IIS7 中的自定义基本身份验证失败
我有一个 ASP.NET MVC 应用程序,其中包含一些 RESTful 服务,我试图使用自定义基本身份验证来保护这些服务(它们根据我自己的数据库进行身份验证)。我通过编写 HTTPModule 来实现这一点。
我有一个方法附加到 HttpApplication.AuthenticateRequest 事件,在身份验证失败的情况下调用此方法: 此
private static void RejectWith401(HttpApplication app)
{
app.Response.StatusCode = 401;
app.Response.StatusDescription = "Access Denied";
app.CompleteRequest();
}
方法附加到 HttpApplication.EndRequest 事件:
public void OnEndRequest(object source, EventArgs eventArgs)
{
var app = (HttpApplication) source;
if (app.Response.StatusCode == 401)
{
string val = String.Format("Basic Realm=\"{0}\"", "MyCustomBasicAuthentication");
app.Response.AppendHeader("WWW-Authenticate", val);
}
}
此代码添加“WWW-Authenticate”标头,告诉浏览器抛出弹出登录对话框。当我使用 Visual Studio 的 Web 服务器进行本地调试时,这非常有效。但是当我在IIS7中运行它时,它失败了。
对于 IIS7,我将内置身份验证模块全部关闭,除了匿名。它仍然返回 HTTP 401 响应,但似乎正在删除 WWW-Authenticate 标头。
有什么想法吗?
I have an ASP.NET MVC application, with some RESTful services that I'm trying to secure using custom basic authentication (they are authenticated against my own database). I have implemented this by writing an HTTPModule.
I have one method attached to the HttpApplication.AuthenticateRequest event, which calls this method in the case of authentication failure:
private static void RejectWith401(HttpApplication app)
{
app.Response.StatusCode = 401;
app.Response.StatusDescription = "Access Denied";
app.CompleteRequest();
}
This method is attached to the HttpApplication.EndRequest event:
public void OnEndRequest(object source, EventArgs eventArgs)
{
var app = (HttpApplication) source;
if (app.Response.StatusCode == 401)
{
string val = String.Format("Basic Realm=\"{0}\"", "MyCustomBasicAuthentication");
app.Response.AppendHeader("WWW-Authenticate", val);
}
}
This code adds the "WWW-Authenticate" header which tells the browser to throw up the login dialog. This works perfectly when I debug locally using Visual Studio's web server. But it fails when I run it in IIS7.
For IIS7 I have the built-in authentication modules all turned off, except anonymous. It still returns an HTTP 401 response, but it appears to be removing the WWW-Authenticate header.
Any ideas?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
我想通了。问题是我将此模块命名为“BasicAuthenticationModule”,它与 IIS 内置的另一个模块冲突。一旦我重命名了该模块,一切就正常了!
I figured it out. The problem was that I named this module, "BasicAuthenticationModule" which conflicted with another module IIS had built in. Once I renamed the module things worked just fine!
即使您可以正常工作,还需要考虑其他事项:
http://wcfrestcontrib.codeplex.com/wikipage?title=Web%20Authentication%20Overview&referringTitle=Home
Even though you have it working, this is something else to consider:
http://wcfrestcontrib.codeplex.com/wikipage?title=Web%20Authentication%20Overview&referringTitle=Home