(Method method, RequestBuilder builder) {
try {
String basicAuthHeaderValue = createBasicAuthHeader(
UserCredentials.INSTANCE.getUserName(),
UserCredentials.INSTANCE.getPassword());
builder.setHeader(AUTHORIZATION_HEADER, basicAuthHeaderValue);
} catch (UnsupportedEncodingException e) {
return false;
}
return true;
}
private String createBasicAuthHeader(String userName, String password)
throws UnsupportedEncodingException {
String credentials = userName + ":" + password;
String encodedCredentials = new String(Base64.encode(credentials
.getBytes()), "UTF-8");
GWT.log("encodedCredentials=["+encodedCredentials+"]");
return " Basic " + encodedCredentials;
}
}
调度员:
public class MyDispatcher extends DefaultFilterawareDispatcher {
public MyDispatcher() {
addFilter(new BasicAuthHeaderDispatcherFilter());
}
}
我的测试电话:
@Override
public void onClick(ClickEvent event) {
Defaults.setDispatcher(new MyDispatcher());
UserCredentials.INSTANCE.setUserName("user");
UserCredentials.INSTANCE.setPassword("psswd");
String url = "http://localhost:8080/race";
Resource resource = new Resource(url);
resource.get().send(new JsonCallback() {
@Override
public void onSuccess(Method method, JSONValue response) {
GWT.log(response.toString());
}
@Override
public void onFailure(Method method, Throwable exception) {
GWT.log("Erreur: ", exception);
}
});
}
现在在 Web 浏览器开发工具中生成 headers。
直接在网络浏览器中:
要求
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate
Accept-Language fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Authorization Basic R3V5OnR5Y29vbg==
Cache-Control max-age=0
Connection keep-alive
Host localhost:8080
User-Agent Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0
回答
Cache-Control no-cache, no-store, max-age=0, must-revalidate
Content-Type application/json;charset=UTF-8
Date Thu, 28 Apr 2016 17:35:31 GMT
Expires 0
Pragma no-cache
Server Apache-Coyote/1.1
Set-Cookie JSESSIONID=A496281DBD6E9B797887B9C34B47DA52; Path=/; HttpOnly
Transfer-Encoding chunked
X-Frame-Options DENY
X-XSS-Protection 1; mode=block
x-content-type-options nosniff
GWT 客户端
要求
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate
Accept-Language fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Access-Control-Request-He... authorization,x-http-method-override
Access-Control-Request-Me... GET
Connection keep-alive
Host localhost:8080
Origin http://127.0.0.1:8888
User-Agent Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0
回答
Access-Control-Allow-Cred... true
Access-Control-Allow-Orig... http://127.0.0.1:8888
Allow GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
Cache-Control no-cache, no-store, max-age=0, must-revalidate
Content-Length 0
Date Thu, 28 Apr 2016 17:43:29 GMT
Expires 0
Pragma no-cache
Server Apache-Coyote/1.1
Set-Cookie JSESSIONID=4D80D0C0FA9E27D166F6489CC88C3E45; Path=/; HttpOnly
Vary Origin
WWW-Authenticate Basic realm="Realm"
X-Frame-Options DENY
X-XSS-Protection 1; mode=block
access-control-allow-head... authorization, x-http-method-override
access-control-allow-meth... GET
x-content-type-options nosniff
我注意到两件事:
- 在 gwt header 请求中,我没有授权值。但是在控制台日志中,我有一条跟踪记录,确认我的过滤器已被触发。
- 仅使用 firefox,当我执行请求时,firebug 捕获 2 个网络 paquets,第一个具有授权值但没有答案,第二个是我上面描述的结果。
感谢您的帮助。
已解决。
我的服务器拒绝网络浏览器提交的飞行前请求。
我在我的服务器中添加了一个 CorsFilter,它忽略了 OPTIONS 请求
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
HttpServletResponse theResponse = (HttpServletResponse) response;
HttpServletRequest theRequest = (HttpServletRequest) request;
theResponse.setHeader("Access-Control-Allow-Origin", theRequest.getHeader("Origin"));
if ("OPTIONS".equalsIgnoreCase(theRequest.getMethod())) {
theResponse.setHeader("Access-Control-Allow-Credentials", "true");
theResponse.setHeader("Access-Control-Allow-Methods", "POST, GET, HEAD, OPTIONS, DELETE");
theResponse.setHeader("Access-Control-Allow-Headers", "Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization, X-HTTP-Method-Override");
}else{
chain.doFilter(request, response);
}
}
几天没有任何进展,我需要你的帮助。
使用 GWT,我正在尝试与我的 REST 服务器通信,该服务器位于不同的 URL(需要 CORS)。
我的配置:
服务器
- spring-boot 1.3.3
客户端
- GWT 1.7
-restygwt 2.0.3
服务器端,我觉得还行
当我在 Spring 中禁用安全性时,我可以在我的 GWT 客户端中获取数据。
但是当我启用它时,我总是收到 401 请求。 REST URL 请求直接在 Web 浏览器中工作(使用其身份验证对话框)。
客户端,我已经关注了这个页面:
