我有一个自托管的 C# consol Web API。它为多个使用 AngularJS 执行异步 http 请求的 Web 应用程序提供服务。它需要同时支持 CORS 和 NTLM 身份验证。
我目前都启用了这两个功能,但看起来我实现它们的方式会导致它们自行取消。我相信这是由服务器最初的 401 响应造成的。这通常会导致两者之间进行身份验证握手,但在 Fiddler 中查看,这个初始 401 响应缺少 Access-Control-Allow-Origin 标记,这会导致浏览器放弃握手。我已经采用了一个应用程序并为它们提供了相同的主机名以禁用对 CORS 的需求,并且握手非常有效。我已通过将自定义 NtlmSelfHostConfiguration 替换为原始 HttpSelfHostConfiguration 来禁用 NTLM 身份验证,并且 Access-Control-Allow-Origin 标记完美执行以允许 CORS。只有当它们都处于事件状态时,事情才不起作用。
更新:我在我的 CorsHandle 中放置了一个不需要断点的请求,只是为了确保网络服务器可以在使用 NtlmSelfHostConfiguration 时实际调用它,并且成功命中。我只是想确保 NtlmSelfHostConfiguration 中没有任何内容会在物理上阻止 Corshandle 被调用。一切正常,显然我需要找到一种方法来调用 CorsHandle,即使是在身份验证失败的请求上也是如此。
这是我的实现:
程序.cs:
using System.Web.Http;
using System.Web.Http.Validation.Providers;
using System.Web.Http.SelfHost;
namespace DCMAPI
{
class Program
{
static void Main(string[] args)
{
string BaseAddress = "http://localhost:8080/";
//NtlmSelfHostConfiguration is defined in HttpSelfHostConfiguration.cs
//it inherits from HttpSelfHostConfiguration
//and enables Ntlm Authentication.
var config = new NtlmSelfHostConfiguration(BaseAddress);
config.Routes.MapHttpRoute(
"API Default",
"api/{controller}/{id}",
new { id = RouteParameter.Optional });
//CorsHandler is also defined in CorsHandler.cs. It is what enables CORS
config.MessageHandlers.Add(new CorsHandler());
var appXmlType =
config.Formatters.XmlFormatter.SupportedMediaTypes.FirstOrDefault
(t => t.MediaType == "application/xml");
config.Formatters.XmlFormatter.SupportedMediaTypes.Remove(appXmlType);
config.Services.RemoveAll
(typeof(System.Web.Http.Validation.ModelValidatorProvider),
v => v is InvalidModelValidatorProvider);
using (HttpSelfHostServer server = new HttpSelfHostServer(config))
{
server.OpenAsync().Wait();
Console.WriteLine("running");
Console.ReadLine();
}
}
}
}
NtlmSelfHostConfiguration.cs
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.SelfHost;
using System.Web.Http.SelfHost.Channels;
using System.ServiceModel;
using System.ServiceModel.Channels;
namespace DCMAPI
{
public class NtlmSelfHostConfiguration : HttpSelfHostConfiguration
{
public NtlmSelfHostConfiguration(string baseAddress)
: base(baseAddress)
{ }
public NtlmSelfHostConfiguration(Uri baseAddress)
: base(baseAddress)
{ }
protected override BindingParameterCollection OnConfigureBinding
(HttpBinding httpBinding)
{
httpBinding.Security.Mode =
HttpBindingSecurityMode.TransportCredentialOnly;
httpBinding.Security.Transport.ClientCredentialType =
HttpClientCredentialType.Ntlm;
return base.OnConfigureBinding(httpBinding);
}
}
}
CorsHandle.cs
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Net.Http;
using System.Threading.Tasks;
using System.Threading;
using System.Net;
namespace DCMAPI
{
public class CorsHandler : DelegatingHandler
{
const string Origin = "Origin";
const string AccessControlRequestMethod = "Access-Control-Request-Method";
const string AccessControlRequestHeaders = "Access-Control-Request-Headers";
const string AccessControlAllowOrigin = "Access-Control-Allow-Origin";
const string AccessControlAllowMethods = "Access-Control-Allow-Methods";
const string AccessControlAllowHeaders = "Access-Control-Allow-Headers";
protected override Task<HttpResponseMessage> SendAsync
(HttpRequestMessage request, CancellationToken cancellationToken)
{
bool isCorsRequest = request.Headers.Contains(Origin);
bool isPreflightRequest = request.Method == HttpMethod.Options;
if (isCorsRequest)
{
if (isPreflightRequest)
{
HttpResponseMessage response =
new HttpResponseMessage(HttpStatusCode.OK);
response.Headers.Add(AccessControlAllowOrigin,
request.Headers.GetValues(Origin).First());
string accessControlRequestMethod =
request.Headers.GetValues(AccessControlRequestMethod)
.FirstOrDefault();
if (accessControlRequestMethod != null)
{
response.Headers.Add(
AccessControlAllowMethods, accessControlRequestMethod);
}
string requestedHeaders = string.Join(", ",
request.Headers.GetValues(AccessControlRequestHeaders));
if (!string.IsNullOrEmpty(requestedHeaders))
{
response.Headers.Add(AccessControlAllowHeaders,
requestedHeaders);
}
TaskCompletionSource<HttpResponseMessage> tcs =
new TaskCompletionSource<HttpResponseMessage>();
tcs.SetResult(response);
return tcs.Task;
}
else
{
return base.SendAsync(request,
cancellationToken).ContinueWith<HttpResponseMessage>(t =>
{
HttpResponseMessage resp = t.Result;
resp.Headers.Add(
AccessControlAllowOrigin,
request.Headers.GetValues(Origin).First());
return resp;
});
}
}
else
{
return base.SendAsync(request, cancellationToken);
}
}
}
}
最佳答案
这可能有点晚了,我不确定它是否会对您有所帮助,但它可能会对希望同时启用 NTLM 和 CORS 的其他人有所帮助。
我正在为后端 REST API 使用 Web API 2。和用于前端的 AngularJS。
首先,由于您使用的是 NTLM,因此您的调用 XMLHttpRequest 必须发送凭据。在 AngularJs 中,您可以这样做:
$http.get(url, { withCredentials: true });
然后,您必须在后端启用 CORS(在 WebApiConfig.Register() 中):
var enableCorsAttribute = new EnableCorsAttribute("*", "*", "*")
{
SupportsCredentials = true
};
config.EnableCors(enableCorsAttribute);
SupportsCredentials = true 表示我们将在响应中添加 Access-Control-Allow-Credentials。
通配符意味着我们允许:
- 来自任何来源的 CORS
- 所有请求 header
- 任何 HTTP 动词(方法)
关于c# - 如何启用 CORS 支持和 NTLM 身份验证,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/16269365/