Forms Authentication and POST requests from AJAX

Question

We have an ASP.NET app protected by forms authentication. The app uses MS AJAX heavily to call its web-services.

When the forms authentication times out, and a GET-request happens - all is fine (the user is redirected to a login page).

BUT when the forms authentication times out and a POST-request happens (ajax) - no redirect happens, instead the app returns "401 unauthorized" and the browser prompts for username and password (not a login form, but a browser's built-in dialog). Of course entering ANY username/password never helps.

How do I handle this?

UPDATE: After looking with firebug, I just found out that regular POST requests redirect to login fine, it's only web-service calls that throw "401 Unauthorized". The difference between a regular request and web-service is URL. Which is "page.aspx" for a regular post-request and "service.asmx/MethodName" for webservices...

Recommended answer

Ok, answering my own question.

After looking into this issue and researching a bit more I found that when a web-app is protected by Forms-Authentication and the user is not authenticated, this is what happens:

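  • If it's a GET request - the user is
    redirected to the login page.

  • If it's a POST request to a page - the user is
    redirected to the login page.

  • If it's a POST request to a web-service - the
    user gets 401-unauthorized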

That's how ASP.NET works.

And if a web-service is called by AJAX (xmlHttpRequest object) and returns 401 - of course the browser shows a pop-up login box.

Now, what you should do is add some code to Application_PostAuthenticateRequest that will prevent throwing 401 for webservices.

// Global.asax.cs. Namespaces used below:
// System.Configuration, System.Security.Principal, System.Web,
// System.Web.Configuration, System.Web.Security
protected void Application_PostAuthenticateRequest(Object sender, EventArgs e)
{
	if (Request.RequestType == "POST" // it's a POST
		&& !User.Identity.IsAuthenticated // user is NOT authenticated
		&& !HasAnonymousAccess(Context) // path is not open to anonymous users (e.g. the login page)
		)
	{
		// read the configured authentication mode from web.config
		Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
		SystemWebSectionGroup grp = (SystemWebSectionGroup)config.GetSectionGroup("system.web");
		AuthenticationSection auth = grp.Authentication;
		// only act when the app uses FORMS authentication
		if (auth.Mode == AuthenticationMode.Forms)
		{

			// then redirect... this redirect won't work for AJAX because xmlHttpRequest can't handle redirects, but anyway...
			Response.Redirect(FormsAuthentication.LoginUrl, true);
			Response.End();

		}
	}
}

// Returns true when an anonymous (empty-identity) principal is allowed to
// request the current path with the current HTTP method.
public static bool HasAnonymousAccess(HttpContext context)
{
	return UrlAuthorizationModule.CheckUrlAccessForPrincipal(
		context.Request.Path,
		new GenericPrincipal(new GenericIdentity(string.Empty), null),
		context.Request.HttpMethod);
}
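
A client-side counterpart to the handler above, as an added example that is not part of the original answer: because XMLHttpRequest follows the redirect silently, the AJAX caller sees the login page's HTML as a 200 response, so the script has to recognise that case and navigate the whole page itself. The names LOGIN_PATH, classifyResponse and loginUrlFor, the host app.example and the sample responses are assumptions made for illustration.

```javascript
// Added example. LOGIN_PATH is an assumption standing in for the app's
// forms-authentication loginUrl; the sample responses are constructed.
const LOGIN_PATH = '/login.aspx';

// resp = { status, finalUrl, contentType }, as read in the browser from
// xhr.status, xhr.responseURL and xhr.getResponseHeader('Content-Type').
function classifyResponse(resp, origin) {
  // The service answered 401 directly (the behaviour from the question).
  if (resp.status === 401) return 'reauth';
  const finalUrl = new URL(resp.finalUrl, origin);
  // The server redirected to the login page; XHR followed it, so the
  // expired session arrives as a 200 whose final URL is the login page.
  if (finalUrl.origin === origin &&
      finalUrl.pathname.toLowerCase() === LOGIN_PATH) return 'reauth';
  if (resp.status >= 200 && resp.status < 300) {
    // A web-service call should return data, not an HTML page.
    return /json|xml/i.test(resp.contentType || '') ? 'ok' : 'unexpected';
  }
  return 'error';
}

// Target for a top-level navigation (window.location.assign) on 'reauth'.
// Only path + query go into ReturnUrl, so it always stays a local path.
function loginUrlFor(currentHref, origin) {
  const cur = new URL(currentHref, origin);
  return LOGIN_PATH + '?ReturnUrl=' + encodeURIComponent(cur.pathname + cur.search);
}

// Constructed sample responses for the cases discussed above.
const ORIGIN = 'https://app.example';
const SAMPLES = [
  { status: 401, finalUrl: '/service.asmx/MethodName', contentType: 'text/html' },
  { status: 200, finalUrl: ORIGIN + '/login.aspx?ReturnUrl=%2fservice.asmx%2fMethodName',
    contentType: 'text/html; charset=utf-8' },
  { status: 200, finalUrl: ORIGIN + '/service.asmx/MethodName',
    contentType: 'application/json; charset=utf-8' },
  { status: 500, finalUrl: ORIGIN + '/service.asmx/MethodName', contentType: 'text/html' },
];

function classifySamples() {
  return SAMPLES.map((s) => classifyResponse(s, ORIGIN));
}
```

In the page script, call classifyResponse from the XHR completion handler and, on 'reauth', assign loginUrlFor(window.location.href, window.location.origin) to window.location instead of passing the response body to the service callback.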
