仅在一个页面上从AJAX POST获得NTLM挑战

Question

这里很神秘.我有一个使用Windows身份验证的ASP.NET MVC 4 Web应用程序,该应用程序已维护超过18个月而没有问题.最近,它被部署到一个新的站点,我遇到了以下非常奇怪的行为.

我正在使用jQuery 1.8.2 $.ajax调用POST数据到服务器端点来更新数据.除了在一个页面上,AJAX POST触发新的NTLM协商之外,这个工作正常.Chrome,IE和Firefox也出现了同样的问题.虽然所有浏览器的问题都是相同的,但它的表现方式略有不同:

• Firefox:从服务器收到401 Challenge响应,并打开一个用户名/密码对话框,询问无限循环中的凭据.取消凭据检查会导致请求失败并显示未经授权的响应.
• IE:服务器没有响应,请求状态在网络监视器中显示为"(已中止)"
• Chrome:服务器没有响应,请求状态在网络监视器中显示"(失败)".

核心问题似乎是Connection: keep-alive头部没有与有问题的AJAX请求一起发送,但在其他情况下.但是,底层JavaScript代码几乎完全相同,并且AJAX调用在开发环境中正常运行,该环境也设置为使用Windows身份验证.

此外,尝试Connection在beforeSend回调中设置请求标头无效.

任何关于问题根源的见解,或者两种AJAX POST之间存在差异的方法都是最受欢迎的.

工作代码和请求标头

$.ajax({
   url: url,
   type: "POST",
   data: $("#myForm").serialize(),
   cache: false,
   success: function (response) {
   }
});


Accept:*/*
Accept-Encoding:gzip, deflate
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Content-Length:621
Content-Type:application/x-www-form-urlencoded; charset=UTF-8
Host:www.xxx.yyy.zzz
Origin:http://www.xxx.yyy.zzz
Referer:http://www.xxx.yyy.zzz/app/resource/path
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36
X-Requested-With:XMLHttpRequest

失败的代码和请求标头

$.ajax({
    url: url,
    type: "POST",
    data: data,
    cache: false,
    success: function (data, status, xhr) {
    }
 });

 WARN: Provisional headers are shown
 Accept:*/*
 Content-Type:application/x-www-form-urlencoded; charset=UTF-8
 Origin:http://www.xxx.yyy.zzz
 Referer:http://www.xxx.yyy.zzz/app/resource/item/1
 User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36
 X-Requested-With:XMLHttpRequest

我还查看了Chrome浏览chrome://net-internals/#events器中的网络流程.这是失败请求中与成功请求不同的事件日志.在失败的请求获得"HTTP/1.1 401 Unauthorized"的情况下,成功请求获得"HTTP/1.1 200 OK"响应,可能是由于存在Connection: keep-alive头部.

2303: URL_REQUEST
Start Time: 2015-04-28 13:53:41.788

t=14736 [st= 0] +REQUEST_ALIVE  [dt=71]
t=14736 [st= 0]    URL_REQUEST_DELEGATE  [dt=0]
t=14736 [st= 0]   +URL_REQUEST_START_JOB  [dt=70]
                   --> load_flags = 2688000 (BYPASS_DATA_REDUCTION_PROXY | MAYBE_USER_GESTURE | REPORT_RAW_HEADERS | VERIFY_EV_CERT)
               --> method = "POST"
               --> priority = "LOW"
               --> upload_id = "0"
               --> url = "http://..."
t=14736 [st= 0]      URL_REQUEST_DELEGATE  [dt=0]
t=14736 [st= 0]      HTTP_CACHE_GET_BACKEND  [dt=0]
t=14736 [st= 0]      URL_REQUEST_DELEGATE  [dt=0]
t=14736 [st= 0]     +HTTP_STREAM_REQUEST  [dt=0]
t=14736 [st= 0]        HTTP_STREAM_REQUEST_BOUND_TO_JOB
                       --> source_dependency = 2305 (HTTP_STREAM_JOB)
t=14736 [st= 0]     -HTTP_STREAM_REQUEST
t=14736 [st= 0]     +HTTP_TRANSACTION_SEND_REQUEST  [dt=0]
t=14736 [st= 0]        HTTP_TRANSACTION_SEND_REQUEST_HEADERS
                       --> POST ... HTTP/1.1
                       Host: www.xxx.yyy.zzz
                       Connection: keep-alive
                       Content-Length: 105
                       Accept: */*
                       Origin: http://www.xxx.yyy.zzz
                       User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36
                       X-Requested-With: XMLHttpRequest
                       Content-Type: application/x-www-form-urlencoded; charset=UTF-8
                       Referer: http://www.xxx.yyy.zzz/app/resource/item/1
                       Accept-Encoding: gzip, deflate
                       Accept-Language: en-US,en;q=0.8
t=14736 [st= 0]        HTTP_TRANSACTION_SEND_REQUEST_BODY
                       --> did_merge = true
                       --> is_chunked = false
                       --> length = 105
t=14736 [st= 0]     -HTTP_TRANSACTION_SEND_REQUEST
t=14736 [st= 0]     +HTTP_TRANSACTION_READ_HEADERS  [dt=0]
t=14736 [st= 0]        HTTP_STREAM_PARSER_READ_HEADERS  [dt=0]
t=14736 [st= 0]        HTTP_TRANSACTION_READ_RESPONSE_HEADERS
                   --> HTTP/1.1 401 Unauthorized
                       Content-Type: text/html
                       Server: Microsoft-IIS/7.5
                       WWW-Authenticate: Negotiate
                       WWW-Authenticate: NTLM
                       X-Powered-By: ASP.NET
                       X-UA-Compatible: IE=9
                       Date: Tue, 28 Apr 2015 18:53:41 GMT
                       Content-Length: 1293

编辑

通过控制台播放不同的请求会显示以下结果表(在Chrome下).当前的基本URL是http://IPAddress /app/topic/item,所有测试只是执行一个$.ajax({ url: url, type: 'POST' })

+--------------------------------------+----------------------------+
|   URL                                | Response                   |
+--------------------------------------+----------------------------+
| http://IP/app/topic/item/1/subitem/1 | net::ERR_INVALID_HANDLE    |
| //IP/app/topic/item/1/subitem/1      | net::ERR_INVALID_HANDLE    |
| /app/topic/item/1/subitem/1          | net::ERR_INVALID_HANDLE    |
| 1/subitem/1                          | net::ERR_INVALID_HANDLE    |
| 1/foo                                | 404 (Not Found) [expected] |
| 1                                    | 302 (Redirect)  [expected] |
+--------------------------------------+----------------------------+

因为错误只影响POST一个控制器中的操作方法的子集,所以我最初认为这是一个服务器端问题,但是在发现缺少Connection标头的问题后,它实际上似乎是一个客户端问题.究竟如何触发问题对我来说仍然是一个谜.

我还确认了工作页面和有问题页面的响应标头是相同的.最相关的Persistent-Auth: true是,在这两种情况下总是返回标题.

Answer 1

Some wild guesses:

• 当您请求的角色不在当前登录用户的声明中时，就会发生这种情况。如果您使用的是[Authorize(Roles = "xyz")]，请验证当前用户是否确实具有该角色。

• 目前尚不清楚您的应用程序是否使用 cookie 进行身份验证。如果是，您应该会在请求中看到它。您是否withCredentials: true为每个请求进行设置？