从ASP.NET Core 1.1 MVC迁移到2.0后,自定义cookie身份验证不起作用 [英] Custom cookie authentication not working after migration from ASP.NET Core 1.1 MVC to 2.0
问题描述
我已经将ASP.NET Core 1.1 MVC项目迁移到ASP.NET Core 2.0,现在我注意到,对应用程序未授权部分的请求不再产生"401未经授权"响应,而是导致代码异常,导致响应"500内部服务器错误".
I have migrated an ASP.NET Core 1.1 MVC project to ASP.NET Core 2.0 and now I note that requests to unauthorized sections of the application no longer result with a "401 Unauthorized" response but rather with a code exception leading to a response "500 internal server error".
日志文件中的示例摘录(约翰史密斯无权执行他尝试访问的控制器操作):
An example excerpt from the log file (John Smith is not authorized to acces the controller action he tried to access):
2018-01-02 19:58:23 [DBG] Request successfully matched the route with name '"modules"' and template '"m/{ModuleName}"'.
2018-01-02 19:58:23 [DBG] Executing action "Team.Controllers.ModulesController.Index (Team)"
2018-01-02 19:58:23 [INF] Authorization failed for user: "John Smith".
2018-01-02 19:58:23 [INF] Authorization failed for the request at filter '"Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter"'.
2018-01-02 19:58:23 [INF] Executing ForbidResult with authentication schemes ([]).
2018-01-02 19:58:23 [INF] Executed action "Team.Controllers.ModulesController.Index (Team)" in 146.1146ms
2018-01-02 19:58:23 [DBG] System.InvalidOperationException occurred, checking if Entity Framework recorded this exception as resulting from a failed database operation.
2018-01-02 19:58:23 [DBG] Entity Framework did not record any exceptions due to failed database operations. This means the current exception is not a failed Entity Framework database operation, or the current exception occurred from a DbContext that was not obtained from request services.
2018-01-02 19:58:23 [ERR] An unhandled exception has occurred while executing the request
System.InvalidOperationException: No authenticationScheme was specified, and there was no DefaultForbidScheme found.
at Microsoft.AspNetCore.Authentication.AuthenticationService.<ForbidAsync>d__12.MoveNext()
...
我使用自定义cookie身份验证,作为中间件实现.这是我的Startup.cs(app.UseTeamAuthentication()是对中间件的调用):
I use a custom cookie authentication, implemented as a middleware. Here is my Startup.cs (app.UseTeamAuthentication() is the call to the middleware):
public class Startup
{
public Startup(IHostingEnvironment env)
{
var builder = new ConfigurationBuilder()
.SetBasePath(env.ContentRootPath)
.AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
.AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true);
builder.AddEnvironmentVariables();
Configuration = builder.Build();
}
public IConfigurationRoot Configuration { get; }
public void ConfigureServices(IServiceCollection services)
{
services.Configure<MyAppOptions>(Configuration);
services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();
services.AddDbContext<ApplicationDbContext>(options => options
.ConfigureWarnings(warnings => warnings.Throw(CoreEventId.IncludeIgnoredWarning))
.ConfigureWarnings(warnings => warnings.Throw(RelationalEventId.QueryClientEvaluationWarning)));
services.AddAuthorization(options =>
{
options.AddPolicy(Security.TeamAdmin, policyBuilder => policyBuilder.RequireClaim(ClaimTypes.Role, Security.TeamAdmin));
options.AddPolicy(Security.SuperAdmin, policyBuilder => policyBuilder.RequireClaim(ClaimTypes.Role, Security.SuperAdmin));
});
services.AddDistributedMemoryCache();
services.AddSession(options =>
{
options.IdleTimeout = System.TimeSpan.FromMinutes(5);
options.Cookie.HttpOnly = true;
});
services.AddMvc()
.AddJsonOptions(options => options.SerializerSettings.ContractResolver = new DefaultContractResolver())
.AddViewLocalization(
LanguageViewLocationExpanderFormat.SubFolder,
options => { options.ResourcesPath = "Resources"; })
.AddDataAnnotationsLocalization();
