User Authentication in ASP.NET Web API


Question

This topic has been incredibly confusing for me. I am a rookie in HTTP apps but need to develop an iPhone client that consumes JSON data from somewhere. I chose Web API from MS because it seemed easy enough, but when it comes to authenticating users, things get quite frustrating.

I am amazed how I've not been able to find a clear example of how to authenticate a user right from the login screen down to using the Authorize attribute over my ApiController methods after several hours of Googling.

This is not a question but a request for an example of how to do this exactly. I have looked at the following pages:

Even though these explain how to handle unauthorized requests, they do not demonstrate clearly something like a LoginController, or something like that, to ask for user credentials and validate them.

Anyone willing to write a nice simple example or point me in the right direction, please?

Thanks.

Answer

I am amazed how I've not been able to find a clear example of how to authenticate a user right from the login screen down to using the Authorize attribute over my ApiController methods after several hours of Googling.

That's because you are getting confused about these two concepts:

  • Authentication is the mechanism whereby systems may securely identify their users. Authentication systems provide answers to the questions:

      • Who is the user?
      • Is the user really who he/she represents himself to be?

  • Authorization is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system. For example, a database management system might be designed so as to provide certain specified individuals with the ability to retrieve information from a database but not the ability to change data stored in the database, while giving other individuals the ability to change data. Authorization systems provide answers to the questions:

      • Is user X authorized to access resource R?
      • Is user X authorized to perform operation P?
      • Is user X authorized to perform operation P on resource R?

The Authorize attribute in MVC is used to apply access rules, for example:

 [System.Web.Http.Authorize(Roles = "Admin, Super User")]
 public ActionResult AdministratorsOnly()
 {
     return View();
 }

The above rule will allow only users in the Admin and Super User roles to access the method.

These rules can also be set in the web.config file, using the location element. Example:

  <location path="Home/AdministratorsOnly">
    <system.web>
      <authorization>
        <allow roles="Administrators"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>

However, before those authorization rules are executed, you have to be authenticated to the current web site.

Even though these explain how to handle unauthorized requests, they do not demonstrate clearly something like a LoginController, or something like that, to ask for user credentials and validate them.

From here, we could split the problem in two:

  • Authenticate users when consuming the Web API services within the same Web application

This would be the simplest approach, because you would rely on the authentication in ASP.Net.

Here is a simple example:

<authentication mode="Forms">
  <forms
    protection="All"
    slidingExpiration="true"
    loginUrl="account/login"
    cookieless="UseCookies"
    enableCrossAppRedirects="false"
    name="cookieName"
  />
</authentication>

Users will be redirected to the account/login route; there you would render custom controls to ask for user credentials, and then you would set the authentication cookie using:

    // Login action; the signature is the one from the standard MVC AccountController template
    [HttpPost]
    [AllowAnonymous]
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        if (ModelState.IsValid)
        {
            // Check the credentials against the configured Membership provider
            if (Membership.ValidateUser(model.UserName, model.Password))
            {
                // Issue the forms-authentication cookie for this user
                FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
                return RedirectToAction("Index", "Home");
            }
            else
            {
                ModelState.AddModelError("", "The user name or password provided is incorrect.");
            }
        }

        // If we got this far, something failed, redisplay form
        return View(model);
    }

  • Cross-platform authentication

    This case would be when you are only exposing Web API services within the Web application; therefore, you would have another client consuming the services. The client could be another Web application or any .Net application (Win Forms, WPF, console, Windows service, etc.).

    For example, assume that you will be consuming the Web API service from another web application on the same network domain (within an intranet); in this case you could rely on the Windows authentication provided by ASP.Net.

    <authentication mode="Windows" />
    

    If your services are exposed on the Internet, then you would need to pass the authenticated tokens to each Web API service.

    For more info, take a look at the following articles:

    http://codebetter.com/johnvpetersen/2012/04/02/making-your-asp-net-web-apis-secure/
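As an added example (not part of the original answer or of any Microsoft sample), here is how the first half of the answer looks end to end in Web API: a hypothetical LoginController that validates credentials with the Membership provider and issues the forms-authentication cookie, and a protected ApiController on which [Authorize] enforces the access rule from above. LoginRequest, OrdersController and the returned data are constructed for illustration.

```csharp
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Security;

// Credentials posted by the client as JSON (model name is an assumption).
public class LoginRequest
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

// Hypothetical LoginController for the Forms-authentication case: validates the
// credentials against the configured Membership provider and, on success, issues
// the forms-authentication cookie that the client sends on later requests.
public class LoginController : ApiController
{
    [HttpPost]
    [AllowAnonymous] // the only endpoint reachable without a valid cookie
    public HttpResponseMessage Post(LoginRequest model)
    {
        if (model == null || !ModelState.IsValid || string.IsNullOrEmpty(model.UserName))
            return Request.CreateResponse(HttpStatusCode.BadRequest);

        // Same status for an unknown user and a wrong password, so the response
        // does not reveal which one failed.
        if (!Membership.ValidateUser(model.UserName, model.Password))
            return Request.CreateResponse(HttpStatusCode.Unauthorized);

        // GetAuthCookie instead of SetAuthCookie so the cookie flags can be pinned:
        // never persistent for an API client, not readable by script, HTTPS only.
        var cookie = FormsAuthentication.GetAuthCookie(model.UserName, createPersistentCookie: false);
        cookie.HttpOnly = true;
        cookie.Secure = true; // assumes the site is served over TLS
        System.Web.HttpContext.Current.Response.Cookies.Add(cookie);
        return Request.CreateResponse(HttpStatusCode.NoContent);
    }
}

// Protected Web API controller: [Authorize] answers "who is the user?" with a 401
// when no valid cookie is present, and Roles applies the answer's access rule.
[Authorize]
public class OrdersController : ApiController
{
    public IHttpActionResult Get() => Ok(new[] { "order-1", "order-2" }); // constructed data

    [Authorize(Roles = "Admin, Super User")]
    public IHttpActionResult Delete(int id) => StatusCode(HttpStatusCode.NoContent);
}
```

Because the session rides on a cookie, a browser-based client of this API also needs anti-forgery protection (a custom header or token check), which the cookie alone does not provide.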

