注册
登录
运筹学
ASP.NET Core Web API身份验证
返回
ASP.NET Core Web API身份验证
作者:
v-star*위위
发布时间:
2024-12-15 06:52:24 (2月前)
转自:
<div class =“excerpt”> 网络服务 <span class =“result-highlight”> 操作 </跨度> 。 过了一些 <span class =“result-highlight”> 研究 </跨度> ,我想出了基本身份验证 - 在HTTP请求的标头中发送用户名和密码。 但是过了几个小时 <span class =“result-highlight”> 研究 </跨度> ,在我看来 </DIV>
收藏
举报
8 条回复
0#
回复此人
trpnest
|
2019-08-31 10-32
<div class =“post-text”itemprop =“text”> <P> 我已经实施了 <code> BasicAuthenticationHandler </code> 用于基本身份验证,因此您可以将其与标准属性一起使用 <code> Authorize </code> 和 <code> AllowAnonymous </code> 。 </p> <pre> <code> public class BasicAuthenticationHandler : AuthenticationHandler<BasicAuthenticationOptions> { protected override Task<AuthenticateResult> HandleAuthenticateAsync() { var authHeader = (string)this.Request.Headers["Authorization"]; if (!string.IsNullOrEmpty(authHeader) && authHeader.StartsWith("basic", StringComparison.OrdinalIgnoreCase)) { //Extract credentials string encodedUsernamePassword = authHeader.Substring("Basic ".Length).Trim(); Encoding encoding = Encoding.GetEncoding("iso-8859-1"); string usernamePassword = encoding.GetString(Convert.FromBase64String(encodedUsernamePassword)); int seperatorIndex = usernamePassword.IndexOf(':'); var username = usernamePassword.Substring(0, seperatorIndex); var password = usernamePassword.Substring(seperatorIndex + 1); //you also can use this.Context.Authentication here if (username == "test" && password == "test") { var user = new GenericPrincipal(new GenericIdentity("User"), null); var ticket = new AuthenticationTicket(user, new AuthenticationProperties(), Options.AuthenticationScheme); return Task.FromResult(AuthenticateResult.Success(ticket)); } else { return Task.FromResult(AuthenticateResult.Fail("No valid user.")); } } this.Response.Headers["WWW-Authenticate"]= "Basic realm=\"yourawesomesite.net\""; return Task.FromResult(AuthenticateResult.Fail("No credentials.")); } } public class BasicAuthenticationMiddleware : AuthenticationMiddleware<BasicAuthenticationOptions> { public BasicAuthenticationMiddleware( RequestDelegate next, IOptions<BasicAuthenticationOptions> options, ILoggerFactory loggerFactory, UrlEncoder encoder) : base(next, options, loggerFactory, encoder) { } protected override AuthenticationHandler<BasicAuthenticationOptions> CreateHandler() { return new BasicAuthenticationHandler(); } } public class BasicAuthenticationOptions : AuthenticationOptions { public BasicAuthenticationOptions() { AuthenticationScheme = "Basic"; AutomaticAuthenticate = true; } } </code> </pre> <P> 在Startup.cs注册 - <code> app.UseMiddleware<BasicAuthenticationMiddleware>(); </code> 。使用此代码,您可以使用标准属性Autorize限制任何控制器: </p> <pre> <code> [Authorize(ActiveAuthenticationSchemes = "Basic")] [Route("api/[controller]")] public class ValuesController : Controller </code> </pre> <P> 并使用属性 <code> AllowAnonymous </code> 如果您在应用程序级别应用授权筛选器。 </p> </DIV>
编辑
1#
回复此人
那年
|
2019-08-31 10-32
