


A CORS POST request (AJAX) made by my client server (running on Apache @ port 443) to my REST server (running on Tomcat @ port 8443), fails to trigger when tried over HTTPS.


Please note that all the requests function properly without SSL.


I have already set the withCredentials: true options in the request fields. And my Tomcat server also takes care of the appropriate headers:

response.addHeader("Access-Control-Allow-Origin", "https://localhost");
response.addHeader("Access-Control-Allow-Credentials", "true");
response.addHeader("Access-Control-Allow-Headers", "Content-Type");
response.addHeader("Access-Control-Allow-Methods", "OPTIONS, POST");


I also tried using Curl, but the issue persisted over SSL. However, the Tomcat server responds to all my requests when tried directly over Postman/through the browser.


Could someone tell me what I'm missing out here?



I'm assuming this is an issue with the preflight request. There are two types of CORS requests: simple, and not-so-simple.


The simple kind is either a GET or POST with no custom headers whose content type is "text/plain".


The not-so-simple kind is any request using custom headers, utilising request methods other than POST or GET, and using different content body types. These requests will be "preflighted"; that is, the browser will make a preflight request on the client's behalf in order to determine whether or not the server will allow this request. The preflight request uses the OPTIONS method. I'm willing to bet if you use something like Firebug to have a look what's going on you'll see something like this in the Net tab: "OPTIONS activity" with a status of "Aborted".


Unfortunately the preflight request doesn't pass the client certificate to the server, which is why your request is failing to trigger. You need to disable two-way SSL in order to get it working. In Apache you can try changing the SSLVerifyClient to:

SSLVerifyClient optional


I've used this before in order to get my cross domain AJAX calls working over HTTPS.
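Once client certificates are optional at the TLS layer, as the answer above suggests, requests that carry no certificate reach the application, so the certificate has to be enforced there for everything except the preflight. The following is an added example, not code from the question or the answer: a servlet filter (hypothetical class name) that reuses the origin and header values from the question. It assumes the javax.servlet API and that TLS terminates where the container can expose the verified chain as the `javax.servlet.request.X509Certificate` request attribute.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical class name), not code from the original post.
public class PreflightAwareClientCertFilter implements Filter {
    // Origin copied from the question's Access-Control-Allow-Origin header.
    private static final String ALLOWED_ORIGIN = "https://localhost";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        boolean trustedOrigin = ALLOWED_ORIGIN.equals(req.getHeader("Origin"));

        if (trustedOrigin) {
            res.setHeader("Access-Control-Allow-Origin", ALLOWED_ORIGIN);
            res.setHeader("Access-Control-Allow-Credentials", "true");
            res.setHeader("Vary", "Origin");
        }
        // A preflight is an OPTIONS request carrying Access-Control-Request-Method.
        // Browsers send it without credentials, so no client certificate is expected.
        boolean preflight = "OPTIONS".equals(req.getMethod())
                && req.getHeader("Access-Control-Request-Method") != null;
        if (preflight) {
            if (!trustedOrigin) { res.sendError(HttpServletResponse.SC_FORBIDDEN); return; }
            res.setHeader("Access-Control-Allow-Methods", "OPTIONS, POST");
            res.setHeader("Access-Control-Allow-Headers", "Content-Type");
            res.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return; // answered here; the preflight never reaches application code
        }
        // Every other request must still arrive with a verified client certificate.
        X509Certificate[] certs = (X509Certificate[])
                req.getAttribute("javax.servlet.request.X509Certificate");
        if (certs == null || certs.length == 0) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate required");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

On containers that use the jakarta.servlet namespace, the imports and the attribute name change to `jakarta.servlet.request.X509Certificate`.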



