包括ASP.NET Windows身份验证401响应的自定义内容 [英] Include custom content in ASP.NET Windows Authentication 401 response
问题描述
我们有一个内部系统,用户可以使用Windows身份验证进行身份验证,但是我们希望包括在401 repsonse一些自定义的内容,将用户带到一个自定义的用户名/密码认证页面,如果取消这个Windows身份验证对话框。
We have an internal system where users can authenticate using Windows authentication but we want to include some custom content in the 401 repsonse that takes the user to a custom username/password authentication page if the cancel off the Windows authentication dialog.
当未认证用户访问一个网页,Windows身份验证一个401 Unauthorized响应响应,与头
When an unauthenticated user accesses a page, Windows authentication responds with a 401 Unauthorized response, with the headers
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
这提示浏览器中显示一个对话框,要求Windows凭据。如果用户输入其凭证,还有另一种握手请求 - 响应,然后用户被认证,并且请求显示的网页。
This prompts the browser to show a dialog asking for Windows credentials. If the user enters their credentials, there is another handshake request-response, and then the user is authenticated and the requested page is shown.
如果用户取消对话框,浏览器显示原来的401未授权效应初探的内容。
我们使用Application_EndRequest在Global.asax返回这里的一些自定义内容这需要用户到我们的自定义登录系统。
If the user cancels the dialog, the browser displays the content of the original 401 Unauthorized reponse. We use Application_EndRequest in the Global.asax to return some custom content here which takes the user to our custom login system.
/// <summary>
/// If we are about to send the NTLM authenticate headers, include this content. Then, if the user cancels off the
/// windows auth dialog, they will be presented with this page and redirected to the username / password login screen
/// </summary>
void Application_EndRequest(object sender, EventArgs e)
{
Logger.DebugFormat("in Application_EndRequest. Response.StatusCode: {0}", Response.StatusCode);
if (Response.StatusCode == 401)
{
Response.ContentType = "text/html";
var redirectUrl = string.Format("https://mycompany.com/SSO/Login?encryptedSessionRequestId={1}",
HttpUtility.UrlEncode(Request.QueryString["encryptedSessionRequestId"]));
var text = File.ReadAllText(Server.MapPath("~/UnauthorizedError.html"));
text = text.Replace("[USERNAME_PASSWORD_LOGON_REDIRECT]", redirectUrl);
Response.Write(text);
Logger.Debug("Done writing response");
Response.End();
}
}
UnauthorizedError.html包含以下脚本,转发用户上
UnauthorizedError.html contains the following script which forwards the user on
<script language="javascript" type="text/javascript">
window.location = "[USERNAME_PASSWORD_LOGON_REDIRECT]";
</script>
当在(Win7的/ IIS7.5)本地运行,这个伟大的工程,我们使用的Response.Write()来发送我们的内容和用户能够看到它的时候,他们取消对话框。
When running locally in (Win7/IIS7.5), this works great, we use Response.Write() to send our content and the user is able to see it when they cancel the dialog.
但远程访问该网站时,如当它在我们的开发环境中运行,尽管我们可以从Application_EndRequest被调用和我们的内容写入响应日志中看到,它在某些时候重写和所有到达浏览器是认证报头和文本您没有权限查看该目录或页面。
But when accessing the site remotely, e.g. when it running in our development environment, although we can see from the logs that Application_EndRequest is being called and our content written to the response, it is overridden at some point and all that reaches the browser is the authentication headers and the text You do not have permission to view this directory or page.
1)我们怎样才能prevent此内容被覆盖?
1) How can we prevent this content being overwritten?
2)凡在管道这可能是这样吗?
2) Where in the pipeline might this be happening?
3)任何人不会有另一种方式的建议,以实现这一行为,例如使用HTTP模块?
3) Does anyone have any suggestions of another way to implement this behaviour, e.g. with an HTTP module?
谢谢!
推荐答案
我浪费了很多解决这个问题,但没有直接的解决方案。
这是因为赢身份验证适用于IIS网站没有水平,你无法控制怎么权威性当前请求。
还有就是使用重定向上依赖于IP不同的登录页面数哈克方式。
I wasted a lot to solve this problem but there isn't direct solution. It because win auth works on iis not site level and you can't control how to auth current request. There is several hacky ways to use redirection on different login pages depending on ip.
这篇关于包括ASP.NET Windows身份验证401响应的自定义内容的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