<div class =“post-text”itemprop =“text”> <P> 我想你可以和JWT(Json Web Tokens)一起去。 </p> <P> 首先,您需要安装包System.IdentityModel.Tokens.Jwt: </p> <pre> <code> $ dotnet add package System.IdentityModel.Tokens.Jwt </code> </pre> <P> 您需要添加一个用于令牌生成和身份验证的控制器,如下所示: </p> <pre> <code> public class TokenController : Controller { [Route("/token")] [HttpPost] public IActionResult Create(string username, string password) { if (IsValidUserAndPasswordCombination(username, password)) return new ObjectResult(GenerateToken(username)); return BadRequest(); } private bool IsValidUserAndPasswordCombination(string username, string password) { return !string.IsNullOrEmpty(username) && username == password; } private string GenerateToken(string username) { var claims = new Claim[] { new Claim(ClaimTypes.Name, username), new Claim(JwtRegisteredClaimNames.Nbf, new DateTimeOffset(DateTime.Now).ToUnixTimeSeconds().ToString()), new Claim(JwtRegisteredClaimNames.Exp, new DateTimeOffset(DateTime.Now.AddDays(1)).ToUnixTimeSeconds().ToString()), }; var token = new JwtSecurityToken( new JwtHeader(new SigningCredentials( new SymmetricSecurityKey(Encoding.UTF8.GetBytes("Secret Key You Devise")), SecurityAlgorithms.HmacSha256)), new JwtPayload(claims)); return new JwtSecurityTokenHandler().WriteToken(token); } } </code> </pre> <P> 之后更新Startup.cs类如下所示: </p> <pre> <code> namespace WebAPISecurity { public class Startup { public Startup(IConfiguration configuration) { Configuration = configuration; } public IConfiguration Configuration { get; } // This method gets called by the runtime. Use this method to add services to the container. public void ConfigureServices(IServiceCollection services) { services.AddMvc(); services.AddAuthentication(options => { options.DefaultAuthenticateScheme = "JwtBearer"; options.DefaultChallengeScheme = "JwtBearer"; }) .AddJwtBearer("JwtBearer", jwtBearerOptions => { jwtBearerOptions.TokenValidationParameters = new TokenValidationParameters { ValidateIssuerSigningKey = true, IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("Secret Key You Devise")), ValidateIssuer = false, //ValidIssuer = "The name of the issuer", ValidateAudience = false, //ValidAudience = "The name of the audience", ValidateLifetime = true, //validate the expiration and not before values in the token ClockSkew = TimeSpan.FromMinutes(5) //5 minute tolerance for the expiration date }; }); } // This method gets called by the runtime. Use this method to configure the HTTP request pipeline. public void Configure(IApplicationBuilder app, IHostingEnvironment env) { if (env.IsDevelopment()) { app.UseDeveloperExceptionPage(); } app.UseAuthentication(); app.UseMvc(); } } </code> </pre> <P> 就是这样,现在剩下的就是放 <code> [Authorize] </code> 您想要的控制器或操作的属性。 </p> <P> 这是一个完整的直接教程的链接。 </p> <P> <a href="http://www.blinkingcaret.com/2017/09/06/secure-web-api-in-asp-net-core/" rel="nofollow noreferrer"> http://www.blinkingcaret.com/2017/09/06/secure-web-api-in-asp-net-core/ </A> </p> </DIV>
编辑
2#
回复此人
岁爵
|
2019-08-31 10-32
<div class =“post-text”itemprop =“text”> <P> 要仅将其用于特定控制器,请使用以下命令: </p> <pre> <code> app.UseWhen(x => (x.Request.Path.StartsWithSegments("/api", StringComparison.OrdinalIgnoreCase)), builder => { builder.UseMiddleware<AuthenticationMiddleware>(); }); </code> </pre> </DIV>
编辑
3#
回复此人
那月静好
|
2019-08-31 10-32
