use*_*776 8 c# asp.net authentication authorization asp.net-web-api
我已经创建了一个MVC webApi项目,现在我想使用身份验证和授权.我认为我已经实现了这种安全性,但由于某些原因,一些事情变得糟糕,当我编写我的凭据并尝试调用一些webApi方法时,会显示消息"此请求已被拒绝授权".
这是我实现的代码.
WebApiConfig:
public static void Register(HttpConfiguration config)
{
// Web API configuration and services
// Web API routes
config.MapHttpAttributeRoutes();
config.Routes.MapHttpRoute(
name: "DefaultApi",
routeTemplate: "api/{controller}/{id}",
defaults: new { id = RouteParameter.Optional }
);
config.Filters.Add(new AuthorizeAttribute());
}
路由配置:
public static void RegisterRoutes(RouteCollection routes)
{
routes.IgnoreRoute("{resource}.axd/{*pathInfo}");
routes.MapRoute(
name: "Default",
url: "{controller}/{action}/{id}",
defaults: new { controller = "Routing", action = "LogIn", id = UrlParameter.Optional }
);
}
控制器:
public class RoutingController : Controller
{
//
// GET: /Routing/
public ActionResult Index()
{
return View();
}
public ActionResult Projects()
{
return View();
}
public ActionResult Users()
{
return View();
}
public ActionResult LogIn()
{
return View();
}
[HttpPost]
public JsonResult LogInPost(string userName, string password)
{
User user = new User();
RoleByUser rByU = new RoleByUser();
password = UserController.EncriptPassword(password);
string url = string.Empty;
var checkUser = user.Get(userName);
var userExists = (from userInList in checkUser where userInList.UserName == userName && userInList.Password == password select userInList).FirstOrDefault();
if(userExists!= null)
{
var roles = (from roleByUser in userExists.listOfRole select roleByUser.RoleName.Trim()).ToArray();
IPrincipal principal = new GenericPrincipal(
new GenericIdentity(userExists.UserName), roles);
SetPrincipal(principal);
url = "Routing/Users";
}
return Json(url);
}
private void SetPrincipal(IPrincipal principal)
{
Thread.CurrentPrincipal = principal;
if (System.Web.HttpContext.Current != null)
{
System.Web.HttpContext.Current.User = principal;
}
}
}
HTML:
<link href="~/css/Style.css" rel="stylesheet" type="text/css" />
<div class="container">
<div class="card card-container">
<img id="STK" class="profile-img-card" src="Images/Softtek.png" />
<p id="profile-name" class="profile-name-card"></p>
<form class="form-signin">
<span id="reauth-email" class="reauth-email"></span>
<input type="text" id="txtUserName" class="form-control" placeholder="Email address" required autofocus />
<input type="password" id="txtPassword" class="form-control" placeholder="Password" required />
<div id="remember" class="checkbox">
<label>
<input type="checkbox" value="remember-me" /> Remember me
</label>
</div>
@*<button id="btnLogIn" class="btn btn-lg btn-primary btn-block btn-signin" >Sing In</button>*@
</form><!-- /form -->
<button id="btnLogIn" class="btn btn-lg btn-primary">Sing In</button>
<a href="#" class="forgot-password">
Forgot the password?
</a>
</div><!-- /card-container -->
</div><!-- /container -->
JS:
$(document).ready(function(){$('#btnLogIn').click(logIn);});
function logIn() {
$.ajax({
type: "POST",
url: "http://localhost:21294/Routing/LogInPost",
dataType: "json",
data: { userName: $('#txtUserName').val(), password: $('#txtPassword').val() },
success: function (data) {
if(data!= "" && data!= undefined && data!= null)
window.location.href = data;
},
error: function (err, e, error) {
toastr.error('Error')
}
});
Jon*_*ase 12
您应该将[AllowAnonymous]属性添加到Controller中LogInPost
当您将AuthorizeAttribute过滤器添加到过滤器时,它会导致您的控制器假定所有操作(包括用于登录的操作)都需要默认授权.