我怎样才能令牌认证添加到我的IIS这样一个文件夹中,以确保文件? [英] How can I add token authentication to my IIS so as to secure files in a folder?
问题描述
我有一个Windows Azure的应用程序的WebAPI
- OWIN
- 的Oauth 2
- 令牌认证
- 身份2框架
- VS2013更新2
- IIS(我不知道哪个版本。正如我刚刚更新堆栈中的一切都那么我认为最新的版本)
在时,有一个用户身份验证的<脚本> 在我的index.html文件,我注意到这样看向服务器发送的cookie:
接受语言:EN-US,EN; Q = 0.8
饼干:.AspNet.Cookies = GWLL4LgeFkn7jDndAwf,Pk_eZAPZ5LYZugSmv- ...
在用户通过验证后,我注意到饼干改变:
接受语言:EN-US,EN; Q = 0.8
饼干:.AspNet.Cookies = OqLMSpIv2aQ8KUcw3pWdAYtPYUI_tYMl4rEYKe16N ...
我想我是用令牌认证,所以我的第一个问题是:为什么你们的饼干得到改变,他们为什么在所有已发送?
一旦用户与每个$ HTTP请求,我送一个头这样的服务器验证,那么:
授权:承载abcdefgetc ....
我的服务器上的授权时,我有方法的WebAPI装饰得像作品:
[授权(角色=管理员)]
下面是主要网络配置显示安全设置:
<&的System.Web GT;
<身份验证模式=无/>
<编译调试=真targetFramework =4.5.1/>
<的httpRuntime targetFramework =4.5.1/>
< /system.web>
< system.webServer>
<模块>
<清除NAME =FormsAuthenticationModule/>
< /模块>
< /system.webServer>
现在我想一些安全添加到我在服务器上的一些静态的JavaScript文件。我知道我可以code它,因此文件可以通过我的客户进行检索并添加到DOM两种方式。无论哪种方式是好的,对我来说,虽然我使用preFER第一种方式,如果我这样做的方式则有可能是通过cookie或其他认证发生:
的使用脚本标记和负载的
VAR EL = doc.createElement(脚本),
加载= FALSE;
el.onload = el.onreadystatechange =功能(){
如果((el.readyState&安培;&安培;!el.readyState ==完整&放大器;&安培;!el.readyState ==装)||加载){
返回false;
}
el.onload = el.onreadystatechange = NULL;
加载=真实的;
//完成了!
};
el.async = TRUE;
el.src =路径;
document.getElementsByTagName('头')[0] .insertBefore(EL,head.firstChild);
的以$ HTTP调用,然后直接将它添加到DOM(我能提供承载令牌)的
$ HTTP({
网址:'/Bundles/admin/admin1Bundle.js',
方法:GET
})
.success(功能(结果){
变种M =使用document.createElement('脚本');
m.appendChild(document.createTextNode(结果));
document.getElementsByTagName(头部)[0] .appendChild(米);
一旦添加的JavaScript变为可用。要增加安全性我来保护这些文件,只允许用户在文件夹中创建一个web.config的管理角色有机会获得:
下面是在文件夹网络配置显示安全设置:
<?XML版本=1.0编码=UTF-8&GT?;
<结构>
< system.webServer>
<安全>
<授权>
<删除用户=*角色=动词=/>
<添加存取类型=允许角色=管理员动词=GET/>
< /授权>
< /安全>
< /system.webServer>
< /结构>
在与角色的用户的管理尝试访问的文件夹中有一个GET一个有一个承载令牌他们得到一个消息说:
最可能的原因:
•无身份验证协议(包括匿名)在IIS中被选中。
•只有集成身份验证已启用,客户端浏览器使用不支持集成身份验证。
•集成身份验证已启用,他们到达Web服务器之前请求是通过改变了认证头的代理发送。
•Web服务器没有被配置为允许匿名访问,并没有收到所需的授权头。
•配置/ system.webServer /授权配置部分可能会明确地拒绝用户访问。当发送到Web服务器的WWW-Authenticate头不被支持时出现此错误
服务器配置。检查身份验证方法的资源,并验证其身份验证
方法中使用的客户端。当身份验证方法是不同的时,会出现错误。为了确定
哪种类型的身份验证客户端使用,请检查客户端身份验证设置。
这似乎是我的IIS使用的是不同的实物由我的WebAPI使用的认证(我用我的开发环境,当我点击调试>开始调试版本)。谁能给我解释一下:
- 我应该使用
<的System.Web>或< system.webServer>的安全性? - 我怎样才能让IIS使用作为的WebAPI相同的安全路径使用时,我装饰我的WebAPI的方法呢?请注意,我需要一种方法与web.config中要做到这一点,因为我没有获得直接做了一次应用程序发布到云更改IIS。
- 我使用的令牌认证,为什么被发送的cookie信息?我可以只使用这个cookie信息来防止引火下载保护我的JavaScript文件?
