问题
I searched a lot on Google and Stack overflow to find a solution for my problem, but nothing worked.
Here is my problem:
I use IIS 7 with a special programming environment called WebDEV that does not allow direct manipulation of
OPTIONSHTTP method. So, all solutions suggesting some kind of server-side request handling using code are not feasible.I have to use Window authentication and disable anonymous access
I have a page that uses CORS to POST to this server. As this POST should have
Content-type: Octet-stream, a preflight is issued by the browser.When I enable anonymous access, everything works fine (CORS is well configured)
When I disable anonymous access, the server replies with HTTP 401 unauthorized response to the preflight request, as it does not contain credentials information.
I tried to write a module for IIS that accepts OPTIONS requests like this, but it did not work (couldn't add the module correctly to IIS, maybe)
public class CORSModule : IHttpModule { public void Dispose() { } public void Init(HttpApplication context) { context.PreSendRequestHeaders += delegate { if (context.Request.HttpMethod == "OPTIONS") { var response = context.Response; response.StatusCode = (int)HttpStatusCode.OK; } }; } }
The question is: How can I make IIS respond with HTTP 200 to the preflight request without enabling anonymous access or writing some server-side code? Is there an easy configuration or a ready-made module for IIS to do so? At least, what are the detailed steps to install the above module into IIS 7?
回答1:
Here is the solution that uses "URL Rewrite" IIS module. It works perfectly.
1- Stop IIS service (maybe not necessary)
2- Install "web platform installer" from https://www.microsoft.com/web/downloads/platform.aspx
3- Go to "Applications" tab and search for "URL Rewrite" and download it
4- Install this hotfix KB2749660 (maybe not necessary)
5- Open IIS configuration tool, double click "URL Rewrite"
6- Add a new blankrule
7- Give it any name
8- In "Match URL", specify this pattern: .*
9- In "Conditions", specify this condition entry: {REQUEST_METHOD} and this pattern: ^OPTIONS$
10- In "Action", specify: action type Personalized response, state code 200, reason Preflight, description Preflight
11- Start the server
Now, the server should reply with a 200 status code response to the preflight request, regardless of the authentication.
Remarks: I also disabled all compression, I don't know if it matters.
回答2:
From AhmadWabbi's answer, easy XML pasting into your web.config:
<system.webServer>
<rewrite>
<rules>
<rule name="CORS Preflight Anonymous Authentication" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{REQUEST_METHOD}" pattern="^OPTIONS$" />
</conditions>
<action type="CustomResponse" statusCode="200" statusReason="Preflight" statusDescription="Preflight" />
</rule>
</rules>
</rewrite>
</system.webServer>
回答3:
In order for your module to take precedence it will have to override any modules within IIS that may interfere. For instance, your web.config may need a or enable anonymous, and create an attribute for intercepting the traffic and filtering through as you need to.
来源:https://stackoverflow.com/questions/38201776/cors-preflight-request-returning-http-401-with-windows-authentication