Question
Our app (AngularJS + REST) is protected by a Shibboleth service provider for SSO. The issue is that we are seeing CORS errors when trying to make Ajax calls to the REST services, saying the redirect to the IDP failed: "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at"
However, if we refresh/reload the browser, everything works fine. I believe the cookie is not created the first time around, and gets created after a forced reload.
Obviously this is not an acceptable solution, refreshing the browser every single time.
What needs to be done in order to make this work without reload?
Thanks for any pointers in advance.
Answer 1:
I'm dealing with this issue myself. I don't believe there is any CORS support in the Shibboleth IDP, and the solution I'm going with is an active keep-alive ping from the client:
- Periodically make an Ajax request to a location under the Shibboleth auth session to keep the session from timing out (using e.g. setTimeout)
- If this request fails, throw up a full-page error that prompts the user to reload the page, with something like this
As long as the browser tab is open and the client machine is awake, this will prevent XHR errors of this kind for at least session "lifetime":
lifetime(time in seconds) (default is 28800) Maximum duration in seconds that a session maintained by the SP will be valid. The actual time may be less than this value (if an IdP indicates it should be shorter) but will never be longer. Note that this will not influence sessions maintained by an application.
If the client machine goes to sleep and enough pings are missed, or if the SP's session storage is cleared, they'll get the full-screen error pretty immediately and get to reload to either reauth or just re-establish their Shibboleth session.
I think that's the best we can do without CORS in the IDP!
Here's the Apache config that ended up working for me in case anyone else lands here:
RewriteEngine On
# Everything under / needs a Shibboleth session; mod_shib exports the
# attributes (REMOTE_USER etc.) as request headers for the application.
<Location />
AuthType Shibboleth
ShibUseHeaders On
ShibRequireSession On
Require valid-user
AuthGroupFile /etc/httpd/groups
</Location>
# LA-F runs a look-ahead subrequest through the auth phase, so REMOTE_USER is
# known before the rewrite decides. With no session, /session-ping is passed
# through to an unprotected location that answers with a non-200 status,
# instead of letting mod_shib redirect the XHR to the IdP (the CORS error).
RewriteCond "%{LA-F:REMOTE_USER}" =""
RewriteRule ^/session-ping$ /yoursessiondoesnotexist [PT,L]
<Location /yoursessiondoesnotexist>
AuthType None
Require all granted
</Location>
# With a live session, /session-ping serves a static page with a 200.
RewriteCond "%{LA-F:REMOTE_USER}" !=""
RewriteRule ^/session-ping$ /ok.html [PT,L]
Alias /ok.html /var/www/ok.html
# Keep the five-second poll out of the access log.
SetEnvIf Request_URI "^/session-ping$" DONTLOG
CustomLog /dev/stdout ncgl env=!DONTLOG
I poll /session-ping every five seconds with XHR and throw up my "your session expired" modal/dimmer when it gets a non-200 status code.
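The browser side of the keep-alive described in this answer, as an added example that is not code from the original post or from Shibboleth. It polls /session-ping on a timer, treats anything other than a plain HTTP 200 as "session gone" (a blocked redirect to the IdP shows up as a thrown fetch error or, with redirect:'manual', as status 0; the unprotected fallback location answers with a 404), fires an expiry callback exactly once and stops. It goes slightly beyond the answer by allowing a configurable number of consecutive failures before declaring expiry, so a single transient network blip does not throw up the modal. The names pingSucceeded, pingSession, createSessionMonitor, their option names and the showSessionExpiredModal placeholder are this example's own assumptions; fetch is injected as fetchFn so the logic can be exercised outside a browser.

```javascript
// Added example, not from the original answer or from Shibboleth:
// client-side keep-alive for the /session-ping endpoint configured above.

// Interpret one ping result. Only a plain HTTP 200 means the SP session is
// alive. A mod_shib redirect to the IdP surfaces as an opaque redirect
// (status 0 when fetch runs with redirect:'manual') or, if it is followed,
// as a thrown CORS/network error; the /yoursessiondoesnotexist fallback
// answers with a non-200 status. All of those count as "expired".
function pingSucceeded(result) {
  if (!result || result.error) return false;
  return result.status === 200;
}

// One ping. fetchFn is injected (pass window.fetch in the browser) so the
// logic also runs outside a browser. Never throws; resolves to true/false.
async function pingSession(pingUrl, fetchFn) {
  try {
    const res = await fetchFn(pingUrl, {
      method: 'GET',
      credentials: 'same-origin', // send the Shibboleth SP session cookie
      cache: 'no-store',          // a cached 200 must never mask an expired session
      redirect: 'manual',         // do not follow an IdP redirect; report it instead
    });
    return pingSucceeded({ status: res.status });
  } catch (error) {
    return pingSucceeded({ error });
  }
}

// Poller: pings every intervalMs, tolerates maxConsecutiveFailures - 1
// transient failures (the answer reacts to the first non-200), and calls
// onExpired exactly once before it stops polling.
function createSessionMonitor(options) {
  const cfg = Object.assign({
    pingUrl: '/session-ping',
    intervalMs: 5000,            // the answer polls every five seconds
    maxConsecutiveFailures: 1,   // raise to ride out a brief network blip
    fetchFn: typeof fetch === 'function' ? fetch : null,
    onExpired: () => {},
    schedule: (fn, ms) => setTimeout(fn, ms),
    cancel: (handle) => clearTimeout(handle),
  }, options);

  const state = { consecutiveFailures: 0, expired: false, running: false, timer: null };

  // Pure state transition for one ping outcome; returns true once expired.
  function record(ok) {
    if (state.expired) return true;
    if (ok) {
      state.consecutiveFailures = 0;
      return false;
    }
    state.consecutiveFailures += 1;
    if (state.consecutiveFailures >= cfg.maxConsecutiveFailures) {
      state.expired = true;
      state.running = false;
      cfg.onExpired();
    }
    return state.expired;
  }

  // One full poll cycle: ping, then feed the result to the state machine.
  async function tick() {
    return record(await pingSession(cfg.pingUrl, cfg.fetchFn));
  }

  function start() {
    if (state.running || state.expired) return;
    state.running = true;
    const loop = async () => {
      state.timer = null;
      const expired = await tick();
      if (!expired && state.running) state.timer = cfg.schedule(loop, cfg.intervalMs);
    };
    state.timer = cfg.schedule(loop, cfg.intervalMs);
  }

  function stop() {
    state.running = false;
    if (state.timer !== null) cfg.cancel(state.timer);
    state.timer = null;
  }

  return { record, tick, start, stop, state };
}

// Browser usage; showSessionExpiredModal stands in for the app's own
// (hypothetical) "your session expired" modal/dimmer:
//   const monitor = createSessionMonitor({ onExpired: showSessionExpiredModal });
//   monitor.start();
```

The cache:'no-store' option matters: without it an intermediary or the browser cache could keep answering 200 for /ok.html after the SP session is already gone, and the poller would never notice.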
Source: https://stackoverflow.com/questions/32979785/shibboleth-sso-cors-error