继续获取未授权的Web API [英] Keep on getting Unauthorize Web API

问题描述

我有一个项目，它是一个需要Windows身份验证的Web应用程序.

I have a project, It's a web application that requires Windows Authentication.

我已经使用NAS虚拟化功能在家中设置了Active Directory.然后，我为IIS创建了一个VMWare服务器，该服务器是我的桌面上该域的成员，我也将其用于开发.我已经创建了Web API并将其安装到该VMWare服务器中.当我直接调用一个例程时，它可以工作并返回结果，但是当我从JavaScript Web应用程序中使用Web API例程时，我不断收到401错误.然后，我将代码放在IIS服务器上，并且Web应用程序正常工作.

I've setup an Active Directory at home using my NAS virtualization. Then I've created a VMWare Server for IIS which is a member of that domain on my desktop which I also use for development. I've created the Web API and installed it into that VMWare server. When I call a routine directly, it works and return results but when I use the Web API routine from my javascript web application I keep on getting 401 error. I then put the code on the IIS server and the web application works.

我已经看到了许多解决方案，例如更改IIS身份验证中提供程序的顺序.在文件夹上添加了所有人的读/写权限.我还在web.config上添加了条目.但是它们都不起作用.

I've seen a lot of solutions like changing the sequence of the Provider in IIS Authentication. Added Everyone read/write permission on the folders. I've also added entry on the web.config. But none of them work.

*****根据评论的请求*****

*****Update as per request on the comment *****

下面是当我直接从Web API运行时

Below is when I run directly from Web API

从Javascript调用Web API

Calling the Web API from Javascript

这是我遇到的错误

仅供参考，我尝试在同一台计算机上从Visual Studio运行Web api，但也出现401错误

Just FYI, I tried running the web api from Visual Studio on the same machine but also with 401 error

有什么可以添加到AD中以使我的开发计算机受信任的东西吗?

Is there anything I could add to AD to make my development machine as trusted?

********************更改代码后的新问题**********

********************A new issue after the code change **********

****************另一个更新******这绝对很奇怪，所以我安装了Fiddler 4来看看发生了什么.但是仍然没有运气.

****************Another Update****** This is definitely weird, so I installed Fiddler 4 to see what's going on. But still no luck.

然后我在IIS HTTP响应标头上进行了更改

Then I made changes on the IIS HTTP Response Header

奇怪的是，当我运行Fiddler时，错误消失了，但是当我关闭它时，错误又回来了.

The weird thing is when I run Fiddler the error is gone but when I close it it comes back.

推荐答案

这里发生了两件事:

1. 401响应是Windows身份验证的正常第一步.然后，期望客户端使用凭证重新发送请求.除非您告知AJAX请求，否则它不会自动执行此操作.

要告诉它在跨域请求中发送凭据(稍后会详细介绍)，您需要设置

To tell it to send credentials in a cross-domain request (more on that later), you need to set the withCredentials option when you make the request in JavaScript.

使用jQuery，如下所示:

With jQuery, that looks like this:

$.ajax({
   url: url,
   xhrFields: {
      withCredentials: true
   }
}).then(callback);

1. 当浏览器地址栏中的URL与您要在JavaScript中尝试连接的API的URL不同时，会弹出这些问题.对于允许的时间，浏览器非常挑剔.这些称为跨域请求"或跨域资源共享"(CORS).

1. These problems pop up when the URL in the address bar of the browser is different than the URL of the API you are trying to connect to in the JavaScript. Browsers are very picky about when this is allowed. These are called "cross-domain requests", or "Cross-Origin Resource Sharing" (CORS).

它查看协议，域名和端口.因此，如果网站是 http://localhost:8000 ，并且正在向 http://localhost:8001 发出AJAX请求，则该网站仍被视为跨域请求.

It looks at the protocol, domain name and port. So if the website is http://localhost:8000, and it's making an AJAX request to http://localhost:8001, that is still considered a cross-domain request.

发出跨域AJAX请求时，浏览器首先向该URL发送一个OPTIONS请求，该URL包含发出请求的网站的URL(例如 http://localhost:8000 ).预计该API将返回带有 Access-Control-Allow-Origin 标头的响应，该标头说明是否允许发出请求的网站.

When a cross-domain AJAX request is made, the browser first sends an OPTIONS request to the URL, which contains the URL of the website that's making the request (e.g. http://localhost:8000). The API is expected to return a response with an Access-Control-Allow-Origin header that says whether the website making the request is allowed to.

如果您不打算发送凭据，则 Access-Control-Allow-Origin 标头可以是 * ，这意味着该API允许任何人调用它.

If you are not planning on sending credentials, then the Access-Control-Allow-Origin header can be *, meaning that the API allows anyone to call it.

但是，如果像您一样需要发送凭据，则不能使用 * . Access-Control-Allow-Origin 标头必须专门包含网页的域(和端口)，并且 Access-Control-Allow-Credentials 必须设置为 true .例如:

However, if you need to send credentials, like you do, you cannot use *. The Access-Control-Allow-Origin header must specifically contain the domain (and port) of your webpage, and the Access-Control-Allow-Credentials must be set to true. For example:

Access-Control-Allow-Origin: http://localhost:8000
Access-Control-Allow-Credentials: true

是的，屁股有点疼.但这对安全性是必要的.

It's a bit of a pain in the butt, yes. But it's necessary for security.

您可以在此处了解有关CORS的更多信息:跨域资源共享(CORS)

You can read more about CORS here: Cross-Origin Resource Sharing (CORS)

这篇关于继续获取未授权的Web API的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！