Angular2从REST服务的响应中缺少Set-Cookie

Question

Angular2从REST服务的响应中缺少Set-Cookie

angularspringrestcookies

3

目标

目标是使用HTTP基本身份验证调用远程登录服务并获取JSESSIONID以便进一步使用。

已测试的后端

到目前为止，我已经成功调用了服务，并得到了200响应。我的restassured测试工作顺利，并表明登录服务已经正确提供了JSESSIONID。Spring后端服务带有@CrossOrigin注解。

// assure we are not logged in
RestAssured.baseURI = "https://" + ip;
RestAssured.basePath = "/user";
Response responseA = post("/create"); // /user/create is a secured service
assertEquals(401, responseA.statusCode());

// log in and save the token
RestAssured.baseURI = "https://" + username + ":pass@" + ip; // http basic auth is used
RestAssured.basePath = "/user";
Response responseB = post("/login");
assertEquals(200, responseB.statusCode());

String jsessionId = responseB.getCookie("JSESSIONID");
// C50C28EA1F3ABBB76F0E4189A772A4E9

RestAssured.baseURI = "https://" + ip;
RestAssured.basePath = "/user";

// call a service without token or credentials --> 401
Response responseC = get("/id"); // /user/id is a secured service
assertEquals(401, responseC.statusCode());

// call a service with the token
RestAssured.sessionId = jsessionId;
Response responseD = get("/id");
assertEquals(200, responseD.statusCode());

测试通过。

前端问题

在我们的Angular2前端应用程序中，我们有一个登录页面，其提交按钮通过onSubmit()方法运行以下代码。

_url = "theLoginServiceUrl"

createAuthorizationHeader(username: string, password: string, headers:Headers) {
    headers.append('Authorization', 'Basic ' + btoa(username + ':' + password));
    // tried all of these, but they didn't fix the problem
    // headers.append('Access-Control-Allow-Origin', '*');
    // headers.append('Access-Control-Allow-Headers', '*');
    // headers.append('Access-Control-Allow-Methods', '*');
}

login (username: string, password: string) {
    let headers = new Headers();
    this.createAuthorizationHeader(username, password, headers);
    return this._http.post(this._url, "", {
        headers: headers
    });
}

onSubmit() {
    this.login(this.currentUser.username, this.currentUser.password)
        .subscribe((res) => {
                var headers = res.headers;
                console.log(headers); 
                // Headers {_headersMap: Map}
                // <entries>[3]
                // {"Pragma" => Array[1]}
                // {"Cache-Control" => Array[1]}
                // {"Expires" => Array[1]}

                var setCookieHeader = headers.get('Set-Cookie');
                console.log(setCookieHeader)
                // null
            }
        );
}

从评论中可以看出，我无法访问Set-Cookie头。然而，在浏览器中，我能看到包含Set-Cookie头的成功调用：

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
Set-Cookie: JSESSIONID=58A072F2BB40A711CB42233CA4EB7BF6; Path=/; Secure; HttpOnly
Access-Control-Allow-Origin: http://localhost:3000
Vary: Origin
Access-Control-Allow-Credentials: true
Content-Length: 0
Date: Fri, 06 May 2016 10:43:21 GMT

请注意这一切都是通过 HTTPS 运行的。

前端细节:

"typescript": "^1.7.5"
"angular2": "2.0.0-beta.7"

问题:

为什么我不能在我的Angular2代码中访问Set-Cookie？我需要改变什么？

- michaelbahr

1个回答

网页内容由stack overflow 提供, 点击上面的

可以查看英文原文，
原文链接

- Günter Zöchbauer · Accepted Answer

当cookie的属性设置为Secure时，JavaScript无法读取它。Cookie的目的仅是用于验证请求，并将由浏览器随每个请求一起发送，但出于安全考虑，它不可用于JavaScript代码。

对于JS代码来检查用户是否已登录，使用不同的措施，例如调用响应当前已登录状态的服务器。

另请参阅如何使用JavaScript读取安全cookie。