https://ronanquillevere.github.io/2014/04/11/restygwt-basic-auth.html
这是我的代码:
在 header
中添加凭据的过滤器public class BasicAuthHeaderDispatcherFilter implements DispatcherFilter {
public static final String AUTHORIZATION_HEADER = "Authorization";
@Override
public boolean filter(Method method, RequestBuilder builder) {
try {
String basicAuthHeaderValue = createBasicAuthHeader(
UserCredentials.INSTANCE.getUserName(),
UserCredentials.INSTANCE.getPassword());
builder.setHeader(AUTHORIZATION_HEADER, basicAuthHeaderValue);
} catch (UnsupportedEncodingException e) {
return false;
}
return true;
}
private String createBasicAuthHeader(String userName, String password)
throws UnsupportedEncodingException {
String credentials = userName + ":" + password;
String encodedCredentials = new String(Base64.encode(credentials
.getBytes()), "UTF-8");
GWT.log("encodedCredentials=["+encodedCredentials+"]");
return " Basic " + encodedCredentials;
}
}
调度员:
public class MyDispatcher extends DefaultFilterawareDispatcher {
public MyDispatcher() {
addFilter(new BasicAuthHeaderDispatcherFilter());
}
}
我的测试电话:
@Override
public void onClick(ClickEvent event) {
Defaults.setDispatcher(new MyDispatcher());
UserCredentials.INSTANCE.setUserName("user");
UserCredentials.INSTANCE.setPassword("psswd");
String url = "http://localhost:8080/race";
Resource resource = new Resource(url);
resource.get().send(new JsonCallback() {
@Override
public void onSuccess(Method method, JSONValue response) {
GWT.log(response.toString());
}
@Override
public void onFailure(Method method, Throwable exception) {
GWT.log("Erreur: ", exception);
}
});
}
现在在 Web 浏览器开发工具中生成 headers。
直接在网络浏览器中:
要求
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate
Accept-Language fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Authorization Basic R3V5OnR5Y29vbg==
Cache-Control max-age=0
Connection keep-alive
Host localhost:8080
User-Agent Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0
回答
Cache-Control no-cache, no-store, max-age=0, must-revalidate
Content-Type application/json;charset=UTF-8
Date Thu, 28 Apr 2016 17:35:31 GMT
Expires 0
Pragma no-cache
Server Apache-Coyote/1.1
Set-Cookie JSESSIONID=A496281DBD6E9B797887B9C34B47DA52; Path=/; HttpOnly
Transfer-Encoding chunked
X-Frame-Options DENY
X-XSS-Protection 1; mode=block
x-content-type-options nosniff
GWT 客户端
要求
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate
Accept-Language fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Access-Control-Request-He... authorization,x-http-method-override
Access-Control-Request-Me... GET
Connection keep-alive
Host localhost:8080
Origin http://127.0.0.1:8888
User-Agent Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0
回答
Access-Control-Allow-Cred... true
Access-Control-Allow-Orig... http://127.0.0.1:8888
Allow GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
Cache-Control no-cache, no-store, max-age=0, must-revalidate
Content-Length 0
Date Thu, 28 Apr 2016 17:43:29 GMT
Expires 0
Pragma no-cache
Server Apache-Coyote/1.1
Set-Cookie JSESSIONID=4D80D0C0FA9E27D166F6489CC88C3E45; Path=/; HttpOnly
Vary Origin
WWW-Authenticate Basic realm="Realm"
X-Frame-Options DENY
X-XSS-Protection 1; mode=block
access-control-allow-head... authorization, x-http-method-override
access-control-allow-meth... GET
x-content-type-options nosniff
我注意到两件事:
- 在 gwt header 请求中,我没有授权值。但是在控制台日志中,我有一条跟踪记录,确认我的过滤器已被触发。
- 仅使用 firefox,当我执行请求时,firebug 捕获 2 个网络 paquets,第一个具有授权值但没有答案,第二个是我上面描述的结果。
感谢您的帮助。
已解决。
我的服务器拒绝网络浏览器提交的飞行前请求。
我在我的服务器中添加了一个 CorsFilter,它忽略了 OPTIONS 请求
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
HttpServletResponse theResponse = (HttpServletResponse) response;
HttpServletRequest theRequest = (HttpServletRequest) request;
theResponse.setHeader("Access-Control-Allow-Origin", theRequest.getHeader("Origin"));
if ("OPTIONS".equalsIgnoreCase(theRequest.getMethod())) {
theResponse.setHeader("Access-Control-Allow-Credentials", "true");
theResponse.setHeader("Access-Control-Allow-Methods", "POST, GET, HEAD, OPTIONS, DELETE");
theResponse.setHeader("Access-Control-Allow-Headers", "Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization, X-HTTP-Method-Override");
}else{
chain.doFilter(request, response);
}
}