堆栈内存溢出
  简体   繁体   English

使用WPF客户端对MVC 4 Web Api进行身份验证和授权

[英]Authentication & Authorization with WPF Client to MVC 4 Web Api

 原文  2013-05-07 18:37:33       c#/ authentication/ asp.net-mvc-4/ dotnet-httpclient

问题描述

I have created a MVC 4 Web Api using Entity Framework Code-First and a WPF-Application as a client in VS 2012. 我已使用Entity Framework Code-First和WPF-Application作为VS 2012中的客户端创建了MVC 4 Web Api。

The problem I'm struggling with at the moment is that I have to enable Authentication from the client and authorize users for access to the Api (for example: Every authenticated user can access GET methods but only admins can use POST or DELETE). 我目前遇到的问题是,我必须从客户端启用身份验证并授权用户访问Api(例如:每个经过身份验证的用户都可以访问GET方法,但只有管理员可以使用POST或DELETE)。 I used MVC 4 Internet Application because of Forms Authentication already being included, which worked fine until I tried to login from my client application. 我之所以使用MVC 4 Internet应用程序,是因为它已经包含了表单身份验证,在我尝试从客户端应用程序登录之前,它可以正常工作。 After spending some time researching my problem about I realised that Forms Authentication is mainly supposed to work with webbrowsers. 在花了一些时间研究我的问题之后,我意识到Forms Authentication主要应该与Web浏览器一起使用。 I even found some possible solutions to get it working with HttpClient using CookieContainers (eg: How do I set a cookie on HttpClient's HttpRequestMessage ), but nothing works for me. 我什至找到了一些可能的解决方案,以使其通过CookieContainers与HttpClient一起使用(例如: 如何在HttpClient的HttpRequestMessage上设置cookie ),但是对我来说没有任何用处。
After spending some hours researching ways to accomplish what I'm trying to do I feel completly stuck.. 花了几个小时研究完成我要完成的工作的方法后,我感到完全陷入困境。
I've read about SimpleMembershipprovider, BasicAuthentication, OAuth and someone mentioned Thinktecture.Identitymodel, but wasn't really able to decide which would work best. 我已经读过有关SimpleMembershipprovider,BasicAuthentication,OAuth的文章,并且有人提到Thinktecture.Identitymodel,但是并不能真正确定哪个最合适。
If there is really no way to use Forms Authentication when connecting with a client other than a webbrowser then what is the best Authentication/Authorization method to take? 如果与Web浏览器以外的客户端连接时,实际上没有任何方法可以使用表单身份验证,那么最佳的身份验证/授权方法是什么?

I would be very happy if anyone could provide me with a hint on what works best in this case, because after researching for hours I only get more and more confused. 如果有人可以向我提示在这种情况下最有效的方法,我将非常高兴,因为经过数小时的研究,我只会越来越困惑。

Thanks in advance for any help! 在此先感谢您的帮助!

1 个解决方案

解决方案1
 2 已采纳  2013-05-13 09:54:57

You should be able to do this easily enough, but you haven't said what your problem actually is. 您应该能够很容易地做到这一点,但是您还没有说出问题所在。 Are you 你是

  1. unable to get access to your web api actions because you aren't logged in; 由于您尚未登录,无法访问您的Web api操作; or 要么
  2. unable to make it enforce authorisation (ie you can get anonymous access to actions) 无法使其强制执行授权(即您可以匿名访问操作)

For the second scenario: 对于第二种情况:

There is a very good overview of using Authentication and Authorization in ASP.NET Web API on the server side, and the various ways you can enforce different roles on Actions. 在服务器端的ASP.NET Web API中使用身份验证和授权有一个很好的概述,以及可以在操作上实施不同角色的各种方法。

There is also another approach that is appropriate for machine-to-machine (ie where you don't have a user who will type their login details into an appliation dialog box) in Making your ASP.NET Web API's secure , but it doesn't focus on using SimpleMembershipProvider. 使ASP.NET Web API安全的过程中 ,还有另一种适用于机器对机器的方法(即,您没有用户将其登录详细信息输入到应用对话框中的用户),但这并不适用。专注于使用SimpleMembershipProvider。 Instead of using the framework auth&auth components it uses tokens (take care with this approach - rolling your own security is very very hard to get right). 它使用令牌而不是使用框架的auth&auth组件(请小心使用此方法-很难正确实现自己的安全性)。

For the first scenario: 对于第一种情况:

From the client side, it sounds like you have some a C# application that user's interact with. 从客户端看来,您好像有一些与用户交互的C#应用​​程序。 If this is the case (rather than the machine-to-machine scenario) then your Forms-based approach is still suitable, and you are doing the right thing with your cookies. 如果是这种情况(而不是机器对机器的情况),那么基于表单的方法仍然适用,并且您对Cookie所做的事情是正确的。 The approach would be: 该方法将是:

  • Ask the client to type their username and password in to your application 要求客户在您的应用程序中输入其用户名和密码
  • Send a request to your LogIn action on your AccountsController, this will return your authentication cookie, session cookie etc. 向AccountsController上的LogIn操作发送请求,这将返回身份验证cookie,会话cookie等。
  • Store the cookies that are returned from this (successful) login (or notify the client if the response was "login failed" 存储从此(成功)登录返回的cookie(如果响应为“登录失败”,则通知客户端)
  • Then use those cookies in the request to the web api 然后在向Web API的请求中使用这些cookie

As you are already talking about using HttpClient , I'm guessing you know what you are doing for this, so haven't provided code samples. 正如您已经在谈论使用HttpClient ,我想您知道您正在为此做些什么,因此没有提供代码示例。 I wouldn't use HttpClient , for what it's worth, but HttpWebRequest which allows you to keep a common CookieContainer through the HttpWebRequest.CookieContainer property. 我不会使用HttpClient来获得它的价值,而是使用HttpWebRequest ,它允许您通过HttpWebRequest.CookieContainer属性保留一个公共的CookieContainer

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Web API和WPF客户端 - Web API and WPF client Web api身份验证和MVC 4 - Web api authentication and MVC 4 ASP.NET MVC4和Web API身份验证+授权(Windows 8和Web) - ASP.NET MVC4 and Web API Authentication + Authorization (Windows 8 and Web) MVC网站和Web-api身份验证/授权失败操作(框架4.6.1) - MVC website and web-api authentication/authorization failure action (Framework 4.6.1) 如何在与 Web API 通信的 ASP.NET Core MVC 应用程序中使用自定义身份验证/授权? - How to use custom authentication/authorization in an ASP.NET Core MVC app that communicates with a Web API? 身份验证筛选器无法与Web API中的授权筛选器一起使用 - Authentication Filter not working with Authorization Filter in Web API 授权和身份验证ASP.Net Web API - Authorization and Authentication ASP.Net web api 在MVC和Web Api中进行Owin认证 - Owin Authentication In MVC and Web Api 与Web API共享的MVC身份验证 - MVC authentication shared with Web API 通过 WCF 服务对 MVC 客户端应用程序进行身份验证和授权? - Authentication and Authorization of an MVC client application throgh WCF service?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM