窗口身份验证时如何控制登录对话框?
[英]How to control login dialog when Window Authentication?
问题描述
the workflow as below
工作流程如下
- I set the application with webapi in IIS as window authentication我在 IIS 中使用 webapi 将应用程序设置为窗口身份验证
- using ajax to access this webapi,使用ajax访问这个webapi,
- popup the login dialogue (window system dialogue), I think the request to IIS with anonymous, then respond 401 error to the client, the browser popup dialogue.弹出登录对话框(window system dialog),我以为是匿名请求给IIS,然后给客户端响应401错误,浏览器弹出对话框。
- I enter correct domain account, it passes IIS window authentication我输入了正确的域帐户,它通过了 IIS 窗口身份验证
The request goes to web API, I expand "AuthorizationFilterAttribute" to validate if it has a specified role.
请求转到 Web API,我展开“AuthorizationFilterAttribute”以验证它是否具有指定的角色。 but this account has not.但是这个账号没有。a.
一种。 if I respond it also as 401 status.如果我也将其响应为 401 状态。 the result is that the login dialogue popup again and again.结果是登录对话框一次又一次地弹出。 But the expectation is dialogue disappear and go to an error page.但是期望对话消失并转到错误页面。
b.湾if I respond it 200 status with an error message to the client.如果我用错误消息向客户端响应它 200 状态。 I cannot make the dialogue popup again.我无法再次弹出对话框。 I guess it caused by header "Persistent-Auth:true"我猜它是由标题“Persistent-Auth:true”引起的
I search it from the internet and get the below information.我从互联网上搜索并获得以下信息。
The browser pops up a login prompt when both of the following conditions are met:当同时满足以下两个条件时,浏览器会弹出登录提示:
HTTP status is 4xx WWW-Authenticate header is present in the response HTTP 状态为 4xx WWW-Authenticate 标头存在于响应中
So, I try to remove "WWW-Authenticate", but never success.因此,我尝试删除“WWW-Authenticate”,但从未成功。 As long as I set只要我设定
"StatusCode = System.Net.HttpStatusCode.Unauthorized" for "HttpResponseMessage", the client browser always gets "WWW-Authenticate". “StatusCode = System.Net.HttpStatusCode.Unauthorized”为“HttpResponseMessage”,客户端浏览器总是得到“WWW-Authenticate”。 It seems the window authentication module in IIS covers the information. IIS 中的窗口身份验证模块似乎涵盖了这些信息。
//responseMessage.Content.Headers.Remove("WWW-Authenticate"); //responseMessage.Content.Headers.Remove("WWW-Authenticate"); //responseMessage.Content.Headers.Remove("Persistent-Auth"); //responseMessage.Content.Headers.Remove("Persistent-Auth");
So, my question is that所以,我的问题是
how to remove "WWW-Authenticate" or "Persistent-Auth"?如何删除“WWW-Authenticate”或“Persistent-Auth”? OR或者
how to pop up login dialogue when the status is 200?状态为200时如何弹出登录对话框? Thanks.谢谢。
Joey乔伊
1 个解决方案
解决方案1
0 2019-12-06 09:07:59
Actually I did it like you mentioned as below.其实我是按照你下面提到的那样做的。
HttpResponseMessage responseMessage = new HttpResponseMessage()
{
Content = new StringContent(JsonConvert.SerializeObject(message)),
//StatusCode = System.Net.HttpStatusCode.Forbidden
StatusCode = System.Net.HttpStatusCode.Unauthorized
};
But there is a bad user practice.但是有一个不好的用户习惯。 When it response Unauthorized to client.当它响应 Unauthorized 给客户端时。 The login dialog would flash once, and login dialog appears again.登录对话框将闪烁一次,然后再次出现登录对话框。
The Expected is that enter user account and password and clicking OK button, then server side response Unauthorized to client.预期是输入用户帐户和密码并单击确定按钮,然后服务器端响应未授权给客户端。 Then login dialog disappears and show error page to tell user has not permission.然后登录对话框消失并显示错误页面,告诉用户没有权限。 Click login button to show login dialog again.单击登录按钮再次显示登录对话框。
The above is the question 1.以上是问题1。
The question 2, if I use "Forbidden" instead of Unauthorized, then I could implement the above expected, but login dialog would be no longer show again.问题2,如果我使用“Forbidden”而不是Unauthorized,那么我可以实现上述预期,但登录对话框将不再显示。
The question 3, if I enter the incorrect account or password, then it response statuscode as 0, and the login dialog also cannot show again.问题3,如果我输入了错误的帐户或密码,则响应statuscode为0,并且登录对话框也无法再次显示。 Even I press f5 to refresh it.即使我按 f5 来刷新它。 Unless I close chrome and open it again.除非我关闭 chrome 并再次打开它。
Well, window authentication is not easy to use.嗯,窗口认证不好用。
Thanks.谢谢。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.