Web API 2.1 Windows Authentication CORS Firefox


Problem description

Here is the situation:

I created a web api project and an mvc project, like so:

http://www.asp.net/web-api/overview/security/enabling-cross-origin-requests-in-web-api

I installed CORS support via nuget and added the EnableCorsAttribute

I ran the project and everything worked as expected (GET, PUT, and POST) across Chrome, IE, and Firefox.

I then enabled Windows Authentication in the web api project (yes, I really need win auth in the api project). In order to get this to work, I added the xhrFields arg to my jquery.ajax call:

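        // method, serviceUrl and foo are set by the calling code (not shown)
        $.ajax({
            type: method,
            url: serviceUrl,
            data: JSON.stringify(foo),
            contentType: 'application/json; charset=UTF-8',
            // Allow the browser to send credentials on the cross-origin request
            xhrFields: {
                withCredentials: true
            }
        }).done(function (data) {
            $('#value1').text(data);
        }).fail(function (jqXHR, textStatus, errorThrown) {
            // .fail() replaces jqXHR.error(), which was removed in jQuery 3.0
            $('#value1').text(jqXHR.responseText || textStatus);
        });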

In addition, I set the EnableCorsAttribute.SupportsCredentials property = true

I tested everything out. Chrome and IE worked, Firefox did not. Firefox receives a 401 in response to its preflight (OPTIONS) request.

It seems as though Firefox is not making an attempt to authenticate with the service.

Has anyone found a solution to this problem?

Recommended answer

I figured out a 2-part solution.

The issue is that when Firefox issues an OPTION request and is denied with a 401, it makes no further attempt to re-authenticate. This led me down a path to bypass authentication on all OPTION requests. I couldn't find much information on the subject, but I did find this:

401 response for CORS request in IIS with Windows Auth enabled: http://stackoverflow.com/questions/10723088/401-response-for-cors-request-in-iis-with-windows-auth-enabled

Based on that, I set Anonymous Authentication to Enabled in the api project's settings (I still also had Windows Authentication set to Enabled).

After running the projects (mvc and api), I was prompted for credentials when issuing a CORS request. After supplying my credentials, I was able to make GET/POST/PUTS with Firefox successfully.

To eliminate the prompting of credentials in Firefox, I received a tip from Brock Allen that led me down the path of enabling NTLM authentication. I found a post here that offers instructions on how to make the appropriate settings change.

After adding 'http://localhost' to the network.negotiate-auth.trusted-uris setting, I am now able to issue CORS requests against all verbs using Firefox without prompting for credentials.
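
As an added example (not part of the original question or answer), the JavaScript below models the checks the Fetch standard has a browser apply to a preflight response for the credentialed JSON request in the question, which shows why a 401 on OPTIONS stops the exchange. The origin `http://localhost:50000`, the `PUT` method and the sample responses are constructed assumptions.

```javascript
// Added example: the checks a browser applies to a CORS preflight response before
// it sends the real request. Sample responses are constructed, not captured.
function checkPreflight(res, req) {
  const h = {};
  for (const [k, v] of Object.entries(res.headers)) h[k.toLowerCase()] = String(v).trim();
  const list = (name) => (h[name] || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  // "*" only acts as a wildcard when the request carries no credentials.
  const allows = (name, value) =>
    list(name).includes(value.toLowerCase()) || (!req.withCredentials && list(name).includes('*'));
  const problems = [];

  // Fetch standard: the preflight carries no credentials and needs a 2xx status.
  if (res.status < 200 || res.status > 299) problems.push(`preflight status ${res.status} is not 2xx`);
  const origin = h['access-control-allow-origin'];
  if (origin !== req.origin && !(origin === '*' && !req.withCredentials))
    problems.push(`Access-Control-Allow-Origin does not allow ${req.origin}`);
  if (req.withCredentials && h['access-control-allow-credentials'] !== 'true')
    problems.push('Access-Control-Allow-Credentials is not "true"');
  // GET, HEAD and POST never need to be listed; other methods do.
  if (!['GET', 'HEAD', 'POST'].includes(req.method.toUpperCase()) && !allows('access-control-allow-methods', req.method))
    problems.push(`${req.method} is not in Access-Control-Allow-Methods`);
  // A JSON Content-Type is not safelisted, so it must be allowed explicitly.
  for (const name of req.headers)
    if (!allows('access-control-allow-headers', name)) problems.push(`${name} is not in Access-Control-Allow-Headers`);
  return problems;
}

// Shape of the jQuery call in the question: JSON body, withCredentials (origin and PUT assumed).
const request = { origin: 'http://localhost:50000', method: 'PUT', headers: ['content-type'], withCredentials: true };
const allowed = { 'Access-Control-Allow-Credentials': 'true', 'Access-Control-Allow-Methods': 'PUT',
  'Access-Control-Allow-Headers': 'content-type' };
const samples = {
  challenged: { status: 401, headers: { 'WWW-Authenticate': 'Negotiate' } },
  wildcard: { status: 200, headers: { ...allowed, 'Access-Control-Allow-Origin': '*' } },
  correct: { status: 200, headers: { ...allowed, 'Access-Control-Allow-Origin': 'http://localhost:50000' } },
};
for (const [name, res] of Object.entries(samples)) console.log(name, checkPreflight(res, request));
```

With Anonymous Authentication enabled alongside Windows Authentication, as in the answer, the non-OPTIONS actions still need an authorization requirement (for example Web API's `[Authorize]`) so that only the preflight is served unauthenticated.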
