使用 user/pass 向 web.config 添加基本身份验证的最简单方法

Simplest way to add Basic authentication to web.config with user/pass

我正在设置一个 Azure API 管理,背后有一个 ASP.NET WebApi 2 应用程序。 API 管理建议在 API 管理代理和 ASP.NET WebApi 之间设置基本身份验证,以确保只能通过 API 管理代理访问 WebApi。

(当然,OAuth 令牌仍将与 "real" 身份验证请求一起发送,但我稍后会添加。)

考虑到这一点,我真的不想在应用程序中实现基本身份验证,我希望通过 Web.config.

由 IIS 专门处理它

问题如何设置我的 Web.config 以使用存储在 [=53= 中的 username/password 进行基本验证]?

我试过的:

我尝试关注这篇文章Apply ASP.NET Authentication and Authorization Rules to Static Content with IIS 7.0's Integrated Pipeline Feature,但运气不佳。

这个问题没有答案,但他们可能会问类似的问题:web.config single user basic auth

我在这里找到的其他答案包括在我不想做的应用程序中添加身份验证。

这是我的 Web.config:

<?xml version="1.0"?>
<configuration>
  <configSections>
    <!-- For more information on Entity Framework configuration, visit http://go.microsoft.com/fwlink/?LinkID=237468 -->
    <section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false"/>
  </configSections>
  <appSettings configSource="bin\debug-appSettings.config"/>
  <connectionStrings configSource="bin\debug-connectionStrings.config"/>
  <system.web>
    <compilation targetFramework="4.5.2"/>
    <httpRuntime targetFramework="4.5.2"/>
    <authentication mode="Forms">
      <forms>
        <credentials passwordFormat="Clear">
          <user name="test" password="test" />
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <allow users="test" />
      <deny users="*" />
    </authorization>
  </system.web>
  <system.webServer>
    <handlers>
      <remove name="ExtensionlessUrlHandler-Integrated-4.0"/>
      <remove name="OPTIONSVerbHandler"/>
      <remove name="TRACEVerbHandler"/>
      <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0"/>
    </handlers>
    <modules>
      <remove name="FormsAuthenticationModule" />
      <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
    </modules>
    <security>
      <authentication>
        <basicAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.Azure.AppService.ApiApps.Service" publicKeyToken="31BF3856AD364E35" culture="neutral"/>
        <bindingRedirect oldVersion="0.0.0.0-0.9.64.0" newVersion="0.9.64.0"/>
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" culture="neutral" publicKeyToken="30ad4fe6b2a6aeed"/>
        <bindingRedirect oldVersion="0.0.0.0-7.0.0.0" newVersion="7.0.0.0"/>
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Net.Http.Formatting" publicKeyToken="31bf3856ad364e35" culture="neutral"/>
        <bindingRedirect oldVersion="0.0.0.0-5.2.3.0" newVersion="5.2.3.0"/>
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Http" publicKeyToken="31bf3856ad364e35" culture="neutral"/>
        <bindingRedirect oldVersion="0.0.0.0-5.2.3.0" newVersion="5.2.3.0"/>
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="MiniProfiler" publicKeyToken="b44f9351044011a3" culture="neutral"/>
        <bindingRedirect oldVersion="0.0.0.0-3.2.0.157" newVersion="3.2.0.157"/>
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.IdentityModel.Tokens.Jwt" publicKeyToken="31bf3856ad364e35" culture="neutral"/>
        <bindingRedirect oldVersion="0.0.0.0-4.0.20622.1351" newVersion="4.0.20622.1351"/>
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.WindowsAzure.Storage" publicKeyToken="31bf3856ad364e35" culture="neutral"/>
        <bindingRedirect oldVersion="0.0.0.0-6.1.0.0" newVersion="6.1.0.0"/>
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
  <entityFramework>
    <defaultConnectionFactory type="System.Data.Entity.Infrastructure.LocalDbConnectionFactory, EntityFramework">
      <parameters>
        <parameter value="mssqllocaldb"/>
      </parameters>
    </defaultConnectionFactory>
    <providers>
      <provider invariantName="System.Data.SqlClient" type="System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer"/>
    </providers>
  </entityFramework>
</configuration>

我使用 PostMan 发送请求,其中包含以下内容 headers:

Authorization: Basic dGVzdDp0ZXN0
Content-Type: application/json

但我得到的只是 IIS 的 401.1 页面。

我错过了什么?

我最终将 BasicAuthentication 实现为 HttpModule。我稍后会用详细信息更新这个答案。

编辑:

NuGet 包:https://www.nuget.org/packages/Hexasoft.BasicAuthentication

来源:https://github.com/hexasoftuk/Hexasoft.BasicAuthentication