stackoom
  简体   繁体   中英

ASP.NET mvc 3 Anonymous Authorization not working

 原文  2015-03-27 13:35:11       asp.net/ asp.net-mvc/ asp.net-mvc-3/ anonymous

Question

I have a strange issue that of course only occurs on our production box. It works on our test server and on my box.

I have an ASP.NET MVC 3 controller that is serving exposing a RESTful API. I have enabled anonymous users to call these service with the code shown below. Calling these methods via GET works just fine (using WebRequest). However, when trying to POST data (using HttpClient) it fails with a 401 error.

This web service is hosted within another IIS site which uses Windows Auth. But I configured this directory to allow Anonymous and disabled windows auth. It lives in /Areas/Services under the main site.

I have configured IIS to allow Anonymous authentication and even enabled it in the web.config. However, when I try to POST data to this controller, I get back "401 - Unauthorized: Access is denied due to invalid credentials". I don't want any credentials! Again, GET on this same controller works fine anonymously.

This seems to be a configuration issue (since it works in QA) but I do not know any other things to configure. I have been configuring IIS websites for anonymous/windows/forms auth for 10 years but have never run into anything like this before.

Here is the code that allows MVC 3 to serve these methods up to anyone: 

[AuthorizeAnonymous]
public class LtWebsiteController : Controller
{
...
}

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = false)]
public class AuthorizeAnonymousAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (!(filterContext.Controller is LtWebsiteController))
            base.OnAuthorization(filterContext);
    }
}

This is driving me nuts! Please help.

1 answers

solution1
 1 ACCPTED  2015-03-27 13:59:00

You are likely missing HTTP headers for NTLM authentication. I would configure HttpClient to send the right credentials as part of the request. 

HttpClientHandler handler = new HttpClientHandler()
{
    UseDefaultCredentials = true
};

HttpClient client = new HttpClient(handler);

It's confusing since you are enabling anonymous authentication. But, with Windows Authentication the request needs to have proper headers. A 401 tells me the server flat out rejects the HTTP request.

http://www.asp.net/web-api/overview/security/integrated-windows-authentication

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question ASP.NET MVC: Making an anonymous action secure without authorization ASP.Net MVC 3 Allow Anonymous white list not working Url Authorization with MVC and ASP.NET Identity Authorization MVC3 ASP.NET Role based Authorization in ASP.net MVC 4 ASP.NET MVC custom authorization Authentication and role authorization in ASP.NET MVC 4 ASP.NET MVC Authorization for a dynamic path Asp.net Core MVC Roles and Authorization Data Level Authorization in ASP.Net MVC 3
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM