ASP.NET WebApi FormsAuthentication 401(未经授权)问题

Question

我一直在学习ASP.Net WebApi中的授权是如何工作的,我在另一个帖子(ASP.NET Web API身份验证)中遇到了Darin Dimitrov的答案,我需要一些帮助来理解为什么我会得到401.

遵循Darin的代码,我创建了一个WebApi项目并添加了以下控制器和模型:

AccountController.cs

using System.Web.Http;
using System.Web.Security;
using AuthTest.Models;

namespace AuthTest.Controllers
{
    public class AccountController : ApiController
    {
        public bool Post(LogOnModel model)
        {
            if (model.Username == "john" && model.Password == "secret")
            {
                FormsAuthentication.SetAuthCookie(model.Username, false);
                return true;
            }

            return false;
        }
    }
}

UsersController.cs

using System.Web.Http;

namespace AuthTest.Controllers
{
    [Authorize]
    public class UsersController : ApiController
    {
        public string Get()
        {
            return "This is top secret material that only authorized users can see";
        }
    }
}

LogOnModel.cs

namespace AuthTest.Models
{
    public class LogOnModel
    {
        public string Username { get; set; }
        public string Password { get; set; }
    }
}

我创建了一个Web窗体应用程序,其中包含两个按钮和一个用于测试的标签.

Default.aspx.cs

using System;
using System.Net.Http;
using System.Threading;

namespace AuthTestWebForms
{
    public partial class _Default : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
        }

        protected void ButtonAuthorizeClick(object sender, EventArgs e)
        {
            using (var httpClient = new HttpClient())
            {
                var response = httpClient.PostAsJsonAsync(
                    "http://localhost/authtest/api/account",
                    new { username = "john", password = "secret" },
                    CancellationToken.None
                ).Result;
                response.EnsureSuccessStatusCode();

                bool success = response.Content.ReadAsAsync<bool>().Result;
                if (success)
                {
                    //LabelResponse.Text = @"Credentials provided";
                    var secret = httpClient.GetStringAsync("http://localhost/authtest/api/users");
                    LabelResponse.Text = secret.Result;
                }
                else
                {
                    LabelResponse.Text = @"Sorry, you provided the wrong credentials";
                }
            }
        }

        protected void ButtonTestAuthClick(object sender, EventArgs e)
        {
            using (var httpClient = new HttpClient())
            {
                var secret = httpClient.GetStringAsync("http://localhost/authtest/api/users");
                LabelResponse.Text = secret.Result;
            }
        }
    }
}

当我单击按钮并运行ButtonAuthorizeClick()时,它会触发Account的控制器,然后为用户激活控制器,一切都很好.

如果我然后单击ButtonTestAuthClick(),我会收到401(未授权)错误.

当我在Chrome或FireFox中查找ASPXAUTH cookie时,我没有看到它,所以我不能100%确定为什么ButtonAuthorizeClick()有效以及我需要做什么来使ButtonTestAuthClick()工作.

感谢任何人可以帮助我的任何帮助.

Answer 1

我遇到了类似的问题,但不是通过Web窗体客户端页面,而是使用JavaScript和AJAX调用.事实证明我已经离开了在"无"的web.config中的身份验证模式.显然,您必须在此处打开Forms Authentication才能使FormsAuthentication.SetAuthCookie()方法产生任何效果.

<authentication mode="Forms" />

一旦我解决了这个疏忽,一切都开始正常.:-)