c# - 如何在我的 asp net core 3.1 控制器中为特定操作设置基本身份验证?
问题描述
我正在使用 asp.net core 3.1 创建一个 webapi,并且我想使用基本身份验证,我将对 Active Directory 进行身份验证。
我创建了一个身份验证处理程序和服务,但问题是当我使用 [Authorize] 装饰我的控制器操作时,当我调用控制器操作时不会调用 HandleAuthenticateAsync 函数(尽管调用了处理程序的构造函数)。相反,我只收到 401 响应:
GET https://localhost:44321/Test/RequiresAuthentication HTTP/1.1
Authorization: Basic ..........
User-Agent: PostmanRuntime/7.26.8
Accept: */*
Postman-Token: d58490e4-2707-4b75-9cfa-679509951860
Host: localhost:44321
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Thu, 10 Dec 2020 16:31:16 GMT
Content-Length: 0
如果我调用没有 [Authorize] 属性的操作,则会调用 HandleAuthenticateAsync 函数,但即使 HandleAuthenticateAsync 返回 AuthenticateResult.Fail,该操作也会执行并返回 200。我一定完全误解了这应该如何工作。
GET https://localhost:44321/Test/NoAuthenticationRequired HTTP/1.1
User-Agent: PostmanRuntime/7.26.8
Accept: */*
Postman-Token: 81dd4c2a-32b6-45b9-bb88-9c6093f3675e
Host: localhost:44321
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Thu, 10 Dec 2020 16:35:36 GMT
Content-Length: 3
Ok!
我有一个控制器,其中包含一个我想要对其进行身份验证的操作,而另一个我不想:
[ApiController]
[Route("[controller]")]
public class TestController : ControllerBase
{
private readonly ILogger<TestController> _logger;
public TestController(ILogger<TestController> logger)
{
_logger = logger;
}
[HttpGet("RequiresAuthentication")]
[Authorize]
public string RestrictedGet()
{
return "Ok!";
}
[HttpGet("NoAuthenticationRequired")]
public string NonRestrictedGet()
{
return "Ok!";
}
}
我有一个身份验证处理程序:
public class BasicAuthenticationHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
private IBasicAuthenticationService _authService;
public BasicAuthenticationHandler(
IOptionsMonitor<AuthenticationSchemeOptions> options,
ILoggerFactory logger,
UrlEncoder encoder,
ISystemClock clock,
IBasicAuthenticationService authService)
: base(options, logger, encoder, clock)
{
...
_authService = authService;
}
protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
{
// skip authentication if endpoint has [AllowAnonymous] attribute
var endpoint = Context.GetEndpoint();
if (endpoint?.Metadata?.GetMetadata<IAllowAnonymous>() != null)
{
return AuthenticateResult.NoResult();
}
if (!Request.Headers.ContainsKey("Authorization"))
{
return AuthenticateResult.Fail("Missing Authorization Header.");
}
IBasicAuthenticationServiceUser user = null;
try
{
var authHeader = AuthenticationHeaderValue.Parse(Request.Headers["Authorization"]);
var credentialBytes = Convert.FromBase64String(authHeader.Parameter);
var credentials = Encoding.UTF8.GetString(credentialBytes).Split(new[] { ':' }, 2);
var username = credentials[0];
var password = credentials[1];
user = await _authService.Authenticate(username, password);
}
catch
{
return AuthenticateResult.Fail("Invalid Authorization Header.");
}
if (user == null)
{
return AuthenticateResult.Fail("Invalid Username or Password.");
}
var claims = new[] {
new Claim(ClaimTypes.NameIdentifier, user.Id.ToString()),
new Claim(ClaimTypes.Name, user.UserName),
};
var identity = new ClaimsIdentity(claims, Scheme.Name);
var principal = new ClaimsPrincipal(identity);
var ticket = new AuthenticationTicket(principal, Scheme.Name);
return AuthenticateResult.Success(ticket);
}
}
我有一个针对活动目录进行身份验证的身份验证服务:
class BasicAuthenticationActiveDirectoryService : IBasicAuthenticationService
{
private class User : IBasicAuthenticationServiceUser
{
public string Id { get; set; }
public string UserName { get; set; }
public string Lastname { get; set; }
public string FirstName { get; set; }
public string Email { get; set; }
}
public async Task<IBasicAuthenticationServiceUser> Authenticate(string username, string password)
{
string domain = GetDomain(username);
using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, domain))
{
// validate the credentials
bool isValid = pc.ValidateCredentials(username, password);
if (isValid)
{
User user = new User()
{
Id = username,
UserName = username
};
UserPrincipal up = UserPrincipal.FindByIdentity(pc, username);
user.FirstName = up.GivenName;
user.Lastname = up.Surname;
user.Email = up.EmailAddress;
return user;
}
else
{
return null;
}
}
}
private string GetDomain(string username)
{
if (string.IsNullOrEmpty(username))
{
throw new ArgumentNullException(nameof(username), "User name cannot be null or empty.");
}
int delimiter = username.IndexOf("\\");
if (delimiter > -1)
{
return username.Substring(0, delimiter);
}
else
{
return null;
}
}
}
我将它连接到我的 startup.cs 中:
public void ConfigureServices(IServiceCollection services)
{
// configure DI for application services
services.AddScoped<IBasicAuthenticationService, BasicAuthenticationActiveDirectoryService>();
//Set up basic authentication
services.AddAuthentication("BasicAuthentication")
.AddScheme<Microsoft.AspNetCore.Authentication.AuthenticationSchemeOptions, BasicAuthenticationHandler>("BasicAuthentication", null);
...
}
我在我的 startup.cs 中设置身份验证和授权:
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
...
app.UseHttpsRedirection();
app.UseRouting();
app.UseAuthorization();
app.UseAuthentication();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
}
解决方案
尝试交换 app.UseAuthorization() 和 app.UseAuthentication() 的顺序。因为UseAuthentication会解析token,然后提取用户信息到HttpContext.User. 然后 UseAuthorization 将根据认证方案进行授权。
推荐阅读
- c# - 如何等到使用 selenium webdriver 加载下拉列表?
- javascript - 赛普拉斯:验证 Json 对象
- python - 为我的 python 应用程序生成许可证密钥
- javascript - 如何绕过 Puppeteer 阻塞系统
- php - 如何在 Codeigniter 4 中使用多列检查 UNIQUE
- gspread - gspread 的多个 Google 帐户 - oauth 凭证的不同位置?
- java - 在方法参数中传递泛型类
- c# - Web api: 400 错误请求
- android - 当 appTheme 从 styles.xml 中选择为“theme1”时,如何使用不同的可绘制 res 文件夹(例如 drawable-theme1)?这可能吗?
- flask - python看门狗挂烧瓶socketio