堆栈内存溢出
  繁体   English   中英

使用带有SPA的WEB API 2进行OWIN和表单身份验证

[英]OWIN and Forms Authentication with WEB API 2 with SPA

 原文  2013-11-05 15:14:29       javascript/ .net/ asp.net-web-api/ single-page-application/ owin

问题描述

我有一个由SPA JavaScript应用程序引用的Web API 2项目。

我正在使用OWIN对请求进行身份验证,并在使用Forms身份验证登录时,在每次发送回服务器时,我的资源在登录后都未经过身份验证。

App_Start / WebApiConfig.cs 

namespace API
{
    public static class WebApiConfig
    {
        public static void Register(HttpConfiguration config)
        {
            // Web API configuration and services
            // Configure Web API to use only bearer token authentication.
            config.SuppressDefaultHostAuthentication();
            config.Filters.Add(new HostAuthenticationFilter(Startup.OAuthBearerOptions.AuthenticationType));

            config.EnableCors(new EnableCorsAttribute(
                origins: "*", headers: "*", methods: "*"));

            // Web API routes
            config.MapHttpAttributeRoutes();

            config.Routes.MapHttpRoute(
                name: "DefaultApi",
                routeTemplate: "api/{controller}/{id}",
                defaults: new { id = RouteParameter.Optional }
            );

            // Use camel case for JSON data.
            config.Formatters.JsonFormatter.SerializerSettings.ContractResolver =
                new CamelCasePropertyNamesContractResolver();
        }
    }
}

/Startup.cs 

[assembly: OwinStartup(typeof(API.Startup))]

namespace API
{
    public partial class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            ConfigureAuth(app);
        }
    }
}

App_Start / Startup.Auth.cs 

namespace API
{
    public partial class Startup
    {
        static Startup()
        {
            OAuthBearerOptions = new OAuthBearerAuthenticationOptions();
        }

        public static OAuthBearerAuthenticationOptions OAuthBearerOptions { get; private set; }

        public void ConfigureAuth(IAppBuilder app)
        {
            app.UseCookieAuthentication(new CookieAuthenticationOptions());
            app.UseOAuthBearerAuthentication(OAuthBearerOptions);
        }
    }
}

控制器/ AccountController.cs 

namespace API.Controllers
{
    public class AccountController : ApiController
    {

        public AccountController()
        {
            HttpContext.Current.Response.SuppressFormsAuthenticationRedirect = true;
        }

        [HttpPost]
        [AllowAnonymous]
        [Route("api/account/login")]
        [EnableCors(origins: "*", headers: "*", methods: "*", SupportsCredentials = true)]
        public HttpResponseMessage Login(LoginBindingModel login)
        {
            var authenticated = false;
            if (authenticated || (login.UserName == "a" && login.Password == "a"))
            {
                var identity = new ClaimsIdentity(Startup.OAuthBearerOptions.AuthenticationType);
                identity.AddClaim(new Claim(ClaimTypes.Name, login.UserName));

                AuthenticationTicket ticket = new AuthenticationTicket(identity, new AuthenticationProperties());
                var currentUtc = new SystemClock().UtcNow;
                ticket.Properties.IssuedUtc = currentUtc;
                ticket.Properties.ExpiresUtc = currentUtc.Add(TimeSpan.FromMinutes(30));

                var token = Startup.OAuthBearerOptions.AccessTokenFormat.Protect(ticket);
                var response = new HttpResponseMessage(HttpStatusCode.OK)
                {
                    Content = new ObjectContent<object>(new  
                    { 
                        UserName = login.UserName,
                        AccessToken = token
                    }, Configuration.Formatters.JsonFormatter)
                };

                FormsAuthentication.SetAuthCookie(login.UserName, true);

                return response;
            }

            return new HttpResponseMessage(HttpStatusCode.BadRequest);
        }

        [HttpGet]
        [Route("api/account/profile")]
        [Authorize]
        public HttpResponseMessage Profile()
        {
            return new HttpResponseMessage(HttpStatusCode.OK)
            {
                Content = new ObjectContent<object>(new
                {
                    UserName = User.Identity.Name
                }, Configuration.Formatters.JsonFormatter)
            };
        }
    }
}

然后我用JavaScript调用它: 

       $httpProvider.defaults.withCredentials = true;

       login: function(user, success, error) {
            return $http.post('/api/account/login', user);
        },

        profile:function(){
            return $http.get('/api/account/profile');
        }

我的cookie在浏览器上设置:

ASPXAUTH 040E3B4141C86457CC0C6A10781CA1EFFF1A32833563A6E7C0EF1D062ED9AF079811F1600F6573181B04FE3962F36CFF45F183378A3E23179E89D8D009C9E6783E366AF5E4EDEE39926A39E64C76B165

但登录后,进一步的请求被视为未经授权......

状态码:401未经授权

我觉得我真的很想忘了一件小件,有人有什么想法吗?

2 个解决方案

解决方案1
 4  2013-11-06 01:20:22

您是否在应用中使用了Bearer令牌? 如果您没有使用它并且只想使用cookie,请删除以下代码: 

        // Web API configuration and services
        // Configure Web API to use only bearer token authentication.
        config.SuppressDefaultHostAuthentication();
        config.Filters.Add(new HostAuthenticationFilter(Startup.OAuthBearerOptions.AuthenticationType));

上面的代码只允许web api的承载认证。

您也可以删除app.UseOAuthBearerAuthentication(OAuthBearerOptions); 从OWIN管道中删除承载认证中间件。

如果要在应用程序中使用bearer token,则需要在浏览器中发送ajax请求之前设置令牌。

解决方案2
 4 已采纳  2014-01-03 15:24:33

发布时间太长但添加了有关如何在github gist上设置此内容的所有细节。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 REST API:安全处理Java SPA中的身份验证 Web API身份验证和SSL 具有API和MONGOOSE的简单Web SPA(带有ID的问题) SPA RSA 2048认证 Web 认证 API 奇怪的行为 React SPA with Express Backend API - 将 JWT 存储在 localstorage 中并限制 API 访问仅限 SPA 的 Web 服务器 IP SPA - Firebase 和 .Net WebApi 2 身份验证 具有Web API安全性的Spa应用程序。 具有JWT的登录用户能否向API发出随机请求 Web音频API中的自定义波形 在 Web 表单网站中包含 API 端点?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM