WebAPI 基本身份验证授权过滤器和机器密钥
WebAPI Basic Authentication Authorization Filter and machine keys
我正在使用 [WebAPI Basic Authentication Authorization Filter] 授权用户使用我的简单网络 api 数据服务。
问题是:在本地主机上一切正常,但是当我将服务发布到网络时 (http://www.mywebsite.com),客户端应用程序总是得到 "Unauthorize" 响应。
这一行是我从本地主机切换到网络时(在客户端)所做的全部更改
//client.BaseAddress = new Uri("http://localhost:11992/"); // on localhost work
client.BaseAddress = new Uri("http://mywebsite.com/"); // returns 401 Unauthorized
尝试使用远程 IIS 管理器添加机器密钥,但同样的事情发生了。
在 system.web 中引用此机器密钥 (web.config)
IIS上的认证方式如下
还是不行。显然我在这里遗漏了一些东西。
更新
我正在扩展基本身份验证。我稍后将过滤器应用于我的控制器操作(我从客户端访问的那个)
[MyBasicAuthenticationFilter]
public class DataController : RavenController { ... }
并在此自定义身份验证中。过滤有硬编码的用户名并通过
public class MyBasicAuthenticationFilter : BasicAuthenticationFilter
{
public MyBasicAuthenticationFilter()
{ }
public MyBasicAuthenticationFilter(bool active)
: base(active)
{ }
protected override bool OnAuthorizeUser(string username, string password, HttpActionContext actionContext)
{
if (username == "myuser" && password == "mypass")
return true;
else
return false;
}
}
从客户端(wpf 客户端)
client.BaseAddress = new Uri("http://mywebsite.com/");
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic",
Convert.ToBase64String(System.Text.ASCIIEncoding.ASCII.GetBytes(
string.Format("{0}:{1}", "myuser", "mypass"))));
我很困惑,因为相同的代码在本地主机上工作正常,但是当我发布代码并将此 client.BaseAddress 更改为我的实际网站时 url 它 returns 401 错误。
BasicAuthenticationFilter class 为 Encoding.Default Rick Strahl's Web Log uses the System's default encoding to extract the user credentials from the authorization header. As per the MSDN documentation 属性:
Different computers can use different encodings as the default, and
the default encoding can even change on a single computer. Therefore,
data streamed from one computer to another or even retrieved at
different times on the same computer might be translated incorrectly.
In addition, the encoding returned by the Default property uses
best-fit fallback to map unsupported characters to characters
supported by the code page. For these two reasons, using the default
encoding is generally not recommended. To ensure that encoded bytes
are decoded properly, you should use a Unicode encoding, such as
UTF8Encoding or UnicodeEncoding, with a preamble. Another option is to
use a higher-level protocol to ensure that the same format is used for
encoding and decoding.
根据提供的信息,这是最有可能的代码行,它可能会根据您的代码部署到的服务器的配置给出不同的结果。
因此,我会考虑替换 BasicAuthenticationFilter class 的 ParseAuthorizationHeader 方法中的以下行:
authHeader = Encoding.Default.GetString(Convert.FromBase64String(authHeader));
使用以下代码:
Encoding iso88591 = Encoding.GetEncoding("iso-8859-1");
authHeader = iso88591.GetString(Convert.FromBase64String(authHeader));
iso-8859-1 将为您提供与所有发送基本身份验证的客户端的最佳兼容性 header。请参阅以下 Whosebug 问题,了解在执行 HTTP 基本身份验证时使用的推荐编码:What encoding should I use for HTTP Basic Authentication?
或者,如果您是唯一一个将从您的 WCF 客户端调用 API 的人,那么只需确保您使用与服务器相同的字符代码对用户名和密码进行编码将其解码。
我正在使用 [WebAPI Basic Authentication Authorization Filter] 授权用户使用我的简单网络 api 数据服务。
问题是:在本地主机上一切正常,但是当我将服务发布到网络时 (http://www.mywebsite.com),客户端应用程序总是得到 "Unauthorize" 响应。
这一行是我从本地主机切换到网络时(在客户端)所做的全部更改
//client.BaseAddress = new Uri("http://localhost:11992/"); // on localhost work
client.BaseAddress = new Uri("http://mywebsite.com/"); // returns 401 Unauthorized
尝试使用远程 IIS 管理器添加机器密钥,但同样的事情发生了。
在 system.web 中引用此机器密钥 (web.config)
IIS上的认证方式如下
还是不行。显然我在这里遗漏了一些东西。
更新 我正在扩展基本身份验证。我稍后将过滤器应用于我的控制器操作(我从客户端访问的那个)
[MyBasicAuthenticationFilter]
public class DataController : RavenController { ... }
并在此自定义身份验证中。过滤有硬编码的用户名并通过
public class MyBasicAuthenticationFilter : BasicAuthenticationFilter
{
public MyBasicAuthenticationFilter()
{ }
public MyBasicAuthenticationFilter(bool active)
: base(active)
{ }
protected override bool OnAuthorizeUser(string username, string password, HttpActionContext actionContext)
{
if (username == "myuser" && password == "mypass")
return true;
else
return false;
}
}
从客户端(wpf 客户端)
client.BaseAddress = new Uri("http://mywebsite.com/");
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic",
Convert.ToBase64String(System.Text.ASCIIEncoding.ASCII.GetBytes(
string.Format("{0}:{1}", "myuser", "mypass"))));
我很困惑,因为相同的代码在本地主机上工作正常,但是当我发布代码并将此 client.BaseAddress 更改为我的实际网站时 url 它 returns 401 错误。
BasicAuthenticationFilter class 为 Encoding.Default Rick Strahl's Web Log uses the System's default encoding to extract the user credentials from the authorization header. As per the MSDN documentation 属性:
Different computers can use different encodings as the default, and the default encoding can even change on a single computer. Therefore, data streamed from one computer to another or even retrieved at different times on the same computer might be translated incorrectly. In addition, the encoding returned by the Default property uses best-fit fallback to map unsupported characters to characters supported by the code page. For these two reasons, using the default encoding is generally not recommended. To ensure that encoded bytes are decoded properly, you should use a Unicode encoding, such as UTF8Encoding or UnicodeEncoding, with a preamble. Another option is to use a higher-level protocol to ensure that the same format is used for encoding and decoding.
根据提供的信息,这是最有可能的代码行,它可能会根据您的代码部署到的服务器的配置给出不同的结果。
因此,我会考虑替换 BasicAuthenticationFilter class 的 ParseAuthorizationHeader 方法中的以下行:
authHeader = Encoding.Default.GetString(Convert.FromBase64String(authHeader));
使用以下代码:
Encoding iso88591 = Encoding.GetEncoding("iso-8859-1");
authHeader = iso88591.GetString(Convert.FromBase64String(authHeader));
iso-8859-1 将为您提供与所有发送基本身份验证的客户端的最佳兼容性 header。请参阅以下 Whosebug 问题,了解在执行 HTTP 基本身份验证时使用的推荐编码:What encoding should I use for HTTP Basic Authentication?
或者,如果您是唯一一个将从您的 WCF 客户端调用 API 的人,那么只需确保您使用与服务器相同的字符代码对用户名和密码进行编码将其解码。