当自定义 SecurityTokenHandler 被触发时? [英] When custom SecurityTokenHandler gets triggered?

问题描述

我有一个简单的 REST Web 服务.我试图实现 SimpleWebToken 安全性，为此我创建了一个自定义的 SecurityTokenHandler 与重写的 CanreadToken 和 ReadToken 然后我在 web.cofig 文件中注册它.

I have a simple REST Web Service. I have tried to implement SimpleWebToken security therefor I created a custom SecurityTokenHandler with overridden CanreadToken and ReadToken then I registered it in web.cofig file.

<system.identityModel>
  <identityConfiguration>
    <securityTokenHandlers>
      <clear/>
      <add type="TestTokens.SimpleWebTokenHandler, TestTokens"></add>
    </securityTokenHandlers>    
 <audienceUris>
    <clear/>
    <add value="http://mytestrealm/"/>
 </audienceUris>
</identityConfiguration>

我认为 CanReadToken() 总是被调用，以确保可以处理传入的请求.为什么不叫?

I thought that CanReadToken() is always called, in order to make sure that the incoming request can be handled. Why it is not called?

推荐答案

没错，WIF 管道可用于对用户进行身份验证.看起来您正在寻找更多的 WebAPI 解决方案.我建议使用 Jwt 令牌，因为每个人似乎都倾向于这种方式.看看这里:http://www.cloudidentity.com/blog/2013/06/06/the-json-web-token-handler-for-net-4-5-reaches-ga/

That is correct, WIF plumbing can be used to authenticate users. It looks like you are looking for more of a WebAPI solution. I would recommend using Jwt tokens as everyone seems to be leaning that way. Have a look here: http://www.cloudidentity.com/blog/2013/06/06/the-json-web-token-handler-for-net-4-5-reaches-ga/

我们加入了一些有助于验证 WebAPI 的 jwt 的功能.

We put in some features that help when validating jwt's for WebAPI's.

这篇关于当自定义 SecurityTokenHandler 被触发时?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！