注:
下面是这样的我已经验证设立Startup.Auth.cs
//配置基于流的OAuth应用
PublicClientId =自我;
OAuthOptions =新OAuthAuthorizationServerOptions
{
TokenEndpointPath =新PathString(/令牌),
供应商=新ApplicationOAuthProvider(PublicClientId)
AuthorizeEndpointPath =新PathString(/ API /帐号/ ExternalLogin),
AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
AllowInsecureHttp =真
}; //启用应用程序使用承载令牌来验证用户身份
app.UseOAuthBearerTokens(OAuthOptions);
我应该使用或用于安全性?
我怎样才能让IIS使用相同的安全路径的WebAPI是使用
当我装修我的WebAPI的方法呢?请注意,我需要一种方法来做到这一点
与web.config中,因为我没有获得进行更改IIS
直接一旦应用程序发布到云中。您可以使用授权属性在webconfig限制文件和文件夹,下面限制的例子限制特定的js文件只管理员
<位置路径=资源/脚本/ yourtopsecretjsfile.js>
< system.webServer>
<安全>
<授权>
<删除用户=*角色=动词=/>
<添加存取类型=允许角色=管理员/>
< /授权>
< /安全>
< /system.webServer>
< /地点>
我使用令牌认证那么,为什么cookie信息发送?
这是由服务器使用来识别身份验证的用户。如果你不想不发送cookie的信息做你可以看一看发送已签名的令牌,而不是每个请求做的事情。看看这篇文章,松散介绍了如何做到这一点(但有一个角JS /网页API 2的观点)<一个href=\"http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/\" rel=\"nofollow\">http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/
I have a Windows Azure WebAPI application with
- OWIN
- Oauth 2
- token authentication
- Identity 2 Framework
- VS2013 Update 2
- IIS (I am not sure which version. As I just updated everything in the stack then I assume the latest version)
Before a user is authenticated when there's a
<script>in my index.html file I notice cookies sent to the server looking like this:Accept-Language: en-US,en;q=0.8 Cookie: .AspNet.Cookies=GWLL4LgeFkn7jDndAwf-Pk_eZAPZ5LYZugSmv- ...After a user is authenticated I notice the cookies change:
Accept-Language: en-US,en;q=0.8 Cookie: .AspNet.Cookies=OqLMSpIv2aQ8KUcw3pWdAYtPYUI_tYMl4rEYKe16N ...I thought I was using token authentication so my first question is "why do the cookies get changed and why are they sent at all"?
Once a user is authenticated then with each $http request to the server I send a header like this:
Authorization: Bearer abcdefgetc....My authorization on the server works when I have WebAPI methods decorated like:
[Authorize(Roles = "Admin")]Here is the main web-config that shows the security settings:
<system.web> <authentication mode="None" /> <compilation debug="true" targetFramework="4.5.1" /> <httpRuntime targetFramework="4.5.1" /> </system.web> <system.webServer> <modules> <remove name="FormsAuthenticationModule" /> </modules> </system.webServer>Now I would like to add some security to some static javascript files that I have on the server. I know how I can code it so the files can be retrieved by my client and added to the DOM in two ways. Either way is okay for me to use although I prefer the first way if when I do that way then there can be authentication happen through cookies or otherwise:
With a script tag and a load
var el = doc.createElement("script"), loaded = false; el.onload = el.onreadystatechange = function () { if ((el.readyState && el.readyState !== "complete" && el.readyState !== "loaded") || loaded) { return false; } el.onload = el.onreadystatechange = null; loaded = true; // done! }; el.async = true; el.src = path; document.getElementsByTagName('head')[0].insertBefore(el, head.firstChild);With a $http call and then adding it directly to the DOM (I can supply bearer token)
$http({ url: '/Bundles/admin/admin1Bundle.js', method: "GET" }) .success(function (result) { var m = document.createElement('script'); m.appendChild(document.createTextNode(result)); document.getElementsByTagName('head')[0].appendChild(m);Once added the javascript becomes available. To add security I created a web.config in the folder to protect these files and allow only users with Admin role to have access:
Here is the folders web-config that shows the security settings:
<?xml version="1.0" encoding="utf-8"?> <configuration> <system.webServer> <security> <authorization> <remove users="*" roles="" verbs="" /> <add accessType="Allow" roles="Admin" verbs='GET'/> </authorization> </security> </system.webServer> </configuration>When a user with the role of Admin tries to access files in the folder with a GET that a has a bearer token they get a message saying:
Most likely causes: •No authentication protocol (including anonymous) is selected in IIS. •Only integrated authentication is enabled, and a client browser was used that does not support integrated authentication. •Integrated authentication is enabled and the request was sent through a proxy that changed the authentication headers before they reach the Web server. •The Web server is not configured for anonymous access and a required authorization header was not received. •The "configuration/system.webServer/authorization" configuration section may be explicitly denying the user access. This error occurs when the WWW-Authenticate header sent to the Web server is not supported by the server configuration. Check the authentication method for the resource, and verify which authentication method the client used. The error occurs when the authentication methods are different. To determine which type of authentication the client is using, check the authentication settings for the client.It seems like my IIS (the version I am using on my development environment when I click Debug > Start Debugging) is using a different kind of authentication from that used by my WebAPI. Can someone explain to me:
- Should I be using
<system.web>or<system.webServer>for the security?- How can I make the IIS use the same security path as WebAPI is using when I decorate my WebAPI methods? Note that I need a way to do this with web.config as I don't have access to make changes to the IIS directly once the application is published to the cloud.
- I am using token authentication so why is the cookie information sent? Could I just use this cookie information to secure my javascript files from getting downloaded?
Notes:
Here is the way I have authentication set up in Startup.Auth.cs
// Configure the application for OAuth based flow PublicClientId = "self"; OAuthOptions = new OAuthAuthorizationServerOptions { TokenEndpointPath = new PathString("/Token"), Provider = new ApplicationOAuthProvider(PublicClientId), AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"), AccessTokenExpireTimeSpan = TimeSpan.FromDays(14), AllowInsecureHttp = true }; // Enable the application to use bearer tokens to authenticate users app.UseOAuthBearerTokens(OAuthOptions);
解决方案Should I be using or for the security? How can I make the IIS use the same security path as WebAPI is using when I decorate my WebAPI methods? Note that I need a way to do this with web.config as I don't have access to make changes to the IIS directly once the application is published to the cloud.
You could use the authorization attribute in the webconfig to restrict files and folders, the example below restricts restricts a specific js file to admins only.
<location path="resources/scripts/yourtopsecretjsfile.js"> <system.webServer> <security> <authorization> <remove users="*" roles="" verbs="" /> <add accessType="Allow" roles="Administrators" /> </authorization> </security> </system.webServer> </location>
I am using token authentication so why is the cookie information sent?
It is used by the server to identify the authenticated user. If you don't want to do without sending the cookie info you can look at doing at sending a signed token with every request instead. Check out this article, loosely covers how to do that (but that with an angular JS/ Web API 2 point of view) http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/
这篇关于我怎样才能令牌认证添加到我的IIS这样一个文件夹中,以确保文件?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
