问题:
从ASP.NET Core 1.1 MVC迁移到2.0后,自定义cookie身份验证不起作用
孙俊彦
日志文件中的一个示例摘录(John Smith无权访问他试图访问的控制器操作):
2018-01-02 19:58:23 [DBG] Request successfully matched the route with name '"modules"' and template '"m/{ModuleName}"'.
2018-01-02 19:58:23 [DBG] Executing action "Team.Controllers.ModulesController.Index (Team)"
2018-01-02 19:58:23 [INF] Authorization failed for user: "John Smith".
2018-01-02 19:58:23 [INF] Authorization failed for the request at filter '"Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter"'.
2018-01-02 19:58:23 [INF] Executing ForbidResult with authentication schemes ([]).
2018-01-02 19:58:23 [INF] Executed action "Team.Controllers.ModulesController.Index (Team)" in 146.1146ms
2018-01-02 19:58:23 [DBG] System.InvalidOperationException occurred, checking if Entity Framework recorded this exception as resulting from a failed database operation.
2018-01-02 19:58:23 [DBG] Entity Framework did not record any exceptions due to failed database operations. This means the current exception is not a failed Entity Framework database operation, or the current exception occurred from a DbContext that was not obtained from request services.
2018-01-02 19:58:23 [ERR] An unhandled exception has occurred while executing the request
System.InvalidOperationException: No authenticationScheme was specified, and there was no DefaultForbidScheme found.
at Microsoft.AspNetCore.Authentication.AuthenticationService.<ForbidAsync>d__12.MoveNext()
...
我使用自定义cookie身份验证,作为中间件实现。下面是我的startup.cs(app.useteamauthentication()是对中间件的调用):
public class Startup
{
public Startup(IHostingEnvironment env)
{
var builder = new ConfigurationBuilder()
.SetBasePath(env.ContentRootPath)
.AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
.AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true);
builder.AddEnvironmentVariables();
Configuration = builder.Build();
}
public IConfigurationRoot Configuration { get; }
public void ConfigureServices(IServiceCollection services)
{
services.Configure<MyAppOptions>(Configuration);
services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();
services.AddDbContext<ApplicationDbContext>(options => options
.ConfigureWarnings(warnings => warnings.Throw(CoreEventId.IncludeIgnoredWarning))
.ConfigureWarnings(warnings => warnings.Throw(RelationalEventId.QueryClientEvaluationWarning)));
services.AddAuthorization(options =>
{
options.AddPolicy(Security.TeamAdmin, policyBuilder => policyBuilder.RequireClaim(ClaimTypes.Role, Security.TeamAdmin));
options.AddPolicy(Security.SuperAdmin, policyBuilder => policyBuilder.RequireClaim(ClaimTypes.Role, Security.SuperAdmin));
});
services.AddDistributedMemoryCache();
services.AddSession(options =>
{
options.IdleTimeout = System.TimeSpan.FromMinutes(5);
options.Cookie.HttpOnly = true;
});
services.AddMvc()
.AddJsonOptions(options => options.SerializerSettings.ContractResolver = new DefaultContractResolver())
.AddViewLocalization(
LanguageViewLocationExpanderFormat.SubFolder,
options => { options.ResourcesPath = "Resources"; })
.AddDataAnnotationsLocalization();
services.Configure<RequestLocalizationOptions>(options =>
{
options.DefaultRequestCulture = new RequestCulture("en-US");
options.SupportedCultures = TeamConfig.SupportedCultures;
options.SupportedUICultures = TeamConfig.SupportedCultures;
options.RequestCultureProviders.Insert(0, new MyCultureProvider(options.DefaultRequestCulture));
});
services.AddScoped<IViewLists, ViewLists>();
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
loggerFactory.AddConsole(Configuration.GetSection("Logging"));
loggerFactory.AddDebug();
Log.Logger = new LoggerConfiguration()
.MinimumLevel.Debug()
.WriteTo.File("log.txt", outputTemplate: "{Timestamp:yyyy-MM-dd HH:mm:ss} [{Level:u3}] {Message}{NewLine}{Exception}")
.CreateLogger();
