如何验证apache 允许OPTIONS方法
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了如何验证apache 允许OPTIONS方法相关的知识,希望对你有一定的参考价值。
如何配置apache禁用OPTIONS方法,并如何验证apache是否已禁用允许OPTIONS方法,请高手指点
参考技术A 配置有两种方法如下:在httpd.conf文件中添加
<Location />
<Limit OPTIONS>
Deny from all
</Limit>
</Location>
或者采用rewrite模块后
RewriteEngine on
RewriteCond %REQUEST_METHOD ^(OPTIONS)
RewriteRule .* - [F]
添加后重启
验证方法如下:
$telnet 10.*.*.* 80 <telnet 本机IP apache端口>
Trying 10.*.*.*...
Connected to 10.194.177.187.
Escape character is '^]'.
OPTIONS / HTTP 1.1 <输入后,两次回车,返回如下>
HTTP/1.1 200 OK
Date: Tue, 25 Feb 2014 09:09:31 GMT
Server: IBM_HTTP_Server
Allow: GET,HEAD,POST,OPTIONS,TRACE <显示当前方法/漏洞>
Content-Length: 0
Connection: close
Content-Type: text/html
Connection closed by foreign host.
这个验证方法试过最好用的,成功了一定要好评哦亲
Spring Security Jwt Token在请求表单角度时允许所有Options方法
我不知道出了什么问题,我在网上到处检查,看起来和我一样,但是我遇到了这个问题:
我正在使用HttpClient和Angular拦截器向SetHeader请求My Angular应用程序,因为我的Java Rest API正在使用JWT进行身份验证,并且在标头中需要一个令牌,因此它将获取并验证用户请求,因为Angular拦截器无法正常工作。我在Java端获取null作为标记并出现错误。请帮我解决一下这个。
最后我发现它可能是spring security的问题,因为我调试并发现选项请求所有过滤器并且它没有头,所以它显示令牌并抛出异常,如果选项方法请求绕过并允许那么可能是我的问题将解决
Spring启动安全配置
package com.techprimers.security.jwtsecurity.config;
import com.techprimers.security.jwtsecurity.security.JwtAuthenticationEntryPoint;
import com.techprimers.security.jwtsecurity.security.JwtAuthenticationProvider;
import com.techprimers.security.jwtsecurity.security.JwtAuthenticationTokenFilter;
import com.techprimers.security.jwtsecurity.security.JwtSuccessHandler;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import java.util.Collections;
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableWebSecurity
@Configuration
public class JwtSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private JwtAuthenticationProvider authenticationProvider;
@Autowired
private JwtAuthenticationEntryPoint entryPoint;
@Bean
public AuthenticationManager authenticationManager() {
return new ProviderManager(Collections.singletonList(authenticationProvider));
}
@Bean
public JwtAuthenticationTokenFilter authenticationTokenFilter() {
JwtAuthenticationTokenFilter filter = new JwtAuthenticationTokenFilter();
filter.setAuthenticationManager(authenticationManager());
filter.setAuthenticationSuccessHandler(new JwtSuccessHandler());
return filter;
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers(HttpMethod.OPTIONS, "/**");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests().antMatchers("**/rest/**").authenticated()
.and()
.exceptionHandling().authenticationEntryPoint(entryPoint)
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.addFilterBefore(authenticationTokenFilter(), UsernamePasswordAuthenticationFilter.class);
http.headers().cacheControl();
}
}
角度拦截器代码
import { Injectable } from '@angular/core';
import { HttpRequest, HttpHandler, HttpEvent, HttpInterceptor } from '@angular/common/http';
import { Observable } from 'rxjs';
@Injectable()
export class JwtInterceptor implements HttpInterceptor {
intercept(request: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
// add authorization header with jwt token if available
console.log("i am inside");
request = request.clone({
setHeaders: {
Accept: 'application/json',
Authorization: `Bearer ${localStorage.getItem('token')}`
}
});
return next.handle(request);
}
}
角度服务
import { Injectable } from '@angular/core';
import { HttpClient } from '@angular/common/http';
import { Observable } from 'rxjs';
@Injectable({
providedIn: 'root'
})
export class ServiceService {
constructor(private http: HttpClient) { }
api_user_url = 'http://localhost:8095';
getAllApiUsers(): Observable<any> {
return this.http.get(this.api_user_url + "/allUser");
}
setUserLogin(obj):Observable<any>{
return this.http.post(this.api_user_url +"/login", obj);
}
}
CallIng方法
public getAllUserList() {
console.log("I am calling");
this.service.getAllApiUsers()
.subscribe(data => {
this.alluser = data;
console.log(data);
})
}
浏览器网络
令牌的本地存储
Browser Console错误消息
Spring Boot Java控制台错误
角度拦截器看起来不错,但在浏览器控制台中有CORS policy
错误。您的角应用程序在端口4200
上运行,您的后端在8095
(不同的主机)上运行。
我不知道spring-boot
,但在审阅文档后,您应该在后端应用程序中添加一些cors策略(对于生产和开发环境而言不同):
更多你可以在这里阅读:https://spring.io/guides/gs/rest-service-cors/
现在你的/allUser
请求没有发送...删除CORS问题后,一切都应该正常工作
以上是关于如何验证apache 允许OPTIONS方法的主要内容,如果未能解决你的问题,请参考以下文章
Spring Security Jwt Token在请求表单角度时允许所有Options方法
如何配置 Apache 让 PHP 处理 OPTIONS HTTP 请求? [关闭]