jQuery cross-domain POST to a WCF service, without a proxy
I have a complicated solution I am attempting to solve.
I have a wcf service (.net 4.0) hosted on Server 1. Server 1 is PCI compliant.
Server 2 is a client web site. This website has a credit card form hosted. It also has a jquery plugin which hijacks the form post. Server 2 is not PCI compliant.
The data in the credit card form cannot be posted to Server 2.
So, I am trying to call my wcf service (json in, json out) from my jquery plugin. I can't use a proxy on Server 2 because that would mean my post data goes to that server.
So, the form data must go from the client machine directly to server 1 while bypassing server2 completely.
I saw several posts about using a crossdomain.xml file on Server 1, however I still get an error:
XMLHttpRequest cannot load http://server1/MySite.Services/PaymentService.svc/SubmitCreditCardPayment. Origin http://server2 is not allowed by Access-Control-Allow-Origin.
Is there any way to do a cross-domain ajax call to a WCF service with json in and json out?
I am not bound to using jquery ajax to do this. If you have another solution that uses jquery to send the data cross domain, I would love to hear it.
EDIT:
To clarify, here's what my service looks like.
PaymentResponse SubmitCreditCardPayment(CreditCardRequest request);
The request and response objects are just classes with properties (DataContract/DataMember).
Comments (1)
Have you tried JSONP?
This is a simple way to call a service on server1 from the client, by using a script tag which has no limitation on source target. To get that json response interpreted in your js env you need a callback (say foo(data)) and you need to set this callback name on the ajax query as a GET parameter. And the targeted ajax service will enclose its json response by a call to foo: foo({json: things}).
Edit:
Responding to your remark: you've tested JSON-P but it is not secured (and uses GET):
You're right, JSON-P is not very good for security. But CORS would reduce the number of browsers allowed for your application (only very recent browsers). The error message you have is a CORS error message. If you made your request in js then you just have a problem in your implementation of CORS; older browsers would need a JSON-P fallback.
So even using jQuery's magic ajax functions you will have the problem of either using badly secured JSON-P or badly supported CORS.
One other solution is having server2 as a subdomain of server1, but for credit card payments I assume it's not your case.
The crossdomain.xml file exists only for Flash applications, not js, but you could use it to make the whole ajax process in flash (gasp), reducing the number of people allowed to use your application again, but based on (recent) flash support. OMG I'm talking about flash as a real solution...
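The CORS error quoted in the question means Server 1 never told the browser that http://server2 may call it. The following is an added example, not code from the question or the answer: a framework-neutral sketch of the decision Server 1 has to make for each request, including the OPTIONS preflight that a JSON POST triggers. The function name, request shape and allowlist are assumptions, and this is not a WCF API.

```javascript
// Added example: hypothetical CORS gate for the service on Server 1.
// Framework-neutral logic, not a WCF API; names below are illustrative.
const ALLOWED_ORIGINS = new Set(["http://server2"]); // exact match, from the question
const ALLOWED_METHODS = ["POST"];
const ALLOWED_HEADERS = ["content-type"];

// req: { method, headers } with lower-cased header names.
// Returns { status, headers }; status null means "pass on to the service
// operation and attach these headers to its response".
function corsDecision(req) {
  const origin = req.headers["origin"];
  // Vary: Origin stops caches replaying one origin's answer to another.
  const deny = { status: 403, headers: { "Vary": "Origin" } };
  // No Origin header: not a browser cross-origin request, no CORS headers needed.
  if (origin === undefined) return { status: null, headers: { "Vary": "Origin" } };
  // CORS headers only stop a page *reading* the reply; the request itself
  // still arrives, so unknown origins are refused here on the server.
  if (!ALLOWED_ORIGINS.has(origin)) return deny;
  const allow = { "Vary": "Origin", "Access-Control-Allow-Origin": origin };
  if (req.method !== "OPTIONS") return { status: null, headers: allow };

  // Preflight: a POST with Content-Type: application/json is not a "simple"
  // request, so the browser first sends OPTIONS asking for permission.
  const wantMethod = req.headers["access-control-request-method"];
  const wantHeaders = (req.headers["access-control-request-headers"] || "")
    .split(",").map(h => h.trim().toLowerCase()).filter(Boolean);
  if (!ALLOWED_METHODS.includes(wantMethod)) return deny;
  if (!wantHeaders.every(h => ALLOWED_HEADERS.includes(h))) return deny;
  allow["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  allow["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  return { status: 204, headers: allow };
}

// Constructed sample: the preflight a browser on http://server2 would send
// before the JSON POST to SubmitCreditCardPayment.
const samplePreflight = {
  method: "OPTIONS",
  headers: {
    "origin": "http://server2",
    "access-control-request-method": "POST",
    "access-control-request-headers": "content-type",
  },
};
console.log(corsDecision(samplePreflight));
```

The allowlisted origin is echoed back rather than answered with "*", so only the page on Server 2 can read the payment response.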