OWIN Authentication with IIS Basic Authentication


Problem description

I created a new ASP.NET MVC 5 application with default access control provided by Visual Studio 2013 and Owin Middleware.

I enabled basic authentication on IIS (disabling all the other authentications) to protect the site from people that don't have the user/password that I created on Windows. It results in a "redirect loop" in the browser.

Any ideas why? How can I protect a web site without changing the code?

Recommended answer

By default in file Startup.Auth.cs, there will be something like this:

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        // A 401 response is redirected to this path by the cookie middleware.
        LoginPath = new PathString("/Main/Account/Login"),
        CookieName = "OwinAuthCookie",
    });

When you enable Basic Authentication in IIS, here is what happens:

  1. IIS Basic Authentication module sees that there is no Authentication header, so it returns an HTTP 401 Response.
  2. The response is not returned immediately, but is processed by Owin.
  3. Owin sees the request got 401 (Unauthorized) Response, so it redirects to the configured LoginPath.
  4. Your browser processes the redirect, tries to open the new URL and we are back to point 1. And there's the loop.

What you can do is comment out the LoginPath property in the above code. This should stop the redirect loop, but also can (but doesn't have to, depending on your implementation) break authentication for application users.

What I eventually ended up with was implementing a small Owin middleware and doing Basic Authentication myself.

These links could be helpful:

  • Writing an OWIN Authentication Middleware
  • Basic Authentication with ASP.NET Web API Using OWIN Middleware
  • Thinktecture.IdentityModel on GitHub
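
A sketch of the approach the answer ends on (a small OWIN middleware that performs the Basic check itself), added here as an example and not the answerer's code. It assumes IIS Basic Authentication is switched off and Anonymous is enabled so requests reach OWIN; `BasicAuthMiddleware`, the realm string and `CheckSiteCredentials` are hypothetical names.

```csharp
using System;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin;

// Hypothetical class name; added example, not part of Microsoft.Owin.
public class BasicAuthMiddleware : OwinMiddleware
{
    private readonly string _realm;
    private readonly Func<string, string, bool> _validate; // caller-supplied credential check
    public BasicAuthMiddleware(OwinMiddleware next, string realm,
                               Func<string, string, bool> validate) : base(next)
    {
        _realm = realm;
        _validate = validate;
    }

    public override Task Invoke(IOwinContext context)
    {
        string user, pass;
        if (TryReadCredentials(context.Request.Headers.Get("Authorization"), out user, out pass)
            && _validate(user, pass))
            return Next.Invoke(context); // gate passed; cookie auth still handles app login
        // Short-circuit: Next is never called, so the cookie middleware registered
        // after this one never sees the 401 and cannot turn it into a LoginPath redirect.
        context.Response.StatusCode = 401;
        context.Response.Headers.Set("WWW-Authenticate", "Basic realm=\"" + _realm + "\"");
        return Task.FromResult(0);
    }

    private static bool TryReadCredentials(string header, out string user, out string pass)
    {
        user = pass = null;
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return false;
        try
        {
            string decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim()));
            int colon = decoded.IndexOf(':'); // split on the first ':'; the password may contain more
            if (colon < 0) return false;
            user = decoded.Substring(0, colon);
            pass = decoded.Substring(colon + 1);
            return true;
        }
        catch (FormatException) { return false; } // malformed base64
    }
}
// Startup.Auth.cs, before app.UseCookieAuthentication(...); CheckSiteCredentials is hypothetical:
//   app.Use<BasicAuthMiddleware>("Site", new Func<string, string, bool>(CheckSiteCredentials));
```

Registration order matters: placed after the cookie middleware, this 401 would be redirected to LoginPath and the loop would return. Basic credentials are only base64-encoded, so the site should be served over HTTPS and the validator should compare secrets in constant time.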
