c# - Core 2 在 API Controller 上授权

标签 c# asp.net-mvc asp.net-core asp.net-core-webapi asp.net-core-2.0

我有一个 Web 应用程序,它是使用 .NET Core 2 MVC 和个人用户帐户构建的。该应用程序运行正常, Controller 上的授权运行良好,仅显示允许的 View 等。

这一切都是标准的,是在各种在线教程的指导下构建的。它没有做任何太聪明的事情,基本形式进行 CRUD 操作。

我想添加一些交换 JSON 到此应用程序的 REST 端点,并使用 JWT 作为授权(承载) header 授权端点。根据所有教程,这应该是相当简单的,因为它们已经组合在一起,但我似乎无法让任何东西工作。

似乎发生的情况是,MVC 授权覆盖了 JWTBearer 授权,因此我只能在登录 cookie 时访问 API 操作(我想将其路由为/api/{action})。

  1. 我需要 MVC 的东西在授权的情况下单独使用。效果很好。
  2. 我想在/api/{controller}/{action}/{id} 添加 API 端点我不介意这是在同一个 Controller 还是不同的 Controller
  3. 作为标准,/api 上的授权应该通过 JWT 不记名 token 和 MVC 内容通过登录 cookie。但是,两者都映射到同一用户 (ownerID)

谁能指出我正确的方向? 3 天来,我一直在尝试实现一个简单的 GET 方法,但总是碰壁。

编辑:进一步的测试揭示了一些有趣的东西。我已经安装了 Swagger 来测试请求。

我添加了第二个 Controller 来处理我的 API 方法。这是在 api/Races 上。该 Controller 将 JWTBearerDefaults 作为身份验证方案。

[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
[Route("api/[controller]")]
  • 如果我没有通过 MVC 应用程序登录,并且在没有不记名 token 的情况下发出请求,它会将我重定向到登录。
  • 如果我没有通过 MVC 应用程序登录,并使用(有效) token 发出请求,它会将我重定向到登录。
  • 当我通过 MVC 登录并在没有 Bearer token 的情况下执行我的请求时,我收到 401 Unauthorized(预期)
  • 当我(仍然)登录并使用有效的不记名 token 执行我的请求时,我会收到有效的响应。
  • 当我仍然登录并使用无效的不记名 token 执行我的请求时,我收到 401 未经授权(预期)

所以看起来它是使用Token认证作为第二层授权。我希望它做的是,在/api Controller 上,将其用作唯一的授权方法。

这是我的 startup.cs

中的代码 
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using TechsportiseOnline.Data;
using TechsportiseOnline.Models;
using TechsportiseOnline.Services;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.Authorization;
using TechsportiseOnline.Authorization;
using TechsportiseOnline.Helpers;
using Swashbuckle.AspNetCore.Swagger;
using System.IO;
using Microsoft.Extensions.PlatformAbstractions;
using static TechsportiseOnline.Helpers.Swagger;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using System.Text;

namespace TechsportiseOnline
{
    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddDbContext<ApplicationDbContext>(options =>
                options.UseSqlServer(Configuration.GetConnectionString("TechsportiseDB")));
                                                        //options.UseInMemoryDatabase("Teschsportise"));

            services.AddIdentity<ApplicationUser, IdentityRole>(config =>
                {
                    config.SignIn.RequireConfirmedEmail = true;
                })
                .AddEntityFrameworkStores<ApplicationDbContext>()
                .AddDefaultTokenProviders();

            services.Configure<IdentityOptions>(options =>
            {
                // Password settings
                options.Password.RequireDigit = true;
                options.Password.RequiredLength = 6;
                options.Password.RequireNonAlphanumeric = false;
                options.Password.RequireUppercase = false;
                options.Password.RequireLowercase = false;
                options.Password.RequiredUniqueChars = 2;

                // Lockout settings
                options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(30);
                options.Lockout.MaxFailedAccessAttempts = 10;
                options.Lockout.AllowedForNewUsers = true;

