apache - 绕过 "Options request"的身份验证(因此所有 header 都在响应中发送)

Question

这是在跨域资源共享的背景下。对于预检请求，服务器不会发送 header 集。
当“选项请求”未传递有效 cookie 时，其响应中的服务器不会发送我设置的 header ，但是，它会发送“200 OK”。我用 curl 检查了这个，如下所示(显然，我在这里用一个虚拟的“xyzabcde”替换了我的有效cookie)

没有 cookie 的 curl 请求:

curl -H "Origin: app2_url"   -H "Access-Control-Request-Method: POST"   -H "Access-Control-Request-Headers: accept, origin, content-type"   -X OPTIONS --verbose   app1_url/jsonrpc.cgi

(发送以下回复...)

HTTP/1.1 200 OK
Date: Tue, 01 Oct 2013 11:37:36 GMT
Server: Apache
Expires: Tue, 01 Oct 2013 11:37:36 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Expires: Tue, 01 Oct 2013 11:37:36 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 4531
Content-Type: text/html; charset=utf-8

使用“-H Cookie:xyzabcde”:

curl -H "Origin: app2_url"   -H "Access-Control-Request-Method: POST"   -H "Access-Control-Request-Headers: accept, origin, content-type" "-H Cookie:xyzabcde"  -X OPTIONS --verbose   app1_url/jsonrpc.cgi

(发送以下回复...)

HTTP/1.1 403 Forbidden
Date: Wed, 02 Oct 2013 18:48:34 GMT
Server: Apache
X-frame-options: ALLOW-FROM app2_url
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: accept, origin, content-type, Man, Messagetype, Soapaction, X-Requested-With
Access-Control-Allow-Methods: GET, POST, HEAD, PUT, OPTIONS
Access-Control-Allow-Origin: app2_url
Access-Control-Max-Age: 1800
Transfer-Encoding: chunked
Content-Type: application/json; charset=UTF-8

apache 配置看起来像......

<VirtualHost *:443>
.
.
Header always set X-Frame-Options "ALLOW-FROM app2_url"
Header  always set  Access-Control-Allow-Credentials "true"
Header  always set  Access-Control-Allow-Headers    "accept, origin, content-type, Man, Messagetype, Soapaction, X-Requested-With"
Header  always set  Access-Control-Allow-Methods    "GET, POST, HEAD, PUT, OPTIONS"
Header  always set  Access-Control-Allow-Origin    "app2_url"
Header  always set  Access-Control-Max-Age  "1800"
.
.
.
<Directory /app1/dir/>      
    Options Includes FollowSymLinks ExecCGI MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
    AuthType Net
    PubcookieInactiveExpire -1
    PubcookieAppID app1.company.com
    require valid-user
</Directory>
.
.
</VirtualHost>

如何使所有 header 都发送以响应未经身份验证的请求？
我想，理想情况下，Options 请求应该不需要任何身份验证。

Answer 1

我们用不同的配置解决了这个问题。下面是来自/usr/local/apache/conf/extra 的 myApplication.conf 文件的片段

    <Location "/myService">
      SetEnvIf Request_URI "/healthCheck" REDIRECT_noauth=1
      SetEnvIf Request_Method "OPTIONS" REDIRECT_noauth=1
      AuthType Basic
      AuthName "myService"
      AuthUserFile /usr/local/apache/conf/passwd/passwords
      AuthGroupFile /usr/local/apache/conf/passwd/groups
      Require group GroupName
      Order allow,deny
      Allow from env=REDIRECT_noauth
      Satisfy any
   </Location>

因此，我们可以绕过身份验证:

基于特定的 URI，在上面的例子中/healthCheck 被绕过

基于 HTTP 方法，在上面的例子中 OPTIONS 被绕过，其他 HTTP 方法会提示 auth

希望它可以帮助某人解决问题。