
Can I bypass organizational authentication for a WebAPI controller inside an MVC app?

I have an MVC5, EF6 app which uses organizational authentication (Azure AD) and all is working fine except for one thing. There is a requirement for a WebAPI controller to process requests from unauthenticated clients. The clients are normally Android devices issuing AJAX requests.

Before I added organizational authentication to my MVC app, my WebAPI controller was being called and functioned correctly so I know my routing is correct. Now I've added organizational authentication, my WebAPI controller is no longer called and the client's AJAX request times out.

I understand there are attributes such as [Authorize] to specify access to controllers/methods but when using organizational authentication, it appears that WebAPI controllers without the [Authorize] attribute do not get called.

My question is, can I mark my WebAPI controller to allow requests from unauthenticated clients, if so how can I do it?

Many thanks.

The answer is to allow anonymous connections to a specific controller by entering the xml below into the root Web.config file.

If your controller is called "PersonController", then the name you should enter into the path attribute is "person" NOT "personcontroller".

In my case, because I want to allow anonymous requests to a WebAPI controller, I need to prefix my controller name in the path attribute with "api/".

Hope this helps others who may run into the same issue.

<location path="api/my-controller-name">
  <system.web>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
</location>

If you want to allow anonymous access you can use the [AllowAnonymous] attribute.

You can either add this above the ApiController to mark the whole controller for anonymous access like:

[AllowAnonymous]
public class MyApiController : ApiController
{
}

Or you can give a specific method this attribute, to allow that method to be called anonymously:

[Authorize]
public class MyApiController : ApiController
{
    // Only this action is reachable without authentication; every other
    // action on the controller still requires an authorized user.
    [AllowAnonymous]
    public string GetData()
    {
        return "public data";
    }
}

This will block access to all methods when a user is not authorized, except the GetData() method which can be called anonymously.
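The `<location>` override from the first answer shown in the context of the root Web.config, as an added example that is not part of either answer. It assumes the organizational-accounts project template's site-wide `<deny users="?" />` rule is present and that the controller is PersonController, routed at api/person.

```xml
<configuration>
  <system.web>
    <!-- Assumed: the organizational-accounts template denies anonymous
         users site-wide. ASP.NET URL authorization evaluates this rule
         before the request reaches any MVC or Web API controller, which
         is why [AllowAnonymous] alone does not open the endpoint. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Re-open only the route prefix of the one controller that must
       serve unauthenticated clients. The path is the route
       ("api/person" for PersonController), not the class name, and it
       is kept narrow so the rest of the API stays behind the deny rule. -->
  <location path="api/person">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Authenticated callers are still admitted at api/person because the location's allow rule is evaluated first and the parent deny matches only anonymous users.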