                // User settings
                options.User.RequireUniqueEmail = true;
            });

            services.Configure<AuthMessageSenderOptions>(Configuration);

            services.ConfigureApplicationCookie(options =>
            {
                // Cookie settings
                options.Cookie.HttpOnly = true;
                options.Cookie.Expiration = TimeSpan.FromDays(150);
                options.LoginPath = "/Account/Login"; // If the LoginPath is not set here, ASP.NET Core will default to /Account/Login
                options.LogoutPath = "/Account/Logout"; // If the LogoutPath is not set here, ASP.NET Core will default to /Account/Logout
                options.AccessDeniedPath = "/Account/AccessDenied"; // If the AccessDeniedPath is not set here, ASP.NET Core will default to /Account/AccessDenied
                options.SlidingExpiration = true;
            });

            // Add application services.
            services.AddTransient<IEmailSender, Email>();
            //services.AddTransient<ICreateContact>();
            //services.AddTransient<IUpdateContact>();

            services.AddSwaggerGen(c =>
            {
                c.SwaggerDoc("v1", new Info { Title = "Techsportise API", Version = "v1" });
                c.OperationFilter<AddRequiredHeaderParameter>();
                var filePath = Path.Combine(PlatformServices.Default.Application.ApplicationBasePath, "Techsportise.xml");
                c.IncludeXmlComments(filePath);
            });

            services.Configure<JWTSettings>(Configuration.GetSection("JWTSettings"));


            services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.RequireHttpsMetadata = false;
                options.IncludeErrorDetails = true;

                var secretKey = Configuration.GetSection("JWTSettings:SecretKey").Value;
                var signingKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(secretKey));

                options.TokenValidationParameters = new TokenValidationParameters
                {

                    ValidateIssuer = true,
                    ValidIssuer = Configuration.GetSection("JWTSettings:Issuer").Value,
                    ValidateAudience = true,
                    ValidAudience = Configuration.GetSection("JWTSettings:Audience").Value,
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = signingKey,

                };
            });

            services.AddMvc();

            var skipSSL = Configuration.GetValue<bool>("LocalTest:skipSSL");
            // requires using Microsoft.AspNetCore.Mvc;
            services.Configure<MvcOptions>(options =>
            {
                // Set LocalTest:skipSSL to true to skip SSL requrement in 
                // debug mode. This is useful when not using Visual Studio.
                if (!skipSSL)
                {
                    options.Filters.Add(new RequireHttpsAttribute());
                }
            });


            services.AddMvc(config =>
            {
                var policy = new AuthorizationPolicyBuilder()
                                 .RequireAuthenticatedUser()
                                 .Build();
                config.Filters.Add(new AuthorizeFilter(policy));
            });

            services.AddScoped<IAuthorizationHandler,
                      OwnerRaceAuthorizationHandler>();

            services.AddSingleton<IAuthorizationHandler,
                                  AdminRaceAuthorizationHandler>();

            services.AddScoped<IAuthorizationHandler,
                      OwnerRaceEntriesAuthorizationHandler>();

            services.AddSingleton<IAuthorizationHandler,
                                  AdminRaceEntriesAuthorizationHandler>();

        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
                app.UseBrowserLink();
                app.UseDatabaseErrorPage();
            }
            else
            {
                app.UseExceptionHandler("/Home/Error");
            }

            app.UseStaticFiles();

            app.UseAuthentication();

            app.UseMvc(routes =>
            {
                routes.MapRoute(
                    name: "default",
                    template: "{controller=Home}/{action=Index}/{id?}");
            });

            // Enable middleware to serve generated Swagger as a JSON endpoint.
            app.UseSwagger();

            // Enable middleware to serve swagger-ui (HTML, JS, CSS etc.), specifying the Swagger JSON endpoint.
            app.UseSwaggerUI(c =>
            {
                c.SwaggerEndpoint("/swagger/v1/swagger.json", "Techsportise API V1");
            });


