I have a REST based web service running in my Tomcat Java EE servlet container.
I am writing a jQuery client that is from another domain and is therefore using CORS. It hits the login web service, followed by another call. I originally implemented these two calls using getJSON and the calls were working fine, but I wasn't getting the JSESSIONID cookie to stay on the second call, so the web service had an unauthenticated session and threw an error.
After doing research, I ran across doing ajax withCredentials and thought that this is what I needed to do. The AJAX login call failed in preflight.
So, when I sniff the traffic to my webserver, the getJSON calls run as two GETs and look fine except that the cookie doesn't come back with the second call. When I run the ajax call, it does an OPTIONS call to my server, gets a 200 status back on the client and then fails inside of jQuery for reasons I can't seem to find.
var jqxhr = jQuery.getJSON(loginUrl, {
        xhrFields: {
            withCredentials: true
        },
        crossDomain: true
    })
    .done(function(response) {
        AgileJurySessionKey = response;
        AgileJuryLoggedIn = true;
        doneCallback();
    })
    .fail(function() {
        failCallback();
    });
Here is the AJAX version of the same call:
jQuery.ajax(loginUrl, {
    type: "GET",
    contentType: "application/json; charset=utf-8",
    success: function(data, status, xhr) {
        alert(data);
        doneCallback();   // must be invoked, not just referenced
    },
    error: function(jqxhr, textStatus, errorThrown) {
        alert(errorThrown);
        failCallback();   // must be invoked, not just referenced
    },
    xhrFields: {
        withCredentials: true
    },
    crossDomain: true
});
What's different between these two?
Here's the filter I put in to the web server for CORS:
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.filter.OncePerRequestFilter;

/**
 * This filter allows access to our web services from clients that are not on the local domain
 *
 * @author Xerox
 */
public class CorsFilter extends OncePerRequestFilter {

    /* (non-Javadoc)
     * @see org.springframework.web.filter.OncePerRequestFilter#doFilterInternal(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.servlet.FilterChain)
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        // Wildcard origin: applied to every response, preflight or not
        response.addHeader("Access-Control-Allow-Origin", "*");
        if (request.getHeader("Access-Control-Request-Method") != null && "OPTIONS".equals(request.getMethod())) {
            // CORS "pre-flight" request
            response.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
            response.addHeader("Access-Control-Allow-Headers", "X-Requested-With,Origin,Content-Type,Accept,Set-Cookie");
            response.addHeader("Access-Control-Max-Age", "1800"); // 30 min
        }
        filterChain.doFilter(request, response);
    }
}
edited Jul 18, 2013 at 14:06
Arjan Tijms
asked Jul 17, 2013 at 16:09
Thom
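The preflight failure described above, as an added example that is not code from the question or the answers: a JavaScript model of the header decision behind the page's Java CorsFilter, with a credential-aware variant beside it. A browser rejects a withCredentials response whose Access-Control-Allow-Origin is `*` or that lacks `Access-Control-Allow-Credentials: true`, so the server has to echo a specific, allow-listed origin; the allow-list, the request objects and the `browserAccepts` helper are constructed for illustration.

```javascript
// Added example, not the question's or answers' code. The allow-list origin
// and request objects below are constructed for illustration.
const ALLOWED_ORIGINS = new Set(["https://client.example"]); // assumed allow-list

// What the page's filter emits: wildcard origin on every response and no
// Access-Control-Allow-Credentials. Fine for anonymous calls, rejected by the
// browser once the client sets withCredentials: true.
function pageFilterHeaders(req) {
  const h = { "Access-Control-Allow-Origin": "*" };
  if (req.method === "OPTIONS" && req.headers["access-control-request-method"]) {
    h["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE";
    h["Access-Control-Allow-Headers"] = "X-Requested-With,Origin,Content-Type,Accept";
    h["Access-Control-Max-Age"] = "1800";
  }
  return h;
}

// Credential-aware variant: echo only an allow-listed Origin (never "*"),
// opt in explicitly with Allow-Credentials, and tell caches the answer
// depends on Origin. Unknown origins get no CORS headers at all.
function credentialedHeaders(req) {
  const origin = req.headers["origin"];
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  const h = {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
  if (req.method === "OPTIONS" && req.headers["access-control-request-method"]) {
    h["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE";
    // Set-Cookie is a response header; listing it here (as the page's filter does) has no effect
    h["Access-Control-Allow-Headers"] = "X-Requested-With,Content-Type,Accept";
    h["Access-Control-Max-Age"] = "1800";
  }
  return h;
}

// Simplified browser-side rule: without credentials "*" or an exact match is
// enough; with credentials the origin must match exactly and Allow-Credentials
// must be "true". Returns true if the browser would hand the response to JS.
function browserAccepts(origin, headers, withCredentials) {
  const allowOrigin = headers["Access-Control-Allow-Origin"];
  if (!withCredentials) return allowOrigin === "*" || allowOrigin === origin;
  return allowOrigin === origin && headers["Access-Control-Allow-Credentials"] === "true";
}

// Constructed preflight, as the jQuery.ajax call in the question triggers it.
const preflight = { method: "OPTIONS", headers: {
  origin: "https://client.example", "access-control-request-method": "GET" } };
```

Run `browserAccepts("https://client.example", pageFilterHeaders(preflight), true)` to reproduce the rejection, then the same call with `credentialedHeaders` to see it pass.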
3 Answers
jQuery.getJSON(loginUrl, { xhrFields: { withCredentials: true }, crossDomain: true })
The second parameter of $.getJSON is the data you want to send, not an options object. To use those, you will need to call $.ajax directly.
getJSON isn't really a method; it's just a convenience function that is basically a shortcut for:
$.ajax({
    dataType: "json",
});
So basically, $.getJSON() should behave the same as $.ajax() with the dataType set to "json".
Due to continual issues with CORS, I finally gave up on this one as intractable and worked the problem from the other end.
I used a session key coming back to track the length of the session and then re-attaching security based on this, which is how I'd designed security to work in the first place.