如何在我的 asp net core 3.1 控制器中为特定操作设置基本身份验证?
How do I set up basic authentication on specific actions in my asp net core 3.1 controller?
我正在使用 asp.net 核心 3.1 创建一个 webapi,我想使用基本身份验证,我将对 Active Directory 进行身份验证。
我创建了一个身份验证处理程序和服务,但问题是当我用 [Authorize] 装饰我的控制器操作时,当我调用控制器操作时 HandleAuthenticateAsync 函数没有被调用(尽管调用了处理程序的构造函数)。相反,我只收到 401 响应:
GET https://localhost:44321/Test/RequiresAuthentication HTTP/1.1
Authorization: Basic ..........
User-Agent: PostmanRuntime/7.26.8
Accept: */*
Postman-Token: d58490e4-2707-4b75-9cfa-679509951860
Host: localhost:44321
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Thu, 10 Dec 2020 16:31:16 GMT
Content-Length: 0
如果我调用不具有 [Authorize] 属性的操作,则会调用 HandleAuthenticateAsync 函数,但操作会执行并且 returns 200 即使 HandleAuthenticateAsync 返回 AuthenticateResult.Fail.我一定是完全误解了这是怎么回事。
GET https://localhost:44321/Test/NoAuthenticationRequired HTTP/1.1
User-Agent: PostmanRuntime/7.26.8
Accept: */*
Postman-Token: 81dd4c2a-32b6-45b9-bb88-9c6093f3675e
Host: localhost:44321
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Thu, 10 Dec 2020 16:35:36 GMT
Content-Length: 3
Ok!
我有一个 Controller,其中一项操作我想进行身份验证,而另一项操作则不需要:
[ApiController]
[Route("[controller]")]
public class TestController : ControllerBase
{
private readonly ILogger<TestController> _logger;
public TestController(ILogger<TestController> logger)
{
_logger = logger;
}
[HttpGet("RequiresAuthentication")]
[Authorize]
public string RestrictedGet()
{
return "Ok!";
}
[HttpGet("NoAuthenticationRequired")]
public string NonRestrictedGet()
{
return "Ok!";
}
}
我有一个身份验证处理程序:
public class BasicAuthenticationHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
private IBasicAuthenticationService _authService;
public BasicAuthenticationHandler(
IOptionsMonitor<AuthenticationSchemeOptions> options,
ILoggerFactory logger,
UrlEncoder encoder,
ISystemClock clock,
IBasicAuthenticationService authService)
: base(options, logger, encoder, clock)
{
...
_authService = authService;
}
protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
{
// skip authentication if endpoint has [AllowAnonymous] attribute
var endpoint = Context.GetEndpoint();
if (endpoint?.Metadata?.GetMetadata<IAllowAnonymous>() != null)
{
return AuthenticateResult.NoResult();
}
if (!Request.Headers.ContainsKey("Authorization"))
{
return AuthenticateResult.Fail("Missing Authorization Header.");
}
IBasicAuthenticationServiceUser user = null;
try
{
var authHeader = AuthenticationHeaderValue.Parse(Request.Headers["Authorization"]);
var credentialBytes = Convert.FromBase64String(authHeader.Parameter);
var credentials = Encoding.UTF8.GetString(credentialBytes).Split(new[] { ':' }, 2);
var username = credentials[0];
var password = credentials[1];
user = await _authService.Authenticate(username, password);
}
catch
{
return AuthenticateResult.Fail("Invalid Authorization Header.");
}
if (user == null)
{
return AuthenticateResult.Fail("Invalid Username or Password.");
}
var claims = new[] {
new Claim(ClaimTypes.NameIdentifier, user.Id.ToString()),
new Claim(ClaimTypes.Name, user.UserName),
};
var identity = new ClaimsIdentity(claims, Scheme.Name);
var principal = new ClaimsPrincipal(identity);
var ticket = new AuthenticationTicket(principal, Scheme.Name);
return AuthenticateResult.Success(ticket);
}
}
我有一个针对活动目录进行身份验证的身份验证服务:
class BasicAuthenticationActiveDirectoryService : IBasicAuthenticationService
{
private class User : IBasicAuthenticationServiceUser
{
public string Id { get; set; }
public string UserName { get; set; }
public string Lastname { get; set; }
