Angularjs Yii2休息时间+;角跨域CORS
我开发了Angular&Yii2休息服务。有跨领域的问题。 下面添加我的angular&Yii2 REST代码 AngularJs:(像“”,“”,…) 我的角度控制器请求:Angularjs Yii2休息时间+;角跨域CORS,angularjs,rest,yii2,yii2-advanced-app,yii-components,Angularjs,Rest,Yii2,Yii2 Advanced App,Yii Components,我开发了Angular&Yii2休息服务。有跨领域的问题。 下面添加我的angular&Yii2 REST代码 AngularJs:(像“”,“”,…) 我的角度控制器请求: apiURL = 'http://api.example.com'; $http.get(apiURL + '/roles') .success(function (roles) { }) .error(function () { }); use yii\filters\Cors; ... publi
apiURL = 'http://api.example.com';
$http.get(apiURL + '/roles')
.success(function (roles) { })
.error(function () { });
use yii\filters\Cors;
...
public function behaviors()
{
return array_merge([
'cors' => [
'class' => Cors::className(),
#special rules for particular action
'actions' => [
'your-action-name' => [
#web-servers which you alllow cross-domain access
'Origin' => ['*'],
'Access-Control-Request-Method' => ['POST'],
'Access-Control-Request-Headers' => ['*'],
'Access-Control-Allow-Credentials' => null,
'Access-Control-Max-Age' => 86400,
'Access-Control-Expose-Headers' => [],
]
],
#common rules
'cors' => [
'Origin' => [],
'Access-Control-Request-Method' => [],
'Access-Control-Request-Headers' => [],
'Access-Control-Allow-Credentials' => null,
'Access-Control-Max-Age' => 0,
'Access-Control-Expose-Headers' => [],
]
],
], parent::behaviors());
}
use yii\filters\auth\HttpBasicAuth;
public function behaviors()
{
$behaviors = parent::behaviors();
// remove authentication filter
$auth = $behaviors['authenticator'];
unset($behaviors['authenticator']);
// add CORS filter
$behaviors['corsFilter'] = [
'class' => \yii\filters\Cors::className(),
];
// re-add authentication filter
$behaviors['authenticator'] = $auth;
// avoid authentication on CORS-pre-flight requests (HTTP OPTIONS method)
$behaviors['authenticator']['except'] = ['options'];
return $behaviors;
}
Yii2.htaccess:(RESTURL类似“”)
我的行为:
public function behaviors() {
$behaviors = parent::behaviors();
$behaviors['corsFilter'] = [
'class' => Cors::className(),
'cors' => [
'Origin' => ['*'],
'Access-Control-Expose-Headers' => [
'X-Pagination-Per-Page',
'X-Pagination-Total-Count',
'X-Pagination-Current-Page',
'X-Pagination-Page-Count',
],
],
];
$behaviors['authenticator'] = [
'class' => HttpBearerAuth::className(),
'except' => ['options'],
];
$behaviors['contentNegotiator'] = [
'class' => ContentNegotiator::className(),
'formats' => [
'application/json' => Response::FORMAT_JSON,
],
];
return $behaviors;
}
问题
从我的角度来看,请求是'GET'方法,但它将使用'OPTIONS'方法并返回401个未授权错误(CORS)。因为请求授权标头未发送。在控制器中:
apiURL = 'http://api.example.com';
$http.get(apiURL + '/roles')
.success(function (roles) { })
.error(function () { });
use yii\filters\Cors;
...
