Forms Authentication, ASP.NET MVC and WCF RESTful Services

Time: 2022-03-30 04:13:56

One test webserver, with the following applications

service.ganymedes.com:8008 - WCF RESTful service, basically the FormsAuth sample from WCF Starter Kit Preview 2

mvc.ganymedes.com:8008 - ASP.NET MVC 2.0 application

web.config for service.ganymedes.com:

<authentication mode="Forms">
    <forms loginUrl="~/login.aspx" timeout="2880" domain="ganymedes.com" name="GANYMEDES_COOKIE" path="/" />
</authentication>

web.config for mvc.ganymedes.com:

<authentication mode="Forms">
    <forms loginUrl="~/Account/LogOn" timeout="2880" domain="ganymedes.com" name="GANYMEDES_COOKIE" path="/" />
</authentication>

Trying my darndest, a GET (or a POST, for that matter) via jQuery's $.ajax or $.getJSON does not send my cookie (according to Firebug), so I get HTTP 302 returned from the WCF service:

Request Headers
Host               service.ganymedes.com:8008
User-Agent         Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 (.NET CLR 3.5.30729)
Accept             application/json, text/javascript, */*
Accept-Language    en-us,en;q=0.5
Accept-Encoding    gzip,deflate
Accept-Charset     ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive         300
Connection         keep-alive
Referer            http://mvc.ganymedes.com:8008/Test
Origin             http://mvc.ganymedes.com:8008

It is sent when mucking about on the MVC site, though:

Request Headers
Host               mvc.ganymedes.com:8008
User-Agent         Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 (.NET CLR 3.5.30729)
Accept             text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language    en-us,en;q=0.5
Accept-Encoding    gzip,deflate
Accept-Charset     ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive         300
Connection         keep-alive
Referer            http://mvc.ganymedes.com:8008/Test
Cookie             GANYMEDES_COOKIE=0106A4A666C8C615FBFA9811E9A6C5219C277D625C04E54122D881A601CD0E00C10AF481CB21FAED544FAF4E9B50C59CDE2385644BBF01DDD4F211FE7EE8FAC2; GANYMEDES_COOKIE=D6569887B7C5B67EFE09079DD59A07A98311D7879817C382D79947AE62B5508008C2B2D2112DCFCE5B8D4C61D45A109E61BBA637FD30315C2D8353E8DDFD4309

I also put the exact same settings in both applications' web.config files (self-generated validationKey and decryptionKey).

On the WCF binding config: the FormsAuth example doesn't have an explicit <bindings> element, but I've added this:

<system.serviceModel>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true">
        <baseAddressPrefixFilters>
            <add prefix="http://service.ganymedes.com:8008" />
        </baseAddressPrefixFilters>
    </serviceHostingEnvironment>    
</system.serviceModel>

or the service wouldn't bind at all. If I use the same data URI as in the jQuery call directly in the browser, it sends the cookie and WCF returns data. I just can't seem to use it in a cross-subdomain call and have the auth cookie included.

1 solution

#1

1

OK, I guess this is a known limitation due to security (the Same Origin Policy). I knew about cross-domain blocks, but I thought it would be okay for subdomains.

I spent about 2 weeks researching WCF and REST (and using MVC as a RESTful web service as well), always with an AJAX-aware mindset, and this never came up before proof-of-concept implementation time. Go figure.

Apparently Basic authentication won't work across subdomains via AJAX either. JSONP will work with forms authentication/cookies, it seems, but won't work with Basic authentication (I don't want to limit myself to HTTP GET anyway...). Changing document.domain didn't do squat for me.

I guess I have to put everything on the same domain after all, or manually send authentication info as request parameters for every call, but both of those solutions feel like crappy workarounds (and it sure isn't more secure either). Oh well.

I feel kind of stupid now.

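Added example, not code from the question or the answer above. The first capture in the question carries an Origin header, which is the browser flagging the call from mvc.ganymedes.com:8008 to service.ganymedes.com:8008 as cross-origin (a shared registrable domain does not make two hosts the same origin), and a cross-origin XMLHttpRequest omits cookies unless the script sets withCredentials and the service answers with CORS headers naming that exact origin and allowing credentials. The JavaScript below models both sides of that exchange. The hostnames, port and cookie name are taken from the question; ALLOWED_ORIGINS, the function names and the sample Cookie header are assumptions constructed for this example.

```javascript
'use strict';
// Added example (not code from the original post). Models the rules a browser
// applies to a credentialed cross-origin XMLHttpRequest and the response
// headers a service at service.ganymedes.com:8008 would need to send so a
// page on mvc.ganymedes.com:8008 can call it with the forms-auth cookie.

// Two URLs are the same origin only if scheme, host and port all match.
// Different subdomains of ganymedes.com are therefore different origins.
function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host; // host includes the port
}

// Client side, as it would be written in the page on mvc.ganymedes.com.
// Defined only; XMLHttpRequest exists in a browser, not in Node.
function callServiceWithCookie(url, onDone) {
  const xhr = new XMLHttpRequest();
  xhr.open('GET', url, true);
  xhr.withCredentials = true; // attach GANYMEDES_COOKIE to the cross-origin request
  xhr.setRequestHeader('Accept', 'application/json');
  xhr.onload = () => onDone(xhr.status, xhr.responseText);
  xhr.send();
}
// jQuery equivalent: $.ajax({ url: url, xhrFields: { withCredentials: true } })

// Server side. With credentials, "*" is rejected by the browser; the exact
// Origin must be echoed, and only when it is on an explicit allowlist.
// Reflecting any Origin would let every site the user visits call the
// service with their cookie.
const ALLOWED_ORIGINS = new Set(['http://mvc.ganymedes.com:8008']); // assumed allowlist

function corsHeadersFor(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (!requestOrigin || !allowed.has(requestOrigin)) {
    return null; // not a permitted caller: emit no CORS headers at all
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // the response differs per origin; keep shared caches honest
  };
}

// Browser-side decision: is the response exposed to a credentialed caller?
function browserAcceptsCredentialedResponse(requestOrigin, headers) {
  if (!headers) return false;
  const acao = headers['Access-Control-Allow-Origin'];
  const acac = headers['Access-Control-Allow-Credentials'];
  return acao === requestOrigin && acac === 'true'; // '*' fails when credentials are sent
}

// Cookie scope: a cookie set with Domain=ganymedes.com is sent to any host
// under that domain, so one GANYMEDES_COOKIE reaches both subdomains once
// the browser is allowed to attach cookies to the request at all.
function cookieDomainMatches(cookieDomain, requestHost) {
  const d = cookieDomain.toLowerCase().replace(/^\./, '');
  const h = requestHost.toLowerCase().split(':')[0]; // drop the port
  return h === d || h.endsWith('.' + d);
}

// The second capture in the question shows GANYMEDES_COOKIE twice. A browser
// sends two cookies with one name only when they differ in Domain or Path
// scope, so flagging duplicates tells you a stale differently-scoped cookie
// is still present and should be cleared.
function duplicateCookieNames(cookieHeader) {
  const seen = new Map();
  for (const part of cookieHeader.split(';')) {
    const name = part.trim().split('=')[0];
    if (!name) continue;
    seen.set(name, (seen.get(name) || 0) + 1);
  }
  return [...seen].filter(([, count]) => count > 1).map(([name]) => name);
}

// Constructed sample, not the real captured value.
const SAMPLE_COOKIE_HEADER = 'GANYMEDES_COOKIE=aaaa; GANYMEDES_COOKIE=bbbb; ASP.NET_SessionId=cccc';
```

The server-side part is the piece the answer did not reach: the two subdomains stay separate origins, but a credentialed CORS response from the WCF service, combined with withCredentials on the client, lets the shared-domain forms cookie travel with the AJAX call without falling back to JSONP or to a single hostname.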