public string FirstName { get; set; }
public string Email { get; set; }
}
public async Task<IBasicAuthenticationServiceUser> Authenticate(string username, string password)
{
string domain = GetDomain(username);
using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, domain))
{
// validate the credentials
bool isValid = pc.ValidateCredentials(username, password);
if (isValid)
{
User user = new User()
{
Id = username,
UserName = username
};
UserPrincipal up = UserPrincipal.FindByIdentity(pc, username);
user.FirstName = up.GivenName;
user.Lastname = up.Surname;
user.Email = up.EmailAddress;
return user;
}
else
{
return null;
}
}
}
private string GetDomain(string username)
{
if (string.IsNullOrEmpty(username))
{
throw new ArgumentNullException(nameof(username), "User name cannot be null or empty.");
}
int delimiter = username.IndexOf("\");
if (delimiter > -1)
{
return username.Substring(0, delimiter);
}
else
{
return null;
}
}
}
我把它连接到我的 startup.cs:
public void ConfigureServices(IServiceCollection services)
{
// configure DI for application services
services.AddScoped<IBasicAuthenticationService, BasicAuthenticationActiveDirectoryService>();
//Set up basic authentication
services.AddAuthentication("BasicAuthentication")
.AddScheme<Microsoft.AspNetCore.Authentication.AuthenticationSchemeOptions, BasicAuthenticationHandler>("BasicAuthentication", null);
...
}
我在 startup.cs 中设置了身份验证和授权:
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
...
app.UseHttpsRedirection();
app.UseRouting();
app.UseAuthorization();
app.UseAuthentication();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
}
尝试调换 app.UseAuthorization() 和 app.UseAuthentication() 的顺序。因为UseAuthentication会解析token,然后提取用户的信息给HttpContext.User。然后UseAuthorization会根据认证方案进行授权。
我正在使用 asp.net 核心 3.1 创建一个 webapi,我想使用基本身份验证,我将对 Active Directory 进行身份验证。
我创建了一个身份验证处理程序和服务,但问题是当我用 [Authorize] 装饰我的控制器操作时,当我调用控制器操作时 HandleAuthenticateAsync 函数没有被调用(尽管调用了处理程序的构造函数)。相反,我只收到 401 响应:
GET https://localhost:44321/Test/RequiresAuthentication HTTP/1.1
Authorization: Basic ..........
User-Agent: PostmanRuntime/7.26.8
Accept: */*
Postman-Token: d58490e4-2707-4b75-9cfa-679509951860
Host: localhost:44321
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Thu, 10 Dec 2020 16:31:16 GMT
Content-Length: 0
如果我调用不具有 [Authorize] 属性的操作,则会调用 HandleAuthenticateAsync 函数,但操作会执行并且 returns 200 即使 HandleAuthenticateAsync 返回 AuthenticateResult.Fail.我一定是完全误解了这是怎么回事。
GET https://localhost:44321/Test/NoAuthenticationRequired HTTP/1.1
User-Agent: PostmanRuntime/7.26.8
Accept: */*
Postman-Token: 81dd4c2a-32b6-45b9-bb88-9c6093f3675e
Host: localhost:44321
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Thu, 10 Dec 2020 16:35:36 GMT
Content-Length: 3
Ok!
我有一个 Controller,其中一项操作我想进行身份验证,而另一项操作则不需要:
[ApiController]
[Route("[controller]")]
public class TestController : ControllerBase
{
private readonly ILogger<TestController> _logger;
public TestController(ILogger<TestController> logger)
{
_logger = logger;
}
[HttpGet("RequiresAuthentication")]
[Authorize]
public string RestrictedGet()
{
return "Ok!";
}
[HttpGet("NoAuthenticationRequired")]
public string NonRestrictedGet()
{
return "Ok!";
}
}
我有一个身份验证处理程序:
public class BasicAuthenticationHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
private IBasicAuthenticationService _authService;
public BasicAuthenticationHandler(
IOptionsMonitor<AuthenticationSchemeOptions> options,
ILoggerFactory logger,
UrlEncoder encoder,
ISystemClock clock,
IBasicAuthenticationService authService)
: base(options, logger, encoder, clock)
{
...
_authService = authService;
}
protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
{
// skip authentication if endpoint has [AllowAnonymous] attribute
var endpoint = Context.GetEndpoint();
if (endpoint?.Metadata?.GetMetadata<IAllowAnonymous>() != null)
{
return AuthenticateResult.NoResult();
}
if (!Request.Headers.ContainsKey("Authorization"))
{
return AuthenticateResult.Fail("Missing Authorization Header.");
}
IBasicAuthenticationServiceUser user = null;
try
{
var authHeader = AuthenticationHeaderValue.Parse(Request.Headers["Authorization"]);
var credentialBytes = Convert.FromBase64String(authHeader.Parameter);
var credentials = Encoding.UTF8.GetString(credentialBytes).Split(new[] { ':' }, 2);
var username = credentials[0];
var password = credentials[1];
user = await _authService.Authenticate(username, password);
}
catch
{
return AuthenticateResult.Fail("Invalid Authorization Header.");
}
if (user == null)
{
return AuthenticateResult.Fail("Invalid Username or Password.");
}
var claims = new[] {
new Claim(ClaimTypes.NameIdentifier, user.Id.ToString()),
new Claim(ClaimTypes.Name, user.UserName),
};
var identity = new ClaimsIdentity(claims, Scheme.Name);
var principal = new ClaimsPrincipal(identity);
var ticket = new AuthenticationTicket(principal, Scheme.Name);
return AuthenticateResult.Success(ticket);
}
}
我有一个针对活动目录进行身份验证的身份验证服务:
class BasicAuthenticationActiveDirectoryService : IBasicAuthenticationService
{
private class User : IBasicAuthenticationServiceUser
{
public string Id { get; set; }
public string UserName { get; set; }
public string Lastname { get; set; }
public string FirstName { get; set; }
public string Email { get; set; }
}
public async Task<IBasicAuthenticationServiceUser> Authenticate(string username, string password)
{
string domain = GetDomain(username);
using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, domain))
{
// validate the credentials
bool isValid = pc.ValidateCredentials(username, password);
if (isValid)
{
User user = new User()
{
Id = username,
UserName = username
};
UserPrincipal up = UserPrincipal.FindByIdentity(pc, username);
user.FirstName = up.GivenName;
user.Lastname = up.Surname;
user.Email = up.EmailAddress;
return user;
}
else
{
return null;
}
}
}
private string GetDomain(string username)
{
if (string.IsNullOrEmpty(username))
{
throw new ArgumentNullException(nameof(username), "User name cannot be null or empty.");
}
int delimiter = username.IndexOf("\");
if (delimiter > -1)
{
return username.Substring(0, delimiter);
}
else
{
return null;
}
}
}
我把它连接到我的 startup.cs:
public void ConfigureServices(IServiceCollection services)
{
// configure DI for application services
services.AddScoped<IBasicAuthenticationService, BasicAuthenticationActiveDirectoryService>();
//Set up basic authentication
services.AddAuthentication("BasicAuthentication")
.AddScheme<Microsoft.AspNetCore.Authentication.AuthenticationSchemeOptions, BasicAuthenticationHandler>("BasicAuthentication", null);
...
}
我在 startup.cs 中设置了身份验证和授权:
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
...
app.UseHttpsRedirection();
app.UseRouting();
app.UseAuthorization();
app.UseAuthentication();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
}
尝试调换 app.UseAuthorization() 和 app.UseAuthentication() 的顺序。因为UseAuthentication会解析token,然后提取用户的信息给HttpContext.User。然后UseAuthorization会根据认证方案进行授权。