ASP.Net/ASP.NET Core Web API未经授权的请求返回302重定向响应，而不是401 [英] ASP.Net / ASP.NET Core Web API unauthorized requests returns 302 redirect response instead of 401

问题描述

在ASP.Net/ASP.Net Core WebAPI中，

In ASP.Net / ASP.Net Core WebAPI,

当客户端/浏览器尝试访问使用 [Authorized] 属性修饰的WebAPI端点时.它会获得 302-Found 状态代码，并带有指向登录页面的重定向响应，而不是 401-Unauthorized 表示未经授权的请求.

When the client/browser tries to access a WebAPI endpoint which is decorated with [Authorized] attribute. It gets a 302-Found status code with a redirect response to the Login page, instead of 401-Unauthorized for an unauthorized request.

注意:我注意到 AuthorizeAttribute 过滤器中的 Fail(AuthorizationContext context) 方法将响应代码设置为 401-Unauthorized ，但最终浏览器 302-Found 回复.

Note: I have noticed that Fail(AuthorizationContext context) method in AuthorizeAttribute filter sets the response code as 401-Unauthorized, but eventually browser gets a 302-Found response.

如何发送 401 而不是 302 ?

更新:使用ASP.NET Core更新问题

UPDATE: Update the question with ASP.NET Core

推荐答案

最终找到了解决方案.

重定向通过 Cookie身份验证模块进行.默认情况下，其LoginPath属性设置为/Account/Login.如果将其设置为PathString.Empty，它将状态代码保留为401-Unauthorized，而无需将其更改为302-Found.

The redirection happens with the Cookie Authentication module. By default its LoginPath property is set to /Account/Login. If it is set to PathString.Empty, it will keep the status code as 401-Unauthorized without changing it to 302-Found.

在 Startup.cs 中更改CookieAuthenticationOptions，如下所示:

public void ConfigureServices(IServiceCollection services)
{
    // Other configurations ...

    services.Configure<CookieAuthenticationOptions>(o =>
    {
        o.LoginPath = PathString.Empty;
    });

    // ...
}

LoginPath属性的XML文档:

LoginPath属性通知中间件它应该更改传出的401未经授权状态 代码将302重定向到给定的登录路径.添加生成401的当前网址 到LoginPath作为由ReturnUrlParameter命名的查询字符串参数.一次向 LoginPath授予新的SignIn身份，ReturnUrlParameter值用于将浏览器重定向回 到导致原始未授权状态代码的网址.

The LoginPath property informs the middleware that it should change an outgoing 401 Unauthorized status code into a 302 redirection onto the given login path. The current url which generated the 401 is added to the LoginPath as a query string parameter named by the ReturnUrlParameter. Once a request to the LoginPath grants a new SignIn identity, the ReturnUrlParameter value is used to redirect the browser back to the url which caused the original unauthorized status code.

如果LoginPath为null或为空，则中间件将不会查找401未经授权的状态代码，并且它将 登录后不会自动重定向.

If the LoginPath is null or empty, the middleware will not look for 401 Unauthorized status codes, and it will not redirect automatically when a login occurs.

---

更新:正如@swdon所指出的， ASP.NET Core 2.x 具有不同的实现方式.

---

UPDATE: As @swdon pointed out, ASP.NET Core 2.x has a different way of doing this.

以下是链接1 中可接受的答案:

Here's the accepted answer from the link 1:

自 ASP.NET Core 2.x 起:

services.ConfigureApplicationCookie(options =>
{
    options.Events.OnRedirectToLogin = context =>
    {
        context.Response.StatusCode = 401;    
        return Task.CompletedTask;
    };
});

这篇关于ASP.Net/ASP.NET Core Web API未经授权的请求返回302重定向响应，而不是401的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！