<div class =“post-text”itemprop =“text”> <P> 现在,在我指出正确的方向后,这是我的完整解决方案: </p> <P> 这是在每个传入请求上执行的中间件类,并检查请求是否具有正确的凭据。如果没有凭据或者它们是错误的,则服务响应a <EM> 401未经授权 </EM> 立即出错。 </p> <pre> <code> public class AuthenticationMiddleware { private readonly RequestDelegate _next; public AuthenticationMiddleware(RequestDelegate next) { _next = next; } public async Task Invoke(HttpContext context) { string authHeader = context.Request.Headers["Authorization"]; if (authHeader != null && authHeader.StartsWith("Basic")) { //Extract credentials string encodedUsernamePassword = authHeader.Substring("Basic ".Length).Trim(); Encoding encoding = Encoding.GetEncoding("iso-8859-1"); string usernamePassword = encoding.GetString(Convert.FromBase64String(encodedUsernamePassword)); int seperatorIndex = usernamePassword.IndexOf(':'); var username = usernamePassword.Substring(0, seperatorIndex); var password = usernamePassword.Substring(seperatorIndex + 1); if(username == "test" && password == "test" ) { await _next.Invoke(context); } else { context.Response.StatusCode = 401; //Unauthorized return; } } else { // no authorization header context.Response.StatusCode = 401; //Unauthorized return; } } } </code> </pre> <P> 需要在服务Startup类的Configure方法中调用中间件扩展 </p> <pre> <code> public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory) { loggerFactory.AddConsole(Configuration.GetSection("Logging")); loggerFactory.AddDebug(); app.UseMiddleware<AuthenticationMiddleware>(); app.UseMvc(); } </code> </pre> <P> 就这样! :) </p> <P> 可以在此处找到.Net Core中的中间件和身份验证的非常好的资源: <a href="https://www.exceptionnotfound.net/writing-custom-middleware-in-asp-net-core-1-0/"> https://www.exceptionnotfound.net/writing-custom-middleware-in-asp-net-core-1-0/ </A> </p> </DIV>
编辑
4#
回复此人
夏花
|
2019-08-31 10-32
<div class =“post-text”itemprop =“text”> <P> 在这个公共Github回购 <a href="https://github.com/boskjoett/BasicAuthWebApi" rel="nofollow noreferrer"> https://github.com/boskjoett/BasicAuthWebApi </A> 您可以看到一个简单的ASP.NET Core 2.2 Web API示例,其端点受基本身份验证保护。 </p> </DIV>
编辑
5#
回复此人
生如夏花
|
2019-08-31 10-32
<div class =“post-text”itemprop =“text”> <P> 的<strong> 带有Angular的ASP.NET Core 2.0 </强> </p> <P> <a href =“https://fullstackmark.com/post/13/jwt-authentication-with-aspnet-core-2-web-api-angular-5-net-core-identity-and-facebook-login"rel =“nofollow noreferrer”> https://fullstackmark.com/post/13/jwt-authentication-with-aspnet-core-2-web-api-angular-5-net-core-identity-and-facebook-login </A> </p> <P> 确保使用身份验证过滤器类型 </p> <P> 的<strong> [授权(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)] </强> </p> </DIV>
编辑
6#
回复此人
部落用户
|
2019-08-31 10-32
<div class =“post-text”itemprop =“text”> <P> 您可以实现处理基本身份验证的中间件。 </p> <pre> <code> public async Task Invoke(HttpContext context) { var authHeader = context.Request.Headers.Get("Authorization"); if (authHeader != null && authHeader.StartsWith("basic", StringComparison.OrdinalIgnoreCase)) { var token = authHeader.Substring("Basic ".Length).Trim(); System.Console.WriteLine(token); var credentialstring = Encoding.UTF8.GetString(Convert.FromBase64String(token)); var credentials = credentialstring.Split(':'); if(credentials[0] == "admin" && credentials[1] == "admin") { var claims = new[] { new Claim("name", credentials[0]), new Claim(ClaimTypes.Role, "Admin") }; var identity = new ClaimsIdentity(claims, "Basic"); context.User = new ClaimsPrincipal(identity); } } else { context.Response.StatusCode = 401; context.Response.Headers.Set("WWW-Authenticate", "Basic realm=\"dotnetthoughts.net\""); } await _next(context); } </code> </pre> <P> 此代码是在asp.net核心的beta版本中编写的。希望能帮助到你。 </p> </DIV>
编辑
登录
后才能参与评论