services.Configure<RequestLocalizationOptions>(options =>
{
options.DefaultRequestCulture = new RequestCulture("en-US");
options.SupportedCultures = TeamConfig.SupportedCultures;
options.SupportedUICultures = TeamConfig.SupportedCultures;
options.RequestCultureProviders.Insert(0, new MyCultureProvider(options.DefaultRequestCulture));
});
services.AddScoped<IViewLists, ViewLists>();
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
loggerFactory.AddConsole(Configuration.GetSection("Logging"));
loggerFactory.AddDebug();
Log.Logger = new LoggerConfiguration()
.MinimumLevel.Debug()
.WriteTo.File("log.txt", outputTemplate: "{Timestamp:yyyy-MM-dd HH:mm:ss} [{Level:u3}] {Message}{NewLine}{Exception}")
.CreateLogger();
loggerFactory.AddSerilog();
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
app.UseDatabaseErrorPage();
}
bool UseHttps = Configuration.GetValue("Https", false);
if (UseHttps)
{
app.UseRewriter(new RewriteOptions().AddRedirectToHttps());
}
app.UseStaticFiles();
app.UseTeamDatabaseSelector();
app.UseTeamAuthentication();
var localizationOptions = app.ApplicationServices.GetService<IOptions<RequestLocalizationOptions>>();
app.UseRequestLocalization(localizationOptions.Value);
app.UseSession();
app.UseMvc(routes =>
{
routes.MapRoute(
name: "modules",
template: "m/{ModuleName}",
defaults: new { controller = "Modules", action = "Index" }
);
routes.MapRoute(
name: "actions",
template: "a/{action}",
defaults: new { controller = "Actions" }
);
routes.MapRoute(
name: "modules_ex",
template: "mex/{action}",
defaults: new { controller = "ModulesEx" }
);
routes.MapRoute(
name: "default",
template: "{controller=Home}/{action=Index}/{id?}");
});
}
}
这是中间件:
public class TeamAuthentication
{
private readonly RequestDelegate next;
private readonly ILogger<TeamAuthentication> logger;
public TeamAuthentication(RequestDelegate _next, ILogger<TeamAuthentication> _logger)
{
next = _next;
logger = _logger;
}
public async Task Invoke(HttpContext context, ApplicationDbContext db)
{
if (TeamConfig.AuthDebug)
{
logger.LogDebug("Auth-Invoke: " + context.Request.Path);
}
const string LoginPath = "/Login";
const string LoginPathTimeout = "/Login?timeout";
const string LogoutPath = "/Logout";
bool Login =
(context.Request.Path == LoginPath ||
context.Request.Path == LoginPathTimeout);
bool Logout = (context.Request.Path == LogoutPath);
string TokenContent = context.Request.Cookies["t"];
bool DatabaseSelected = context.Items["ConnectionString"] != null;
bool Authenticated = false;
bool SessionTimeout = false;
// provjera tokena
if (!Login && !Logout && DatabaseSelected && TokenContent != null)
{
try
{
var token = await Security.CheckToken(db, logger, TokenContent, context.Response);
if (token.Status == Models.TokenStatus.OK)
{
Authenticated = true;
context.Items["UserID"] = token.UserID;
List<Claim> userClaims = new List<Claim>();
var person = await db.Person.AsNoTracking()
.Where(x => x.UserID == token.UserID)
.FirstOrDefaultAsync();
if (person != null)
{
var emp = await db.Employee.AsNoTracking()
.Where(x => x.PersonID == person.ID)
.FirstOrDefaultAsync();
if (emp != null)
{
context.Items["EmployeeID"] = emp.ID;
}
}
string UserName = "";
if (person != null && person.FullName != null)
{
UserName = person.FullName;
}
else
{
var user = await db.User.AsNoTracking()
.Where(x => x.ID == token.UserID)
.Select(x => new { x.Login }).FirstOrDefaultAsync();
UserName = user.Login;
}
context.Items["UserName"] = UserName;
userClaims.Add(new Claim(ClaimTypes.Name, UserName));
if ((token.Roles & (int)Security.TeamRoles.TeamAdmin) == (int)Security.TeamRoles.TeamAdmin)
{
userClaims.Add(new Claim(ClaimTypes.Role, Security.TeamAdmin));
}
if ((token.Roles & (int)Security.TeamRoles.SuperAdmin) == (int)Security.TeamRoles.SuperAdmin)
{
