[英]Azure API Management - CORS issue
在 Azure API 管理的最頂層提供以下 CORS 策略:
<policies>
<inbound>
<cors>
<allowed-origins>
<origin>*</origin>
</allowed-origins>
<allowed-methods>
<method>*</method>
</allowed-methods>
<allowed-headers>
<header>*</header>
</allowed-headers>
<expose-headers>
<header>*</header>
</expose-headers>
</cors>
</inbound>
<backend>
<forward-request />
</backend>
<outbound />
</policies>
使用時:
var xhr = new XMLHttpRequest();
xhr.open('GET', 'https://mydomain.azure-api.net/calc/add?a=5&b=5');
xhr.send();
原始請求:
GET https://mydomain.azure-api.net/calc/add?a=5&b=5 HTTP/1.1
Host: mydomain.azure-api.net
Connection: keep-alive
Origin: https://any.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36
Accept: */*
Referer: https://any.com/
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8,de;q=0.6,pl;q=0.4
我收到錯誤消息:
XMLHttpRequest cannot load https://mydomain.azure-api.net/calc/add?a=5&b=5. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://any.com' is therefore not allowed access. The response had HTTP status code 401.
原始回復:
HTTP/1.1 401 Access Denied
Content-Length: 152
Content-Type: application/json
WWW-Authenticate: AzureApiManagementKey realm="https://mydomain.azure-api.net/calc",name="Ocp-Apim-Subscription-Key",type="header"
Date: Fri, 04 Nov 2016 09:31:15 GMT
{ "statusCode": 401, "message": "Access denied due to missing subscription key. Make sure to include subscription key when making requests to an API." }
只要我使用正確的 api 密鑰:
var xhr = new XMLHttpRequest();
xhr.open('GET', 'https://mydomain.azure-api.net/calc/add?a=5&b=5');
xhr.setRequestHeader('Ocp-Apim-Subscription-Key', '**********************');
xhr.send();
原始請求:
GET https://mydomain.azure-api.net/calc/add?a=5&b=5 HTTP/1.1
Host: mydomain.azure-api.net
Connection: keep-alive
Origin: https://any.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36
Ocp-Apim-Subscription-Key: **********************
Accept: */*
Referer: https://any.com/
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8,de;q=0.6,pl;q=0.4
我收到成功消息。
原始回復:
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 123
Content-Type: application/xml; charset=utf-8
Expires: -1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Date,Server,X-AspNet-Version,X-Powered-By
Date: Fri, 04 Nov 2016 09:34:44 GMT
<result><value>10</value><broughtToYouBy>Azure API Management - http://azure.microsoft.com/apim/ </broughtToYouBy></result>
問題:
在我看來,CORS 問題僅在提供不正確/未提供 API 密鑰時才會發生,這是 Azure API 管理的預期行為嗎?
簡而言之,是的,我不確定顯示的是正確的錯誤消息,但是 API 管理解決方案像普通 API 一樣基於訂閱 ID 和密鑰,因此當您未傳遞所需信息時,我不希望它起作用通過。
這也發生在不同的實例中。 我試圖訪問錯誤的端點,但仍然在瀏覽器上收到相同的 CORS 問題。 當我通過 Postman 嘗試相同的調用時,它給了我 Resource not found 異常。 資源未找到/無效的 JWT/JWT 驗證失敗都在 console.logs 中給出了 CORS 錯誤。 它確實正確地給出了未經授權的錯誤或正確地給出了 500 個內部錯誤。 我驗證了 Postman 上的實際響應,然后嘗試修復它。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.