        }
    }
}

已更新 startup.cs 以反射(reflect)评论中的更改。

using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using TechsportiseOnline.Data;
using TechsportiseOnline.Models;
using TechsportiseOnline.Services;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.Authorization;
using TechsportiseOnline.Authorization;
using TechsportiseOnline.Helpers;
using Swashbuckle.AspNetCore.Swagger;
using System.IO;
using Microsoft.Extensions.PlatformAbstractions;
using static TechsportiseOnline.Helpers.Swagger;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using System.Text;

namespace TechsportiseOnline
{
    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddDbContext<ApplicationDbContext>(options =>
                options.UseSqlServer(Configuration.GetConnectionString("TechsportiseDB")));
                                                        //options.UseInMemoryDatabase("Teschsportise"));

            services.AddIdentity<ApplicationUser, IdentityRole>(config =>
                {
                    config.SignIn.RequireConfirmedEmail = true;
                })
                .AddEntityFrameworkStores<ApplicationDbContext>()
                .AddDefaultTokenProviders();

            services.Configure<IdentityOptions>(options =>
            {
                // Password settings
                options.Password.RequireDigit = true;
                options.Password.RequiredLength = 6;
                options.Password.RequireNonAlphanumeric = false;
                options.Password.RequireUppercase = false;
                options.Password.RequireLowercase = false;
                options.Password.RequiredUniqueChars = 2;

                // Lockout settings
                options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(30);
                options.Lockout.MaxFailedAccessAttempts = 10;
                options.Lockout.AllowedForNewUsers = true;

                // User settings
                options.User.RequireUniqueEmail = true;
            });

            services.Configure<AuthMessageSenderOptions>(Configuration);

            //services.ConfigureApplicationCookie(options =>
            //{
            //    // Cookie settings
            //    options.Cookie.HttpOnly = true;
            //    options.Cookie.Expiration = TimeSpan.FromDays(150);
            //    options.LoginPath = "/Account/Login"; // If the LoginPath is not set here, ASP.NET Core will default to /Account/Login
            //    options.LogoutPath = "/Account/Logout"; // If the LogoutPath is not set here, ASP.NET Core will default to /Account/Logout
            //    options.AccessDeniedPath = "/Account/AccessDenied"; // If the AccessDeniedPath is not set here, ASP.NET Core will default to /Account/AccessDenied
            //    options.SlidingExpiration = true;
            //});

            // Add application services.
            services.AddTransient<IEmailSender, Email>();
            //services.AddTransient<ICreateContact>();
            //services.AddTransient<IUpdateContact>();

            services.AddSwaggerGen(c =>
            {
                c.SwaggerDoc("v1", new Info { Title = "Techsportise API", Version = "v1" });
                c.OperationFilter<AddRequiredHeaderParameter>();
                var filePath = Path.Combine(PlatformServices.Default.Application.ApplicationBasePath, "Techsportise.xml");
                c.IncludeXmlComments(filePath);
            });

            services.Configure<JWTSettings>(Configuration.GetSection("JWTSettings"));


            //services.AddAuthentication()
            //    .AddCookie()
            //    .AddJwtBearer(options =>
            //    {
            //        options.RequireHttpsMetadata = false;
            //        options.IncludeErrorDetails = true;

            //        var secretKey = Configuration.GetSection("JWTSettings:SecretKey").Value;
            //        var signingKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(secretKey));

            //        options.TokenValidationParameters = new TokenValidationParameters
            //        {

            //            ValidateIssuer = true,
            //            ValidIssuer = Configuration.GetSection("JWTSettings:Issuer").Value,
            //            ValidateAudience = true,
            //            ValidAudience = Configuration.GetSection("JWTSettings:Audience").Value,
            //            ValidateIssuerSigningKey = true,
            //            IssuerSigningKey = signingKey,

