为 WebAPI 禁用 Windows 身份验证 [英] Disable Windows Authentication for WebAPI
问题描述
我正在使用 MVC4 应用程序并使用 WebAPI 来获取/发送我的所有数据.在控制器中,我使用 HttpClient 请求来获取数据并且一切正常.我面临的问题是,当项目中启用 Windows 身份验证时,Web API 调用返回 401 未授权错误.
I am playing with an MVC4 application and using WebAPI for fetching/sending all my data. In a controller I am using an HttpClient request to get the data and all is working fine. The issue I am facing is that when Windows authentication is enabled in the project, the web API calls are returning a 401 Unauthorized error.
我的控制器中执行调用的代码是:
the code in my controller that does the calling is:
using (var client = new HttpClient())
{
var invoiceDetailUrl = BASE_URL + Url.HttpRouteUrl(
"DefaultApi",
new { controller = "InvoiceDetails", id = id }
);
var result = client.GetAsync(invoiceDetailUrl).Result;
}
必须为站点启用 Windows 身份验证,但不一定要启用 Web API 控制器.我尝试在 web.config 中排除 API 控制器,如下所示:
Windows authentication has to be on for the site, but not necessarily the Web API controllers. I have tried excluding the API controllers in the web.config like below:
<location path="api">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
但是添加到 web.config 的内容没有任何作用.
but the additions to the web.config did nothing.
有什么建议吗?
推荐答案
Authentication
Web API 假定身份验证发生在主机中.IIS 使用 HTTP 模块进行身份验证.asp.net 现在允许您通过 web.config 配置任何内置于 IIS 或 ASP.NET 的身份验证模块,或编写您自己的 HTTP 模块来执行自定义身份验证.
Authentication
Web API assumes that authentication happens in the host. IIS uses HTTP modules for authentication. asp.net now allow you to configure via web.config any of the authentication modules built in to IIS or ASP.NET, or write your own HTTP module to perform custom authentication.
您可以同时使用多个身份验证,这不是问题.在您的情况下,您需要 Windows 身份验证和匿名身份验证.Windows 身份验证将保护您的网站,而匿名身份验证将打开您的 Web Api.
You can use multiple authentications at the same time, it's not a problem. In you case, you need both Windows authentication & Anonymous authentication. Windows authentication will secure your WebSite, and Anonymous authentication will open your Web Api.
在 IIS Express 上托管打开属性"窗格(通过 F4 而不是项目的属性),并应用所需的身份验证将匿名身份验证"设置为已禁用".将Windows 身份验证"设置为已启用".
Hosting on IIS Express Open the Properties pane (via F4 and not the properties of the project), and apply desired authentication Set "Anonymous Authentication" to "Disabled". Set "Windows Authentication" to "Enabled".
在 IIS 7 或更高版本上托管在 IIS 管理器中,在功能视图中打开身份验证功能.启用/禁用所需的身份验证.如果身份验证系统不是一个选项(例如 Windows),您需要通过服务器管理器(添加角色服务)安装它.
Hosting on IIS 7 or later In IIS Manager, open the Authentication feature in the features View. Enable/Disable desired authentication. If an authentication system is not an option (such as Windows), you'll need to install it via the Server Manager (Add Role Services).
asp.net 授权
在 ASP.NET 中,有两种方法可以授权访问给定资源:文件授权和 Url 授权.我不会在这里解释,但你可以阅读这个 文章.
In ASP.NET, there are two ways to authorize access to a given resource: File and Url authorization. I won't explain it here but you can read this article.
重要的是您可以在 web.config 中允许/拒绝用户和/或组.
The important thing is that you can allow/deny users and/or groups in web.config.
Windows 认证的默认配置是只允许认证用户 *****,如下所示:
The default config in Windows authentication is to allow only authentication users *****, like this :
<authorization>
<deny users="?" ></deny>
</authorization>
如果你想允许匿名用户?在url位置api"下,添加:
If you want to allow anonymous users ? under the url location "api", add this :
<location path="api">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Web Api 授权
asp.net Web Api 授权发生在管道的后面,更靠近控制器.这让您可以在授予对资源的访问权限时做出更精细的选择.
asp.net Web Api Authorization happens later in the pipeline, closer to the controller. That lets you make more granular choices when you grant access to resources.
Web API 提供了一个内置的授权过滤器,授权属性.还有一个 AllowAnonymousAttribute.您可以在全局、控制器或操作上使用它.默认情况下,所有操作均获得授权.
Web API provides a built-in authorization filter, AuthorizeAttribute. There is also an AllowAnonymousAttribute. You can use it Globally, on a Controller or on an action. By default, all actions are authorized.
通过浏览器
集成的 Windows 身份验证适用于任何支持协商身份验证方案的浏览器.它是 Internet Explorer 和现在 Chrome 的 cas:当浏览具有 Windows 身份验证的网站时,它们将自动提供 Windows 凭据.Firefox 不支持这个方案,所以我经常用这个浏览器测试认证.
Integrated Windows authentication works with any browser that supports the Negotiate authentication scheme. It's the cas for Internet Explorer and now Chrome : they will automatically provide Windows Credentials when browsing a Web Site with Windows authentication. Firefox does not support this scheme, so I often test authentication with this browser.
通过HttpClient您的 HttpClient 在调用 Web Api(如浏览器)时需要提供 Credentials.这是通过配置具有适当凭据的 HttpClientHandler 来完成的.
Via HttpClient Your HttpClient needs to provide Credentials when invoking the Web Api (like browsers). This is done by configuring an HttpClientHandler whith appropriate credentials.
//use default credentials aka Windows Credentials
HttpClientHandler handler = new HttpClientHandler()
{
UseDefaultCredentials = true
};
//use username/password credentials
HttpClient client = new HttpClient(handler);
var handler = new HttpClientHandler {
Credentials = new NetworkCredential(username, password)
};
var httpClient = new HttpClient(handler);
希望对你有帮助.
对您而言,最后一件重要的事情是您的 Web Api 根本不允许匿名用户!因为您在 HttpClientHandler 中使用了默认凭据,这意味着您的服务需要 Windows 身份验证.您不必在打开的 & 中配置任何凭据.公共服务.
One last important thing in you case, is that your Web Api does not allow anonymous users at all ! Because you are using Default Credentials in your HttpClientHandler, this means that your service requires Windows authentication. You don't have to configure any credentials in an open & public service.
这篇关于为 WebAPI 禁用 Windows 身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
