[英]Authorization issue in ASP.NET Core hosted Blazor template
我在 api 的控制器函數上使用[Authorize]屬性,它總是顯示數據,這些屬性不起作用,當我調試身份用戶時,我發現它沒有經過身份驗證,但它總是發送 json 數據,而它應該發送未經身份驗證的響應,知道為什么授權屬性不起作用有什么幫助嗎?
using System;
using System.IO.Compression;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.ResponseCompression;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Newtonsoft.Json.Serialization;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using MedicalDivision.Server.Security;
using Microsoft.Extensions.Configuration;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection.Extensions;
namespace test.Server
{
public class Startup
{
private X509Certificate2 Cert { get; }
private IConfiguration Configuration { get; }
private IWebHostEnvironment Env { get; }
private ITokenProvider TokenProvider { get; }
private PasswordHelper PasswordHelper { get; }
private IHttpContextAccessor httpContextAccessor { get; }
private IServiceProvider ServiceProvider { get; }
public readonly string _myAllowSpecificOrigins = "_myAllowSpecificOrigins";
public Startup(IConfiguration configuration,IWebHostEnvironment env,IServiceProvider serviceProvider)
{
ServiceProvider = serviceProvider;
Configuration = configuration;
Env = env;
Cert = new X509Certificate2(Convert.FromBase64String(Configuration["Auth:Cert:Data"]), Configuration["Auth:Cert:Password"], X509KeyStorageFlags.MachineKeySet);
TokenProvider =new JwtTokenProvider(Cert, Configuration,env);
PasswordHelper = new PasswordHelper();
httpContextAccessor = ServiceProvider.GetService<IHttpContextAccessor>();
}
// This method gets called by the runtime. Use this method to add services to the container.
// For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=398940
public void ConfigureServices(IServiceCollection services)
{
services.AddSingleton(serviceProvider => new AuthManager(Configuration,TokenProvider));
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(o =>
{
o.TokenValidationParameters = TokenProvider.GetValidationParameters();
o.SecurityTokenValidators.Clear();
o.SecurityTokenValidators.Add(new CustomTokenValidator(ServiceProvider));
});
services.AddAuthorization();
services.AddResponseCompression(opts =>
{
opts.EnableForHttps = true;
opts.MimeTypes = ResponseCompressionDefaults.MimeTypes.Concat(new[] { "application/octet-stream", "image/png", "font/otf", "image/gif", "image/x-icon", "image/jpeg", "application/pdf", "image/svg+xml", "font/ttf", "font/woff", "font/woff2", "application/xml", "text/csv" });
});
services.Configure<GzipCompressionProviderOptions>(o =>
{
o.Level = CompressionLevel.Optimal;
});
services.AddCors(options =>
{
options.AddPolicy(_myAllowSpecificOrigins,
builder =>
{
builder
.AllowAnyOrigin()
.AllowAnyMethod()
.AllowAnyHeader();
//.AllowCredentials();
});
});
services.AddMvc().AddNewtonsoftJson();
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
app.UseAuthentication();
app.UseAuthorization();
app.UseResponseCompression();
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
app.UseBlazorDebugging();
}
app.UseCors(_myAllowSpecificOrigins);
app.UseStaticFiles();
app.UseClientSideBlazorFiles<Client.Startup>();
app.UseRouting();
app.UseEndpoints(endpoints =>
{
endpoints.MapDefaultControllerRoute();
endpoints.MapFallbackToClientSideBlazor<Client.Startup>("index.html");
});
}
}
}
和自定義驗證類:
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;
namespace test.Server.Security
{
public class CustomTokenValidator : ISecurityTokenValidator
{
private readonly JwtSecurityTokenHandler _tokenHandler;
//private readonly IHttpContextAccessor _httpContextAccessor;
private readonly HttpContextAccessor _httpContextAccessor = new HttpContextAccessor();
public CustomTokenValidator(IServiceProvider serviceProvider)
{
_tokenHandler = new JwtSecurityTokenHandler();
// _httpContextAccessor = httpContextAccessor;
// _httpContextAccessor = serviceProvider.GetService<IHttpContextAccessor>();
}
public bool CanValidateToken => true;
public int MaximumTokenSizeInBytes { get; set; } = TokenValidationParameters.DefaultMaximumTokenSizeInBytes;
public bool CanReadToken(string securityToken)
{
return _tokenHandler.CanReadToken(securityToken);
}
public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters,
out SecurityToken validatedToken)
{
//How to access HttpContext/IP address from here?
var httpContext = _httpContextAccessor.HttpContext;
var xx = httpContext.Connection.RemoteIpAddress;
//simple condition for testing
var yy = xx.ToString()=="::1";
if (yy)
{
validatedToken=null;
return null;
}
var principal = _tokenHandler.ValidateToken(securityToken, validationParameters, out validatedToken);
return principal;
}
}
}
這是控制器:
[HttpGet]
[Authorize]
public IEnumerable<WeatherForecast> Get()
{
var rng = new Random();
var r= Enumerable.Range(1, 5).Select(index => new WeatherForecast
{
Date = DateTime.Now.AddDays(index),
TemperatureC = rng.Next(-20, 55),
Summary = Summaries[rng.Next(Summaries.Length)]
})
.ToList();
r.Add(new WeatherForecast(){Date =DateTime.Now,TemperatureC =111111,Summary = $"{HttpContext.User.Identity.IsAuthenticated}"});
return r;
}
希望發送未授權的結果,而是發送數據。
HttpContext.User.Identity.IsAuthenticated給出false但仍顯示數據。
aut&auth 的中間件需要稍后配置:
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
// not here
// app.UseAuthentication();
// app.UseAuthorization();
app.UseResponseCompression();
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
app.UseBlazorDebugging();
}
app.UseCors(_myAllowSpecificOrigins);
app.UseStaticFiles();
app.UseClientSideBlazorFiles<Client.Startup>();
app.UseRouting();
// but here
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapDefaultControllerRoute();
endpoints.MapFallbackToClientSideBlazor<Client.Startup>("index.html");
});
}
它們必須添加到路由下面(在之后執行)。
也許你需要這樣的東西:
services.AddMvcCore(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
});
Blazor WASM Asp.net 核心是否托管 = Blazor 服務器端?
[英]Is Blazor WASM Asp.net core Hosted = Blazor server side?
部署托管到 Azure 的 Blazor WebAssembly 應用 ASP.NET Core
[英]Deploy Blazor WebAssembly App ASP.NET Core hosted to Azure
如何使用 ASP.NET 核心托管發布 Blazor WebAssembly
[英]How to publish Blazor WebAssembly with ASP.NET Core hosted
Blazor,ASP.NET Core 托管與 ASP.NET Core 中的服務器端
[英]Blazor, ASP.NET Core Hosted vs Server Side in ASP.NET Core
Blazor Webassembly (PWA) 是否支持獨立的 session 存儲(不在 asp.net 內核中托管)?
[英]Is session storage supported in Blazor Webassembly (PWA) standalone (Not hosted in asp.net core)?
Blazor WebAssembly 應用程序與個人帳戶和 ASP.NET 核心托管 - 令牌請求 - “錯誤”:“unauthorized_client”
[英]Blazor WebAssembly App with Individual Accounts and ASP.NET Core Hosted - Token request - "error": "unauthorized_client"
對於托管在 asp.net core 中的 Blazor Wasm,User.Identity.Name 為 null
[英]User.Identity.Name is null for Blazor Wasm hosted in asp.net core
如何使用 ASP.NET Core Hosted 生成 Blazor wasm 腳手架 CRUD (EF)
[英]How to generate Blazor wasm scaffolded CRUD (EF) wiht ASP.NET Core Hosted
Blazor WebAssembly 應用程序與個人帳戶和 ASP.NET 核心托管 - 禁用用戶注冊
[英]Blazor WebAssembly App with Individual Accounts and ASP.NET Core Hosted - Disable user registration
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.