我已在IIS7中为我的站点启用基本身份验证,并按照此link为基本身份验证请求创建处理程序。 问题是,无论用户输入什么凭证,即使输入正确的凭证,网站也会返回401。这只是一个测试,凭据会根据硬编码值进行检查。基本身份验证IHttpModule意外行为
下面是相关的代码:
public class BasicAuthenticationHttpModule : IHttpModule
{
public void Init(HttpApplication context)
{
context.BeginRequest+=context_BeginRequest;
context.AuthenticateRequest += context_AuthenticateRequest;
}
void context_AuthenticateRequest(object sender, EventArgs e)
{
HttpApplication application = (HttpApplication)sender;
TryAuthenticate(application);
}
private void context_BeginRequest(object sender, EventArgs e)
{
HttpApplication application = (HttpApplication)sender;
TryAuthenticate(application);
}
private static void TryAuthenticate(HttpApplication application)
{
if (!Authenticate(application.Context))
{
application.Context.Response.Status = "401 Unauthorized";
application.Context.Response.StatusCode = 401;
application.Context.Response.AddHeader("WWW-Authenticate", "Basic");
application.CompleteRequest();
}
}
private static bool Authenticate(HttpContext context)
{
if (context.User!=null && context.User.Identity.IsAuthenticated)
{
return true;
}
if (!context.Request.Headers.AllKeys.Contains("Authorization"))
return false;
string authHeader = HttpContext.Current.Request.Headers["Authorization"];
IPrincipal principal;
if (TryGetPrincipal(authHeader, out principal))
{
context.User = principal;
return true;
}
return false;
}
private static bool TryGetPrincipal(string[] creds, out IPrincipal principal)
{
if (creds[0] == "Administrator" && creds[1] == "SecurePassword")
{
principal = new GenericPrincipal(
new GenericIdentity("Administrator"),
new string[] { "Administrator", "User" }
);
return true;
}
if (creds[0] == "BasicUser" && creds[1] == "Password")
{
principal = new GenericPrincipal(
new GenericIdentity("BasicUser"),
new string[] { "User", "SystemUser" }
);
return true;
}
else
{
principal = null;
return false;
}
}
当客户端进入正确的凭据(即“BasicUser”,“密码”),则创建GenericPrincipal对象和分配给的HttpContext的用户属性。展望Request.IsAuthenticated告诉它它是true
。
这就是为什么我不明白为什么客户端一次又一次地接收401。
我不知道所有的管道是如何工作的 - 可能是基本身份验证进一步到一些IIS HttpModule,它也服务于请求?或者可能代码不完整,需要扩展context_BeginRequest
? (我知道,在表单身份验证类型的情况下,你做类似Response.Redirect(goodguy.aspx))
无论如何,任何帮助/问题的赞赏。
忘了提及,在web.config中我还摆放
<system.webServer>
<modules>
<add name="BasicAuthenticationHttpModule" type="Analytics.BasicAuthenticationHttpModule" />
</modules>
</system.webServer>