            //        };
            //    });

            services.AddAuthentication()
                .AddCookie() 
                .AddJwtBearer(options =>
                {
                    options.Audience = "xyz";
                    options.Authority = "yzx";
                });

            services.AddMvc();

            var skipSSL = Configuration.GetValue<bool>("LocalTest:skipSSL");
            // requires using Microsoft.AspNetCore.Mvc;
            services.Configure<MvcOptions>(options =>
            {
                // Set LocalTest:skipSSL to true to skip SSL requrement in 
                // debug mode. This is useful when not using Visual Studio.
                if (!skipSSL)
                {
                    options.Filters.Add(new RequireHttpsAttribute());
                }
            });


            services.AddMvc(config =>
            {
                var policy = new AuthorizationPolicyBuilder()
                                 .RequireAuthenticatedUser()
                                 .Build();
                config.Filters.Add(new AuthorizeFilter(policy));
            });

            services.AddScoped<IAuthorizationHandler,
                      OwnerRaceAuthorizationHandler>();

            services.AddSingleton<IAuthorizationHandler,
                                  AdminRaceAuthorizationHandler>();

            services.AddScoped<IAuthorizationHandler,
                      OwnerRaceEntriesAuthorizationHandler>();

            services.AddSingleton<IAuthorizationHandler,
                                  AdminRaceEntriesAuthorizationHandler>();

        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
                app.UseBrowserLink();
                app.UseDatabaseErrorPage();
            }
            else
            {
                app.UseExceptionHandler("/Home/Error");
            }

            app.UseStaticFiles();


            app.UseAuthentication();

            app.UseMvc(routes =>
            {
                routes.MapRoute(
                    name: "default",
                    template: "{controller=Home}/{action=Index}/{id?}");
            });

            // Enable middleware to serve generated Swagger as a JSON endpoint.
            app.UseSwagger();

            // Enable middleware to serve swagger-ui (HTML, JS, CSS etc.), specifying the Swagger JSON endpoint.
            app.UseSwaggerUI(c =>
            {
                c.SwaggerEndpoint("/swagger/v1/swagger.json", "Techsportise API V1");
            });


        }
    }
}

添加了一个全新的 TestController,复制您的代码。

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;

namespace TechsportiseOnline.Controllers
{
    public class TestController : Controller
    {
        [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)] //Based on Scheme it will auth, for cookie mention [Authorize(AuthenticationSchemes = CookieAuthenticationDefaults.AuthenticationScheme)]
        [Route("api/[controller]")]
        public IActionResult About()
        {
            ViewData["Message"] = "Your application description page.";
            return View();
        }
    }
}

最佳答案

您的意思是,无需登录就可以通过有效 token 发出请求?您可以通过在 ConfigureServices() 级别删除 cookie 身份验证方案或 JWTbearer 方案来实现此目的。

services.AddAuthentication(   // no Authenticationschemes mentioned here  )
                .AddCookie() //CookieAuthentication
                .AddJwtBearer(options =>
                {
                    options.Audience = "xyz";
                    options.Authority = "yzx";
                });

如果您有有效的 token ,那么无需登录,您就可以点击任何 mvc Controller 或 web api Controller ,而无需重定向到任何登录页面。喜欢;

        [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)] //Based on Scheme it will auth, for cookie mention [Authorize(AuthenticationSchemes = CookieAuthenticationDefaults.AuthenticationScheme)]
        public IActionResult About()
        {
            ViewData["Message"] = "Your application description page.";
            return View();
        }

关于c# - Core 2 在 API Controller 上授权,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/46711593/

上一篇:c# - 将 cefsharp 浏览器与 nancy 托管的 Angular 网络应用程序连接时遇到问题

下一篇:c# - ASP.NET Core多个dbcontext无法添加迁移

相关文章:

c# - LINQ最适用于哪些场景?

c# - 创建接受从参数类型(多态参数)派生的任何类型的参数的操作

javascript - 将 JavaScript 变量添加到模型中

c# - 升级到 .Net Core 2.1 后,IWebHost.Build() 未调用 Startup.Configure()

c# - Web Essentials 浏览器链接在 asp mvc 6 项目中不起作用

c# - 如何在使用 foreach 语句循环 winform 控件时更改循环序列

javascript - 客户端本地化

asp.net-mvc - ASP.NET 成员(member) : Custom Profile Inheritance

entity-framework - 如何升级 EF Core 工具

asp.net - 增加最大值asp.net 5 (vNext) 中的请求长度

©2024 IT工具网  联系我们