
我希望有人能帮我解决以下问题：我一直在研究运行在 .NET 4.0 和 EF 代码优先上的 MVC4 Web API，正在尝试将基本身份验证与 [Authorize] 属性结合使用。它在我的 Azure 试用版和 localhost 上都能正常工作，但在 foxxl 托管上不行：它一直要求我输入凭据，而我在 foxxl 托管上输入的凭据都被判定为无效。为了便于测试我没有使用 HTTPS，这会在发布版本中加上。（标题：Web API Windows 身份验证在 foxxl 上未经授权）

下面是我为基本身份验证添加的一些示例代码：

Web配置

<system.web> 
    <!-- Troubleshooting settings: with customErrors off and debug="true" every client
         gets stack traces and file paths in error pages. Switch to mode="RemoteOnly"
         (or "On") and debug="false" before the release build mentioned in the question. -->
    <customErrors mode="Off" /> 
    <compilation debug="true" targetFramework="4.0" /> 
    <!-- The answer below says to remove this line. "Windows" is also the documented default
         for this element, so removing it alone changes little; mode="None" is the value
         normally used when a custom module (BasicAuthHttpModule) sets the principal itself. -->
    <authentication mode="Windows" /> 
    <pages> 
     <namespaces> 
     <add namespace="System.Web.Helpers" /> 
     <add namespace="System.Web.Mvc" /> 
     <add namespace="System.Web.Mvc.Ajax" /> 
     <add namespace="System.Web.Mvc.Html" /> 
     <add namespace="System.Web.Optimization" /> 
     <add namespace="System.Web.Routing" /> 
     <add namespace="System.Web.WebPages" /> 
     </namespaces> 
    </pages> 
    <profile defaultProvider="DefaultProfileProvider"> 
     <providers> 
     <add name="DefaultProfileProvider" type="System.Web.Providers.DefaultProfileProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" applicationName="/" /> 
     </providers> 
    </profile> 
    <!-- NOTE(review): this membership provider is not what BasicAuthHttpModule checks —
         the module looks up Companies in the EF context. Two separate credential stores;
         confirm the provider is still needed. -->
    <membership defaultProvider="DefaultMembershipProvider"> 
     <providers> 
     <add name="DefaultMembershipProvider" type="System.Web.Providers.DefaultMembershipProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" /> 
     </providers> 
    </membership> 
    <roleManager defaultProvider="DefaultRoleProvider"> 
     <providers> 
     <add name="DefaultRoleProvider" type="System.Web.Providers.DefaultRoleProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" applicationName="/" /> 
     </providers> 
    </roleManager> 

    <sessionState mode="InProc" customProvider="DefaultSessionProvider"> 
     <providers> 
     <add name="DefaultSessionProvider" type="System.Web.Providers.DefaultSessionStateProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" /> 
     </providers> 
    </sessionState> 
    </system.web> 
    <system.webServer> 
    <!-- Suppresses the startup error for system.web settings that are invalid in the
         integrated pipeline; that hides misconfiguration rather than fixing it. -->
    <validation validateIntegratedModeConfiguration="false" /> 
    <!-- The custom Basic-auth module is registered here, which only takes effect in the
         integrated pipeline. NOTE(review): the handlers below carry both classicMode and
         integratedMode preConditions, so which pipeline the host uses is not known from
         this file; in classic mode this section is ignored (system.web/httpModules would
         be needed) and any challenge seen would come from IIS itself, not this module.
         Basic auth transmits the password Base64-encoded, not encrypted, so HTTPS is
         required once this leaves the test setup. -->
    <modules runAllManagedModulesForAllRequests="true"> 
     <add name="BasicAuthHttpModule" type="KlantenBestand.BasicAuthHttpModule, KlantenBestand"/> 
    </modules> 
    <handlers> 
     <remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" /> 
     <remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" /> 
     <remove name="ExtensionlessUrlHandler-Integrated-4.0" /> 
     <add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" /> 
     <add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" /> 
     <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" /> 
    </handlers> 
    </system.webServer> 

TestController

 [Authorize]
     /// <summary>
     /// Returns 200 OK with the name of the caller's identity. The identity is
     /// whatever the authentication module placed on HttpContext.Current.User.
     /// </summary>
     public HttpResponseMessage Get()
     {
      var callerName = HttpContext.Current.User.Identity.Name;
      return Request.CreateResponse(HttpStatusCode.OK, callerName);
     }

BasicAuthHttpModule

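/// <summary>
/// HTTP module implementing HTTP Basic authentication against the Companies table:
/// the Authorization header is decoded during AuthenticateRequest, and a
/// WWW-Authenticate challenge is added to any 401 response during EndRequest.
/// Basic auth carries the password Base64-encoded (not encrypted); it must only be
/// used over HTTPS outside of testing.
/// </summary>
public class BasicAuthHttpModule : IHttpModule
{
    private const string Realm = "KlantenBestand";

    /// <summary>Registers the pipeline event handlers.</summary>
    /// <param name="context">The application whose events are subscribed to.</param>
    public void Init(HttpApplication context)
    {
        context.AuthenticateRequest += OnApplicationAuthenticateRequest;
        context.EndRequest += OnApplicationEndRequest;
    }

    // Makes the principal visible both to Thread.CurrentPrincipal (what [Authorize]
    // consults) and to HttpContext.Current.User (what the controller reads).
    private static void SetPrincipal(IPrincipal principal)
    {
        Thread.CurrentPrincipal = principal;
        var httpContext = HttpContext.Current;
        if (httpContext != null)
        {
            httpContext.User = principal;
        }
    }

    /// <summary>
    /// Looks the company up by e-mail address and compares its stored hash with the
    /// MD5 of the supplied password. Returns false for an unknown address, a company
    /// without a stored password, or a mismatch.
    /// </summary>
    private static bool CheckPassword(string username, string password)
    {
        if (string.IsNullOrEmpty(username) || password == null)
        {
            return false;
        }

        // A DbContext is not thread-safe. The original kept a single static context
        // shared by every concurrent request; create one per check instead.
        using (var db = new KlantenBestandContext())
        {
            var company = db.Companies.FirstOrDefault(u => u.EmailAdress.Equals(username));
            if (company == null || company.Password == null)
            {
                return false;
            }

            return FixedTimeEquals(company.Password, Md5Hash(password));
        }
    }

    // Ordinal, case-sensitive equality (same semantics as string.Equals) whose
    // running time does not depend on where the first differing character is.
    private static bool FixedTimeEquals(string expected, string actual)
    {
        if (expected.Length != actual.Length)
        {
            return false;
        }

        int difference = 0;
        for (int i = 0; i < expected.Length; i++)
        {
            difference |= expected[i] ^ actual[i];
        }
        return difference == 0;
    }

    /// <summary>
    /// Decodes the Base64 "user:password" parameter of a Basic Authorization header,
    /// validates it, and on success installs a GenericPrincipal for the request.
    /// </summary>
    /// <param name="credentials">The Base64 parameter following the "Basic" scheme.</param>
    /// <returns>true when the credentials were accepted; false otherwise.</returns>
    private static bool AuthenticateUser(string credentials)
    {
        string decoded;
        try
        {
            // RFC 2617 does not fix a charset; ISO-8859-1 is the conventional choice.
            var encoding = Encoding.GetEncoding("iso-8859-1");
            decoded = encoding.GetString(Convert.FromBase64String(credentials));
        }
        catch (FormatException)
        {
            // The parameter was not valid Base64.
            return false;
        }

        // A parameter without ':' used to make Substring throw an
        // ArgumentOutOfRangeException, which the FormatException catch did not cover,
        // so a malformed header produced a 500 instead of a plain 401.
        int separator = decoded.IndexOf(':');
        if (separator < 0)
        {
            return false;
        }

        string name = decoded.Substring(0, separator);
        string password = decoded.Substring(separator + 1);

        if (!CheckPassword(name, password))
        {
            return false;
        }

        SetPrincipal(new GenericPrincipal(new GenericIdentity(name), null));
        return true;
    }

    // Reads the Authorization header and, for the Basic scheme, attempts authentication.
    private static void OnApplicationAuthenticateRequest(object sender, EventArgs e)
    {
        var request = HttpContext.Current.Request;
        var authHeader = request.Headers["Authorization"];
        if (string.IsNullOrEmpty(authHeader))
        {
            return;
        }

        // Parse() throws FormatException on a malformed header; TryParse keeps a bad
        // header a "not authenticated" outcome rather than an unhandled exception.
        AuthenticationHeaderValue authHeaderVal;
        if (!AuthenticationHeaderValue.TryParse(authHeader, out authHeaderVal))
        {
            return;
        }

        // RFC 2617 sec 1.2, "scheme" name is case-insensitive
        if (authHeaderVal.Scheme.Equals("basic", StringComparison.OrdinalIgnoreCase)
            && authHeaderVal.Parameter != null)
        {
            AuthenticateUser(authHeaderVal.Parameter);
        }
    }

    // If the request was unauthorized, add the WWW-Authenticate header
    // to the response so clients know to send Basic credentials.
    private static void OnApplicationEndRequest(object sender, EventArgs e)
    {
        var response = HttpContext.Current.Response;
        if (response.StatusCode == 401)
        {
            // AppendHeader works in both the classic and the integrated pipeline;
            // Response.Headers is only available under the integrated pipeline.
            response.AppendHeader("WWW-Authenticate",
                string.Format("Basic realm=\"{0}\"", Realm));
        }
    }

    public void Dispose()
    {
    }

    /// <summary>
    /// Lower-case hexadecimal MD5 of the ASCII bytes of <paramref name="password"/>.
    /// The format (ASCII bytes, unsalted, lower-case hex) is preserved exactly because
    /// the stored Company.Password values are compared against it; non-ASCII characters
    /// are replaced by '?' by the ASCII encoder, as before.
    /// NOTE(review): unsalted MD5 is not an acceptable password hash. Plan a migration
    /// to a salted, slow KDF (e.g. Rfc2898DeriveBytes / PBKDF2) and re-hash on login.
    /// </summary>
    /// <param name="password">The clear-text password to hash.</param>
    /// <returns>32 lower-case hex characters.</returns>
    public static string Md5Hash(string password)
    {
        // The hash provider is IDisposable; the original never released it.
        using (var md5 = new MD5CryptoServiceProvider())
        {
            byte[] digest = md5.ComputeHash(Encoding.ASCII.GetBytes(password));

            var hex = new StringBuilder(digest.Length * 2);
            foreach (byte b in digest)
            {
                // two hexadecimal digits per byte
                hex.Append(b.ToString("x2"));
            }
            return hex.ToString();
        }
    }
}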

编辑：我也尝试过在 web.config 中添加认证节，因为我的主机说这样可以解决问题。但当我这样做并在 localhost 上运行时，出现了以下错误：此配置节不能用于此路径。当节在父级别被锁定时会发生这种情况。锁定可以是默认的（overrideModeDefault="Deny"），也可以是带有 overrideMode="Deny" 或旧式 allowOverride="false" 的 location 标签。

<system.webServer> 
    <!-- system.webServer/security/authentication is locked by default in the server-level
         applicationHost.config, which is exactly the "configuration section cannot be used
         at this path" error described above. Only someone with server-level access (the
         host) can unlock it (overrideMode="Allow") or set it in IIS Manager. -->
    <security> 
     <authentication> 
      <!-- NOTE(review): basicAuthentication here is IIS's own Basic auth, which validates
           against Windows user accounts — not the Companies table BasicAuthHttpModule
           reads. With anonymous disabled, IIS would challenge and reject every request
           before the managed module runs; confirm this is really what the host intends. -->
      <anonymousAuthentication enabled="false" /> 
      <basicAuthentication enabled="true" /> 
      <windowsAuthentication enabled="false" /> 
     </authentication> 
    </security> 
    <validation validateIntegratedModeConfiguration="false" /> 
    <modules runAllManagedModulesForAllRequests="true"> 
     <add name="BasicAuthHttpModule" type="KlantenBestand.BasicAuthHttpModule, KlantenBestand"/> 
    </modules> 
    <handlers> 
     <remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" /> 
     <remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" /> 
     <remove name="ExtensionlessUrlHandler-Integrated-4.0" /> 
     <add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" /> 
     <add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" /> 
     <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" /> 
    </handlers> 
    </system.webServer> 

回答


看看你的web.config。

<authentication mode="Windows" /> 

它被设置为Windows身份验证。您需要删除该行。


是的，说得好！这是我没做对的地方之一，但不幸的是，即使删除该行后，在我的主机上仍然无法通过身份验证。有什么想法可能是什么问题吗？ – Fergers


需要更多信息。你仍然收到 401 吗？如果是，得到的响应是什么？请用 Fiddler 捕获流量，并贴出请求和响应消息。 – Badri


好的，我用 Fiddler 运行了这个请求，它只是因为凭据无效返回了 401，然后再次弹出对话框要求输入用户名和密码。我也尝试过在 web.config 中添加以下节，因为我的主机告诉我这会解决问题，但当我在 localhost 上运行时，它给出了以下提示： – Fergers
