
What does HostAuthenticationFilter do?

Can someone explain the meaning of these two lines of code in the Register() method of my WebApiConfig.cs file?

// Web API configuration and services
// Configure Web API to use only bearer token authentication.
config.SuppressDefaultHostAuthentication();
config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));

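I assume it adds HostAuthentication to the application. But even if I don't pass a bearer token with my request, I am still able to get the data. So what is the point of adding this filter?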

I usually keep the following comments in my code as a reminder of what they are for.

// Configure Web API to use only bearer token authentication.
// If you don't want the OWIN authentication to flow to your Web API then call 
// SuppressDefaultHostAuthentication on your HttpConfiguration. 
// This blocks all host level authentication at that point in the pipeline.
config.SuppressDefaultHostAuthentication();
//config.Filters.Add(new HostAuthenticationFilter(Microsoft.Owin.Security.OAuth.OAuthDefaults.AuthenticationType));

// “Host-level authentication” is authentication performed by the host (such as IIS), 
// before the request reaches the Web API framework. 
// ----
// Often, you may want to enable host-level authentication for the rest of your application, 
// but disable it for your Web API controllers. For example, a typical scenario is to 
// enable Forms Authentication at the host level, but use token-based authentication for Web API.
// ----
// To disable host-level authentication inside the Web API pipeline, call config.SuppressHostPrincipal() 
// in your configuration. This causes Web API to remove the IPrincipal from any request that enters 
// the Web API pipeline. Effectively, it "un-authenticates" the request.
config.SuppressHostPrincipal();

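Also, if you can still access the action's data, you probably have not applied the [Authorize] attribute to the controller or action to restrict access.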

Related reading: Host authentication and Web API with OWIN and active vs. passive authentication middleware
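
The behaviour discussed in this thread, as an added example that is not part of the original posts: HostAuthenticationFilter only authenticates (it sets the principal when a valid bearer token is present), so a request without a token is still served unless an [Authorize] filter rejects it. The controller, routes and the global AuthorizeAttribute registration are assumptions for illustration; the sketch assumes the Microsoft.AspNet.WebApi.Owin and Microsoft.Owin.Security.OAuth packages and that the OWIN bearer middleware is registered in the Startup class.

```csharp
using System.Web.Http;
using Microsoft.Owin.Security.OAuth;

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Discard any principal set by the host or by earlier OWIN middleware
        // (for example a cookie identity) once the request enters Web API.
        config.SuppressDefaultHostAuthentication();

        // Authentication only: ask the OWIN "Bearer" middleware to validate the
        // token and, if it is valid, set the request principal. A missing or
        // invalid token is NOT rejected here; the request continues as anonymous.
        config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));

        // Authorization (assumed addition): require an authenticated principal
        // on every action unless it opts out with [AllowAnonymous].
        config.Filters.Add(new AuthorizeAttribute());

        config.MapHttpAttributeRoutes();
    }
}

// Hypothetical controller used only to show the two outcomes.
[RoutePrefix("api/reports")]
public class ReportsController : ApiController
{
    // Without a valid bearer token: 401, produced by the global AuthorizeAttribute.
    // With a valid token: 200 and the name taken from the token's identity.
    [HttpGet, Route("")]
    public IHttpActionResult Get()
    {
        return Ok(new { owner = User.Identity.Name });
    }

    // Explicitly public: served even when no token is sent.
    [AllowAnonymous]
    [HttpGet, Route("ping")]
    public IHttpActionResult Ping()
    {
        return Ok("pong");
    }
}
```

Removing the global AuthorizeAttribute line reproduces what the question describes: both actions answer without a token, because nothing in the pipeline demands an authenticated principal.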
