我有一個 .NET 6.0 Web 應用程式,它為用戶使用基于 Cookie 的身份驗證。
今天我想添加一個具有非常簡單的基本身份驗證機制的 API 控制器。
這是我的控制器:
public class DemaController : Controller
{
[HttpGet("test")]
[BasicAuthentication(username: "test", password: "abc")]
public bool Test()
{
return true;
}
}
這是我超級簡單的基本身份驗證屬性:
public class BasicAuthenticationAttribute : Attribute, IAuthorizationFilter
{
private readonly string _username;
private readonly string _password;
public BasicAuthenticationAttribute(string username, string password)
{
_username = username;
_password = password;
}
public void OnAuthorization(AuthorizationFilterContext context)
{
try
{
var authorizationHeader = context.HttpContext.Request.Headers["Authorization"];
(string username, string password) = this.GetUsernameAndPassword(authorizationHeader: authorizationHeader);
if (username != null && password != null)
{
if (username == _username && password == _password)
return; // Grant access
}
}
catch (FormatException)
{
}
context.Result = new UnauthorizedResult();
}
static System.Text.Encoding ISO_8859_1_ENCODING = System.Text.Encoding.GetEncoding("ISO-8859-1");
private (string, string) GetUsernameAndPassword(string authorizationHeader)
{
if (authorizationHeader == null || !authorizationHeader.Contains("Basic "))
return (null, null);
string encodedUsernamePassword = authorizationHeader.Substring("Basic ".Length).Trim();
string usernamePassword = ISO_8859_1_ENCODING.GetString(Convert.FromBase64String(encodedUsernamePassword));
string username = usernamePassword.Split(':')[0];
string password = usernamePassword.Split(':')[1];
return (username, password);
}
}
當我在本地機器(Visual Studio 2022 IIS Express)上運行應用程式并使用 Postman 訪問 Api 時,一切正常。正如預期的那樣,回應是“真實的”。
這就是我喂郵遞員的方式:
- 獲取 https://localhost:44360/test
- 授權型別:基本認證
- 用戶名:測驗
- 密碼:abc
所以我的自定義 BasicAuthenticationAttribute 似乎有效。我可以設定斷點(被擊中)并且對 Postman 憑據的任何更改都會回傳 Http-401 錯誤。
到目前為止,一切都很好。
Now I published my application to my production server (IIS). In Postman, I replaced "localhost:44360" by my real production domain.
My problem: Sending the request to my production server returns a 401 (and a whole ASP.NET Core default error page).
I went a little further and setup the MS Visual Studio Remote Debugger on my server. Then I set a breakpoint inside my custom BasicAuthenticationAttribute. The breakpoint is never hit. In other words: the 401 does not come from inside my attribute. It seems like my BasicAuthenticationAttribute is not touched at all on my server (but it is touched for sure on my development machine as stated before).
Let me guess: I need to add or change something in my Startup.cs?
For what it's worth: I am aware that Basic Authentication is not really safe. But for my needs it's totally fine. In any case I want to get around complex Policies, OAuth etc.
Does anybody have an idea what I need to do?
uj5u.com熱心網友回復:
現在我將我的應用程式發布到我的生產服務器 (IIS)。在 Postman 中,我將“localhost:44360”替換為我的真實生產域。
我的問題:將請求發送到我的生產服務器會回傳 401(以及整個 ASP.NET Core 默認錯誤頁面)。
嘗試檢查 IIS 是否具有基本身份驗證或 Windows 身份驗證。如果是,請在 IIS 中禁用它們并重試。
轉載請註明出處,本文鏈接:https://www.uj5u.com/qiye/440810.html
標籤:asp.net-core basic-authentication .net-6.0