Can I bypass organizational authentication for a WebAPI controller inside an MVC app?


Problem description

I have an MVC5, EF6 app which uses organizational authentication (Azure AD) and all is working fine except for one thing. There is a requirement for a WebAPI controller to process requests from unauthenticated clients. The clients are normally Android devices issuing AJAX requests.

Before I added organizational authentication to my MVC app, my WebAPI controller was being called and functioned correctly so I know my routing is correct. Now I've added organizational authentication, my WebAPI controller is no longer called and the client's AJAX request times out.

I understand there are attributes such as [Authorize] to specify access to controllers/methods but when using organizational authentication, it appears that WebAPI controllers without the [Authorize] attribute do not get called.

My question is, can I mark my WebAPI controller to allow requests from unauthenticated clients, if so how can I do it?

Many thanks.

Recommended answer

The answer is to allow anonymous connections to a specific controller by entering the xml below into the root Web.config file.

If your controller is called "PersonController", then the name you should enter into the path attribute is "person" NOT "personcontroller".

In my case, because I want to allow anonymous requests to a WebAPI controller, I need to prefix my controller name in the path attribute with "api/".

Hope this helps others who may run into the same issue.

<location path="api/my-controller-name">
  <system.web>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
</location>
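
An added example, not part of the original answer: a Python audit that lists which `<location>` paths in a Web.config admit anonymous users, applying the first-match rule order of ASP.NET URL authorization, so exceptions like the one above stay visible in review. The sample config is constructed; the `admin` and `api/reports` paths and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config. Only the first path comes from the answer;
# "admin" and "api/reports" are hypothetical entries added for contrast.
SAMPLE_CONFIG = """<configuration>
  <location path="api/my-controller-name">
    <system.web><authorization>
      <allow users="?" />
    </authorization></system.web>
  </location>
  <location path="admin">
    <system.web><authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization></system.web>
  </location>
  <location path="api/reports">
    <system.web><authorization>
      <allow users="*" verbs="GET" />
      <deny users="*" />
    </authorization></system.web>
  </location>
</configuration>"""

def anonymous_allowed(authorization, verb="GET"):
    """Apply the first-match rule order of ASP.NET URL authorization.
    Returns True/False, or None if no rule here matches an anonymous user."""
    for rule in authorization:
        if rule.tag not in ("allow", "deny"):
            continue
        users = [u.strip() for u in rule.get("users", "").split(",")]
        verbs = [v.strip().upper() for v in rule.get("verbs", "").split(",") if v.strip()]
        if verbs and verb.upper() not in verbs:
            continue  # rule is limited to other HTTP verbs
        if "?" in users or "*" in users:  # "?" = anonymous, "*" = everyone
            return rule.tag == "allow"
    return None

def anonymous_paths(config_xml, verb="GET"):
    """List <location> paths whose own rules admit anonymous requests."""
    root = ET.fromstring(config_xml)
    exposed = []
    for loc in root.iter("location"):
        auth = loc.find("system.web/authorization")
        if auth is not None and anonymous_allowed(auth, verb):
            exposed.append(loc.get("path", ""))
    return exposed

print(anonymous_paths(SAMPLE_CONFIG))
```

The audit only reads each `<location>` block's own rules; rules inherited from the root `<authorization>` section are not merged in.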
