禁用Windows身份验证的WebAPI [英] Disable Windows Authentication for WebAPI
问题描述
我与MVC4应用演奏和使用的WebAPI的读取/送我的所有数据。在控制器我使用的是HttpClient的请求来获取数据和所有工作正常。我现在面临的问题是,当Windows身份验证在项目启动时,Web API调用返回一个401未授权错误。
I am playing with an MVC4 application and using WebAPI for fetching/sending all my data. In a controller I am using an HttpClient request to get the data and all is working fine. The issue I am facing is that when Windows authentication is enabled in the project, the web API calls are returning a 401 Unauthorized error.
在我的控制器,做主叫的code是:
the code in my controller that does the calling is:
using (var client = new HttpClient())
{
var invoiceDetailUrl = BASE_URL + Url.HttpRouteUrl(
"DefaultApi",
new { controller = "InvoiceDetails", id = id }
);
var result = client.GetAsync(invoiceDetailUrl).Result;
}
Windows验证必须为站点,但不一定是网页API控制器。我曾尝试在web.config中像下面不包括API控制器:
Windows authentication has to be on for the site, but not necessarily the Web API controllers. I have tried excluding the API controllers in the web.config like below:
<location path="api">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
但增加的web.config中什么也没做。
but the additions to the web.config did nothing.
有什么建议?
推荐答案
网页API假定认证发生在主机。 IIS使用HTTP模块进行验证。 asp.net现在允许你通过的web.config配置任何内置在IIS或ASP.NET验证模块,或写你自己的HTTP模块来执行自定义验证。
Authentication
Web API assumes that authentication happens in the host. IIS uses HTTP modules for authentication. asp.net now allow you to configure via web.config any of the authentication modules built in to IIS or ASP.NET, or write your own HTTP module to perform custom authentication.
您可以同时使用多个认证,这不是一个问题。
在你的情况下,你需要的 Windows身份验证和放大器;匿名身份验证即可。
Windows身份验证的安全的网站,和匿名身份验证将的打开的你的Web API。
You can use multiple authentications at the same time, it's not a problem. In you case, you need both Windows authentication & Anonymous authentication. Windows authentication will secure your WebSite, and Anonymous authentication will open your Web Api.
托管在IIS防爆preSS
(通过F4和项目而不是属性)打开属性面板,并应用所需的验证
将匿名验证改为已禁用。
将Windows身份验证为Enabled。
Hosting on IIS Express Open the Properties pane (via F4 and not the properties of the project), and apply desired authentication Set "Anonymous Authentication" to "Disabled". Set "Windows Authentication" to "Enabled".
托管在IIS 7或更高版本
在IIS管理器中,打开功能查看认证功能。启用/禁用所需的验证。如果一个认证系统不是一个选项(如Windows),您需要通过服务器管理器进行安装(添加角色服务)。
Hosting on IIS 7 or later In IIS Manager, open the Authentication feature in the features View. Enable/Disable desired authentication. If an authentication system is not an option (such as Windows), you'll need to install it via the Server Manager (Add Role Services).
asp.net授权
在ASP.NET中,有两种方法来授权访问给定的资源:文件和URL授权。我不会在这里解释,但你可以看到这篇文章。
In ASP.NET, there are two ways to authorize access to a given resource: File and Url authorization. I won't explain it here but you can read this article.
重要的是,你可以允许/拒绝用户和/或组在web.config中。
The important thing is that you can allow/deny users and/or groups in web.config.
在Windows身份验证的默认配置是只允许认证用户的 * ,就像这样:
The default config in Windows authentication is to allow only authentication users *, like this :
<authorization>
<deny users="?" ></deny>
</authorization>
如果你想允许匿名用户的 下的URL位置API,加上这一句:
If you want to allow anonymous users ? under the url location "api", add this :
<location path="api">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
网页API授权
asp.net网页API授权以后发生在管道,接近控制器。这可让您更精细的选择,当您授予对资源的访问。
asp.net Web Api Authorization happens later in the pipeline, closer to the controller. That lets you make more granular choices when you grant access to resources.
网页API提供了一个内置的授权过滤器,<一个href=\"http://msdn.microsoft.com/en-us/library/system.web.http.authorizeattribute.aspx\">AuthorizeAttribute.还有一个<一个href=\"http://msdn.microsoft.com/en-us/library/system.web.http.allowanonymousattribute.aspx\">AllowAnonymousAttribute.
您可以在全球范围内使用它,在一个控制器或一个动作。
默认情况下,所有的行动的授权的
Web API provides a built-in authorization filter, AuthorizeAttribute. There is also an AllowAnonymousAttribute. You can use it Globally, on a Controller or on an action. By default, all actions are authorized.
通过浏览器
集成Windows身份验证的工作与支持协商身份验证方案的任何浏览器。这对Internet Explorer和Chrome浏览器现在中科院:浏览使用Windows身份验证的网站时,他们会自动提供Windows凭据。 Firefox不支持这个计划,所以我经常跟这个浏览器中测试认证。
Integrated Windows authentication works with any browser that supports the Negotiate authentication scheme. It's the cas for Internet Explorer and now Chrome : they will automatically provide Windows Credentials when browsing a Web Site with Windows authentication. Firefox does not support this scheme, so I often test authentication with this browser.
通过HttpClient的
你需要的HttpClient调用Web API(像浏览器)时提供凭据。这可以通过配置适当蒙山凭据的HttpClientHandler完成。
Via HttpClient Your HttpClient needs to provide Credentials when invoking the Web Api (like browsers). This is done by configuring an HttpClientHandler whith appropriate credentials.
//use default credentials aka Windows Credentials
HttpClientHandler handler = new HttpClientHandler()
{
UseDefaultCredentials = true
};
//use username/password credentials
HttpClient client = new HttpClient(handler);
var handler = new HttpClientHandler {
Credentials = new NetworkCredential(username, password)
};
var httpClient = new HttpClient(handler);
希望这会帮助你。
Hope this will help you.
在你的情况下最后一个重要的事情,是你的网页API的不允许匿名用户在所有!由于您使用的默认凭据的在你HttpClientHandler,这意味着你的服务要求Windows身份验证。您不必配置在一个开放的和放任何凭据;公共服务。
One last important thing in you case, is that your Web Api does not allow anonymous users at all ! Because you are using Default Credentials in your HttpClientHandler, this means that your service requires Windows authentication. You don't have to configure any credentials in an open & public service.
这篇关于禁用Windows身份验证的WebAPI的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
