Warning: file_get_contents(/data/phpspider/zhask/data//catemap/6/apache/9.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
Apache 绕过“的身份验证”;“选择请求”;(因此所有头都在响应中发送)_Apache_Configuration_Http Headers_Cross Domain_Cors - Fatal编程技术网
Fatal编程技术网
  • apache/
  • Apache 绕过“的身份验证”;“选择请求”;(因此所有头都在响应中发送)

Apache 绕过“的身份验证”;“选择请求”;(因此所有头都在响应中发送)

apache configuration cors

Apache 绕过“的身份验证”;“选择请求”;(因此所有头都在响应中发送),apache,configuration,http-headers,cross-domain,cors,Apache,Configuration,Http Headers,Cross Domain,Cors,这是在跨来源资源共享的背景下进行的。对于飞行前请求,服务器未发送标题集。 当一个有效的cookie没有通过“选项请求”时,它的响应中的服务器没有发送我设置的头,但是,它发送的是“200OK”。我用curl检查了这一点,如下所示(显然,我用一个虚拟的“xyzabcde”替换了我的有效cookie) 不带cookie的curl请求: curl -H "Origin: app2_url" -H "Access-Control-Request-Method: POST" -H "Access-C

这是在跨来源资源共享的背景下进行的。对于飞行前请求,服务器未发送标题集。 当一个有效的cookie没有通过“选项请求”时,它的响应中的服务器没有发送我设置的头,但是,它发送的是“200OK”。我用curl检查了这一点,如下所示(显然,我用一个虚拟的“xyzabcde”替换了我的有效cookie)

不带cookie的curl请求:

curl -H "Origin: app2_url"   -H "Access-Control-Request-Method: POST"   -H "Access-Control-Request-Headers: accept, origin, content-type"   -X OPTIONS --verbose   app1_url/jsonrpc.cgi
(在下面发送响应…)

使用“-H Cookie:xyzabcde”:

(在下面发送响应…)

apache配置看起来像

<VirtualHost *:443>
.
.
Header always set X-Frame-Options "ALLOW-FROM app2_url"
Header  always set  Access-Control-Allow-Credentials "true"
Header  always set  Access-Control-Allow-Headers    "accept, origin, content-type, Man, Messagetype, Soapaction, X-Requested-With"
Header  always set  Access-Control-Allow-Methods    "GET, POST, HEAD, PUT, OPTIONS"
Header  always set  Access-Control-Allow-Origin    "app2_url"
Header  always set  Access-Control-Max-Age  "1800"
.
.
.
<Directory /app1/dir/>      
    Options Includes FollowSymLinks ExecCGI MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
    AuthType Net
    PubcookieInactiveExpire -1
    PubcookieAppID app1.company.com
    require valid-user
</Directory>
.
.
</VirtualHost>


.
.
标题始终设置X-Frame-Options“允许来自app2\u url”
标头始终将访问控制允许凭据设置为“true”
Header始终设置访问控制允许Header“接受、来源、内容类型、Man、Messagetype、Soapaction、X-Requested-With”
Header始终设置访问控制允许方法“GET、POST、HEAD、PUT、OPTIONS”
标头始终设置访问控制允许源“app2\u url”
标题始终设置访问控制最大年龄“1800”
.
.
.
选项包括以下符号链接执行CGI多视图
不允许超限
命令允许,拒绝
通融
AuthType网络
PubCookieVeExpire-1
PubcookieAppID app1.company.com
需要有效用户
.
.
如何使所有标头发送以响应未经验证的请求? 我想,理想情况下,选项请求应该不需要任何身份验证

“LimitExcept”指令解决了这个问题。事实上,在发布问题之前,我尝试了指令,但是之前的错误是将前两行(“选项包括…”和“Alowoverride…”)包含在“LimitExcept”块中


选项包括以下符号链接执行CGI多视图
不允许超限
命令允许,拒绝
通融
AuthType网络
PubCookieVeExpire-1
PubcookieAppID app1.company.com
需要有效用户

# 我们用不同的配置解决了这个问题。下面是myApplication.conf文件的代码段,位于/usr/local/apache/conf/extra


    <Location "/myService">
      SetEnvIf Request_URI "/healthCheck" REDIRECT_noauth=1
      SetEnvIf Request_Method "OPTIONS" REDIRECT_noauth=1
      AuthType Basic
      AuthName "myService"
      AuthUserFile /usr/local/apache/conf/passwd/passwords
      AuthGroupFile /usr/local/apache/conf/passwd/groups
      Require group GroupName
      Order allow,deny
      Allow from env=REDIRECT_noauth
      Satisfy any
   </Location>




SetEnvIf请求\u URI“/healthCheck”重定向\u noauth=1
SetEnvIf请求\u方法“选项”重定向\u noauth=1
AuthType Basic
AuthName“myService”
AuthUserFile/usr/local/apache/conf/passwd/passwords
AuthGroupFile/usr/local/apache/conf/passwd/groups
需要组GroupName
命令允许,拒绝
允许来自环境=重定向\u noauth
满足任何


因此,我们可以绕过身份验证:


    

  • 基于特定的URI,在上面的示例中,绕过了/healthCheck
    • 

  • 基于HTTP方法,在上面的示例中,绕过选项,并提示auth使用其他HTTP方法
    • 



希望它能帮助解决问题。
这里有语法错误。节应以结尾。在本例中,它缺少“/”。

HTTP/1.1 403 Forbidden
Date: Wed, 02 Oct 2013 18:48:34 GMT
Server: Apache
X-frame-options: ALLOW-FROM app2_url
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: accept, origin, content-type, Man, Messagetype, Soapaction, X-Requested-With
Access-Control-Allow-Methods: GET, POST, HEAD, PUT, OPTIONS
Access-Control-Allow-Origin: app2_url
Access-Control-Max-Age: 1800
Transfer-Encoding: chunked
Content-Type: application/json; charset=UTF-8



<VirtualHost *:443>
.
.
Header always set X-Frame-Options "ALLOW-FROM app2_url"
Header  always set  Access-Control-Allow-Credentials "true"
Header  always set  Access-Control-Allow-Headers    "accept, origin, content-type, Man, Messagetype, Soapaction, X-Requested-With"
Header  always set  Access-Control-Allow-Methods    "GET, POST, HEAD, PUT, OPTIONS"
Header  always set  Access-Control-Allow-Origin    "app2_url"
Header  always set  Access-Control-Max-Age  "1800"
.
.
.
<Directory /app1/dir/>      
    Options Includes FollowSymLinks ExecCGI MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
    AuthType Net
    PubcookieInactiveExpire -1
    PubcookieAppID app1.company.com
    require valid-user
</Directory>
.
.
</VirtualHost>



<Directory /app1/dir/>      
  Options Includes FollowSymLinks ExecCGI MultiViews
  AllowOverride None
  <LimitExcept OPTIONS>
    Order allow,deny
    allow from all
    AuthType Net
    PubcookieInactiveExpire -1
    PubcookieAppID app1.company.com
    require valid-user
  </LimitExcept> #<- syntax error fixed.
</Directory>



    <Location "/myService">
      SetEnvIf Request_URI "/healthCheck" REDIRECT_noauth=1
      SetEnvIf Request_Method "OPTIONS" REDIRECT_noauth=1
      AuthType Basic
      AuthName "myService"
      AuthUserFile /usr/local/apache/conf/passwd/passwords
      AuthGroupFile /usr/local/apache/conf/passwd/groups
      Require group GroupName
      Order allow,deny
      Allow from env=REDIRECT_noauth
      Satisfy any
   </Location>