userClaims.Add(new Claim(ClaimTypes.Role, Security.TeamAdmin));
userClaims.Add(new Claim(ClaimTypes.Role, Security.SuperAdmin));
}
ClaimsPrincipal principal = new ClaimsPrincipal(new ClaimsIdentity(userClaims, "local"));
context.User = principal;
}
else if (token.Status == Models.TokenStatus.Expired)
{
SessionTimeout = true;
}
}
catch (System.Exception ex)
{
logger.LogCritical(ex.Message);
}
}
if (Login || (Logout && DatabaseSelected) || Authenticated)
{
await next.Invoke(context);
}
else
{
if (Utility.IsAjaxRequest(context.Request))
{
if (TeamConfig.AuthDebug)
{
logger.LogDebug("Auth-Invoke => AJAX 401");
}
context.Response.StatusCode = 401;
context.Response.Headers.Add(SessionTimeout ? "X-Team-Timeout" : "X-Team-Login", "1");
}
else
{
string RedirectPath = SessionTimeout ? LoginPathTimeout : LoginPath;
if (TeamConfig.AuthDebug)
{
logger.LogDebug("Auth-Invoke => " + RedirectPath);
}
context.Response.Redirect(RedirectPath);
}
}
}
}
}
这里是相同的中间件,但我认为对于删除该问题并不重要的代码:
Here is the same middleware, with the code that I believe is not important for the question stripped out:
public class TeamAuthentication
{
private readonly RequestDelegate next;
private readonly ILogger<TeamAuthentication> logger;
public async Task Invoke(HttpContext context, ApplicationDbContext db)
{
// preparatory actions...
var token = await Security.CheckToken(db, logger, TokenContent, context.Response);
if (token.Status == Models.TokenStatus.OK)
{
List<Claim> userClaims = new List<Claim>();
string UserName = "";
// find out the UserName...
userClaims.Add(new Claim(ClaimTypes.Name, UserName));
if ((token.Roles & (int)Security.TeamRoles.TeamAdmin) == (int)Security.TeamRoles.TeamAdmin)
{
userClaims.Add(new Claim(ClaimTypes.Role, Security.TeamAdmin));
}
if ((token.Roles & (int)Security.TeamRoles.SuperAdmin) == (int)Security.TeamRoles.SuperAdmin)
{
userClaims.Add(new Claim(ClaimTypes.Role, Security.TeamAdmin));
userClaims.Add(new Claim(ClaimTypes.Role, Security.SuperAdmin));
}
ClaimsPrincipal principal = new ClaimsPrincipal(new ClaimsIdentity(userClaims, "local"));
}
// ...
这是我授权访问控制器的方式:
This is how I authorize access to the controller:
namespace Team.Controllers
{
[Authorize(Policy = Security.TeamAdmin)]
public class ModulesController : Controller
{
// ...
I tried to research the issue by Google-ing and found articles like https://docs.microsoft.com/en-us/aspnet/core/migration/1x-to-2x/identity-2x and some similar, but they didn't help me resolve the issue.
推荐答案
IMHO you might want to switch to the built in Role base authorization instead of rolling your own custom policy authorization there are bound to be cases you haven't thought of that are handled by it (avoid reinventing the wheel :).
对于身份验证,您应该使用
For authentication you should set up the cookie authentication scheme using
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
.AddCookie();
在这里阅读有关它提供的设置的信息,用于没有ASP.Net Identity的自定义方案.
Read about the settings it provides here, for a custom scheme without ASP.Net Identity.
至于授权,您在这里混合了身份验证和授权,中间件同时实现了两者,但被命名为UseTeamAuthentication,其区别被解释了 ,因此,这两件事在ASP.Net Core基础结构中是分开的.
As for authorization you have mixed authentication and authorization a bit here, the middleware does both but is named UseTeamAuthentication the difference is explained here, and as such these two things are separate in the ASP.Net Core infrastructure.
进行授权(自定义)时,需要通过IAuthorizationRequirement界面实现要求来完成授权,您可以在上面的自定义策略链接中了解如何进行授权.但我强烈建议您使用内置的角色机制.
Authorization as you have done it (custom) needs to be done by implementing requirements through the IAuthorizationRequirement interface, you can read how to do that in the above custom policy link. But I strongly suggest you use the built in Roles mechanism.
干杯:)
这篇关于从ASP.NET Core 1.1 MVC迁移到2.0后,自定义cookie身份验证不起作用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
