ASP.NET Web API如何对用户进行身份验证 [英] ASP.NET Web API how to authenticate user
问题描述
我正在尝试创建一个简单的用户身份验证功能,但是我无法使其正常工作. 这是我正在处理的代码:
I'm trying to create a simple user authentication function but I just can't get it to work. Here is the code I'm working on:
public class LoginController : ApiController
{
private void SetPrincipal(IPrincipal principal)
{
Thread.CurrentPrincipal = principal;
if (HttpContext.Current != null)
{
HttpContext.Current.User = principal;
}
}
public bool Login(string token)
{
//Check token
if (.....)
{
//Authenticate user
var identity = new GenericIdentity("Test user");
SetPrincipal(new GenericPrincipal(identity, new string[]{"Test role"}));
}
}
[Authorize]
public string TestFun()
{
return "Hello " + User.Identity.Name;
}
}
因此,如果我尝试先调用方法TestFun(),它将返回应有的错误代码401.
但是,当我调用方法Login()时,它应该以某种方式保存用户凭据,但这就是我迷路的地方,我无法使其正常工作.
So, if I try to call method TestFun() first, it returns error code 401 like it should.
However when I call method Login() it should somehow save user credentials, but this is where I get lost, I just can't get it to work.
TestFun()始终返回错误代码401.
如果我尝试将return "Hello " + User.Identity.Name;放在Login()函数中,它将返回正确的用户名,但是在TestFun()中,该用户不可用.
TestFun() always returns error code 401 even if I call Login() first.
If I try to put return "Hello " + User.Identity.Name; in the Login() function it returns correct username, but in the TestFun() the user is not available.
我什至尝试使用Sessions和FormsAuthentication,但是即使在这个非常简单的示例上,我也无法使用它.
I've even tried using Sessions and FormsAuthentication but I just can't get it to work, even on this really simple example.
有人可以告诉我我想念什么吗?
Can someone please tell me what am I missing?
谢谢!
推荐答案
Login方法仅设置当前请求的主体.在请求完成后,主体上下文将被清除,以便服务器可以为其他用户处理其他请求.当新请求到来时(从服务器的角度来看),主体上下文将不再存在,并且如果没有任何内容还原,则该请求将未经身份验证.
The Login method sets the principal for current request only. Just after the request completes, the principal context is wiped out so that the server can handle other requests for other users. When a new request comes, eons later from the server perspective, the principal context no longer exists and if nothing restores it, the request is unauthenticated.
要解决此问题,您必须从登录方法向客户端返回一些信息.不仅是布尔,而且是身份验证令牌.客户端可以用来验证进一步请求的东西.
To fix this you have to return something from your login method to the client. Not only bool but rather - an authentication token. Something the client could use to authenticate further requests.
可以是任何东西.只要客户端记得将表单cookie附加到其他请求中,表单cookie就可以了.另一种常见的做法是将自定义身份验证令牌返回到客户端,然后由客户端附加到自定义身份验证标头中.而且,由于表单Cookie是由表单身份验证模块处理的,因此自定义标头将需要自定义mvc身份验证过滤器或自定义asp.net身份验证模块,以便读取令牌,在之前提取并还原身份该请求即将执行.
It could be anything. Forms cookie would be fine as long as the client remembers to append it to further requests. Another common practice is to have a custom authentication token returned to the client and then appended by the client in a custom authentication header. And as forms cookies are handled by the Forms Authentication module, custom headers would need a custom mvc authentication filter or custom asp.net authentication module so that the token is readed, the identity is extracted and restored just before the request is about to execute.
如果您不想烘焙自己的令牌基础结构,我还建议您使用OAuth2令牌.有一本很棒的书,其中包含有关此身份验证方法和其他可能的身份验证方法的易于遵循的示例:
If you don't like to bake your own token infrastructure, I would also recommend OAuth2 tokens. There is a great book that contains easy to follow examples on this and other possible authentication methods:
这篇关于ASP.NET Web API如何对用户进行身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