public function behaviors()
{
return array_merge([
'cors' => [
'class' => Cors::className(),
#special rules for particular action
'actions' => [
'your-action-name' => [
#web-servers which you alllow cross-domain access
'Origin' => ['*'],
'Access-Control-Request-Method' => ['POST'],
'Access-Control-Request-Headers' => ['*'],
'Access-Control-Allow-Credentials' => null,
'Access-Control-Max-Age' => 86400,
'Access-Control-Expose-Headers' => [],
]
],
#common rules
'cors' => [
'Origin' => [],
'Access-Control-Request-Method' => [],
'Access-Control-Request-Headers' => [],
'Access-Control-Allow-Credentials' => null,
'Access-Control-Max-Age' => 0,
'Access-Control-Expose-Headers' => [],
]
],
], parent::behaviors());
}
use yii\filters\auth\HttpBasicAuth;
public function behaviors()
{
$behaviors = parent::behaviors();
// remove authentication filter
$auth = $behaviors['authenticator'];
unset($behaviors['authenticator']);
// add CORS filter
$behaviors['corsFilter'] = [
'class' => \yii\filters\Cors::className(),
];
// re-add authentication filter
$behaviors['authenticator'] = $auth;
// avoid authentication on CORS-pre-flight requests (HTTP OPTIONS method)
$behaviors['authenticator']['except'] = ['options'];
return $behaviors;
}
更新: 正如@jlaputre所指出的,这一点现在得到了很好的描述: 将跨源资源共享筛选器添加到控制器是一项复杂的任务 比添加上述其他过滤器更复杂, 因为认证之前必须应用CORS筛选器 方法,因此与其他方法相比,需要稍微不同的方法 过滤器。还必须为CORS飞行前禁用身份验证 请求,以便浏览器可以安全地确定请求是否可以 无需发送身份验证就可以提前完成 资格证书下面显示了添加 yii\filters\Cors筛选器到扩展自 yii\rest\ActiveController:
apiURL = 'http://api.example.com';
$http.get(apiURL + '/roles')
.success(function (roles) { })
.error(function () { });
use yii\filters\Cors;
...
public function behaviors()
{
return array_merge([
'cors' => [
'class' => Cors::className(),
#special rules for particular action
'actions' => [
'your-action-name' => [
#web-servers which you alllow cross-domain access
'Origin' => ['*'],
'Access-Control-Request-Method' => ['POST'],
'Access-Control-Request-Headers' => ['*'],
'Access-Control-Allow-Credentials' => null,
'Access-Control-Max-Age' => 86400,
'Access-Control-Expose-Headers' => [],
]
],
#common rules
'cors' => [
'Origin' => [],
'Access-Control-Request-Method' => [],
'Access-Control-Request-Headers' => [],
'Access-Control-Allow-Credentials' => null,
'Access-Control-Max-Age' => 0,
'Access-Control-Expose-Headers' => [],
]
],
], parent::behaviors());
}
use yii\filters\auth\HttpBasicAuth;
public function behaviors()
{
$behaviors = parent::behaviors();
// remove authentication filter
$auth = $behaviors['authenticator'];
unset($behaviors['authenticator']);
// add CORS filter
$behaviors['corsFilter'] = [
'class' => \yii\filters\Cors::className(),
];
// re-add authentication filter
$behaviors['authenticator'] = $auth;
// avoid authentication on CORS-pre-flight requests (HTTP OPTIONS method)
$behaviors['authenticator']['except'] = ['options'];
return $behaviors;
}
旧答案(已弃用) 与
parent::behaviors()
合并时存在排序问题。全部细节
我建议在与父数组合并时不要定义键:
public function behaviors()
{
return \yii\helpers\ArrayHelper::merge([
[
'class' => \yii\filters\Cors::className(),
'cors' => [...],
],
[
'class' => \yii\filters\auth\HttpBearerAuth::className(),
'except' => ['options'],
],
[
'class' => ContentNegotiator::className(),
'formats' => [...],
]
], parent::behaviors());
}
问题与您的代码,您并没有取消身份验证在一开始
public function behaviors() {
$behaviors = parent::behaviors();
/*unset here*/
unset($behaviors['authenticator']);
$behaviors['corsFilter'] = [
'class' => Cors::className(),
'cors' => [
'Origin' => ['*'],
'Access-Control-Expose-Headers' => [
'X-Pagination-Per-Page',
'X-Pagination-Total-Count',
'X-Pagination-Current-Page',
'X-Pagination-Page-Count',
],
],
];
/*re-set here*/
$behaviors['authenticator'] = [
'class' => HttpBearerAuth::className(),
'except' => ['options'],
];
$behaviors['contentNegotiator'] = [
'class' => ContentNegotiator::className(),
'formats' => [
'application/json' => Response::FORMAT_JSON,
],
];
return $behaviors;
}这里已经清楚地记录了这一点:-只需遵循此指南,它就会起作用。小结:确保身份验证在CORS行为之后,并始终从身份验证中排除选项。