Forms Authentication and POST requests from AJAX
Problem description
We have an ASP.NET app protected by forms authentication. The app uses MS AJAX heavily to call its web-services.
When the forms authentication times out, and a GET-request happens - all is fine (the user is redirected to a login page).
BUT when the forms authentication times out and a POST-request happens (ajax) - no redirect happens, instead the app returns "401 unauthorized" and the browser prompts for username and password (not a login form, but a browser's built-in dialog). Of course entering ANY username/password never helps.
How should I handle this?
UPDATE: After looking with firebug, I just found out that regular POST requests redirect to login fine, it's only web-service calls that throw "401 Unauthorized". The difference between a regular request and a web-service call is the URL, which is "page.aspx" for a regular post-request and "service.asmx/MethodName" for webservices...
Recommended answer
Ok, answering my own question.
After looking into this issue and researching a bit more I found that when a web-app is protected by Forms-Authentication and the user is not authenticated, this is what happens:
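- If it's a GET request - the user is redirected to the login page.
- If it's a POST request to a page - the user is redirected to the login page.
- If it's a POST request to a web-service - the user gets 401-Unauthorized.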
That's how ASP.NET works.
And if a web-service is called by AJAX (xmlHttpRequest object) and returns 401 - of course the browser shows a pop-up login box.
Now, what you should do is add some code to Application_PostAuthenticateRequest that will prevent throwing 401 for webservices.
// Namespaces used by the code below
using System;
using System.Configuration;
using System.Security.Principal;
using System.Web;
using System.Web.Configuration;
using System.Web.Security;

protected void Application_PostAuthenticateRequest(Object sender, EventArgs e)
{
    if (Request.RequestType == "POST"          // if it's a POST
        && !User.Identity.IsAuthenticated      // if the user is NOT authenticated
        && !HasAnonymousAccess(Context)        // if it's not the login page
        )
    {
        // let's get the auth type
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        SystemWebSectionGroup grp = (SystemWebSectionGroup)config.GetSectionGroup("system.web");
        AuthenticationSection auth = grp.Authentication;
        // if it's FORMS auth
        if (auth.Mode == AuthenticationMode.Forms)
        {
            // then redirect... this redirect won't work for AJAX cause xmlHttpRequest can't handle redirects, but anyway...
            Response.Redirect(FormsAuthentication.LoginUrl, true);
            Response.End();
        }
    }
}

// True when an anonymous (empty-identity) principal is allowed to request the current path
public static bool HasAnonymousAccess(HttpContext context)
{
    return UrlAuthorizationModule.CheckUrlAccessForPrincipal(
        context.Request.Path,
        new GenericPrincipal(new GenericIdentity(string.Empty), null),
        context.Request.HttpMethod);
}
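The code comment above notes that the redirect does not help an AJAX caller: XMLHttpRequest follows the 302 silently and hands the script the login page's HTML instead of the service result. The following is an added example, not part of the original answer, of client-side handling that recognises both outcomes (a direct 401, or a followed redirect to the login page) and sends the user to the login form. `LOGIN_PATH`, the function names and the sample URLs are assumptions for illustration.

```javascript
// Added example: detect an expired Forms Authentication session in AJAX code.
// LOGIN_PATH is an assumed value; use the loginUrl configured in web.config.
const LOGIN_PATH = "/login.aspx";

// resp = { status, contentType, finalUrl }, filled from an XMLHttpRequest:
// xhr.status, xhr.getResponseHeader("Content-Type"), xhr.responseURL
function classifyServiceResponse(resp, loginPath = LOGIN_PATH) {
  // Case 1: the web-service call was answered with 401 directly.
  if (resp.status === 401) return "session-expired";

  // Case 2: the server redirected; XHR followed it and now holds the
  // login page (HTML, final URL is the login path) instead of service data.
  const type = (resp.contentType || "").toLowerCase();
  let path = "";
  try {
    // The base is only used to resolve relative URLs; it is never contacted.
    path = new URL(resp.finalUrl, "http://placeholder.invalid").pathname.toLowerCase();
  } catch (e) {
    path = "";
  }
  if (resp.status === 200 && type.startsWith("text/html") &&
      path === loginPath.toLowerCase()) {
    return "session-expired";
  }
  return resp.status >= 200 && resp.status < 300 ? "ok" : "error";
}

// Build the login URL with a ReturnUrl. Only a site-relative path is accepted,
// so an absolute or protocol-relative URL cannot be used as the return target.
function loginRedirectUrl(currentPathAndQuery, loginPath = LOGIN_PATH) {
  const safe = /^\/(?![\/\\])/.test(currentPathAndQuery) ? currentPathAndQuery : "/";
  return loginPath + "?ReturnUrl=" + encodeURIComponent(safe);
}

// navigate is injected; in a browser pass: url => window.location.assign(url)
function handleServiceResponse(resp, currentPathAndQuery, navigate) {
  const outcome = classifyServiceResponse(resp);
  if (outcome === "session-expired") navigate(loginRedirectUrl(currentPathAndQuery));
  return outcome;
}
```

Call `handleServiceResponse` from the completion callback of each web-service request, before the response body is parsed as service data.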