loggerFactory.AddSerilog();
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
app.UseDatabaseErrorPage();
}
bool UseHttps = Configuration.GetValue("Https", false);
if (UseHttps)
{
app.UseRewriter(new RewriteOptions().AddRedirectToHttps());
}
app.UseStaticFiles();
app.UseTeamDatabaseSelector();
app.UseTeamAuthentication();
var localizationOptions = app.ApplicationServices.GetService<IOptions<RequestLocalizationOptions>>();
app.UseRequestLocalization(localizationOptions.Value);
app.UseSession();
app.UseMvc(routes =>
{
routes.MapRoute(
name: "modules",
template: "m/{ModuleName}",
defaults: new { controller = "Modules", action = "Index" }
);
routes.MapRoute(
name: "actions",
template: "a/{action}",
defaults: new { controller = "Actions" }
);
routes.MapRoute(
name: "modules_ex",
template: "mex/{action}",
defaults: new { controller = "ModulesEx" }
);
routes.MapRoute(
name: "default",
template: "{controller=Home}/{action=Index}/{id?}");
});
}
}
中间件如下所示:
public class TeamAuthentication
{
private readonly RequestDelegate next;
private readonly ILogger<TeamAuthentication> logger;
public TeamAuthentication(RequestDelegate _next, ILogger<TeamAuthentication> _logger)
{
next = _next;
logger = _logger;
}
public async Task Invoke(HttpContext context, ApplicationDbContext db)
{
if (TeamConfig.AuthDebug)
{
logger.LogDebug("Auth-Invoke: " + context.Request.Path);
}
const string LoginPath = "/Login";
const string LoginPathTimeout = "/Login?timeout";
const string LogoutPath = "/Logout";
bool Login =
(context.Request.Path == LoginPath ||
context.Request.Path == LoginPathTimeout);
bool Logout = (context.Request.Path == LogoutPath);
string TokenContent = context.Request.Cookies["t"];
bool DatabaseSelected = context.Items["ConnectionString"] != null;
bool Authenticated = false;
bool SessionTimeout = false;
// provjera tokena
if (!Login && !Logout && DatabaseSelected && TokenContent != null)
{
try
{
var token = await Security.CheckToken(db, logger, TokenContent, context.Response);
if (token.Status == Models.TokenStatus.OK)
{
Authenticated = true;
context.Items["UserID"] = token.UserID;
List<Claim> userClaims = new List<Claim>();
var person = await db.Person.AsNoTracking()
.Where(x => x.UserID == token.UserID)
.FirstOrDefaultAsync();
if (person != null)
{
var emp = await db.Employee.AsNoTracking()
.Where(x => x.PersonID == person.ID)
.FirstOrDefaultAsync();
if (emp != null)
{
context.Items["EmployeeID"] = emp.ID;
}
}
string UserName = "";
if (person != null && person.FullName != null)
{
UserName = person.FullName;
}
else
{
var user = await db.User.AsNoTracking()
.Where(x => x.ID == token.UserID)
.Select(x => new { x.Login }).FirstOrDefaultAsync();
UserName = user.Login;
}
context.Items["UserName"] = UserName;
userClaims.Add(new Claim(ClaimTypes.Name, UserName));
if ((token.Roles & (int)Security.TeamRoles.TeamAdmin) == (int)Security.TeamRoles.TeamAdmin)
{
userClaims.Add(new Claim(ClaimTypes.Role, Security.TeamAdmin));
}
if ((token.Roles & (int)Security.TeamRoles.SuperAdmin) == (int)Security.TeamRoles.SuperAdmin)
{
userClaims.Add(new Claim(ClaimTypes.Role, Security.TeamAdmin));
userClaims.Add(new Claim(ClaimTypes.Role, Security.SuperAdmin));
}
ClaimsPrincipal principal = new ClaimsPrincipal(new ClaimsIdentity(userClaims, "local"));
context.User = principal;
}
else if (token.Status == Models.TokenStatus.Expired)
{
SessionTimeout = true;
}
}
catch (System.Exception ex)
{
logger.LogCritical(ex.Message);
}
}
if (Login || (Logout && DatabaseSelected) || Authenticated)
{
await next.Invoke(context);
}
else
{
if (Utility.IsAjaxRequest(context.Request))
{
if (TeamConfig.AuthDebug)
{
logger.LogDebug("Auth-Invoke => AJAX 401");
}
context.Response.StatusCode = 401;
context.Response.Headers.Add(SessionTimeout ? "X-Team-Timeout" : "X-Team-Login", "1");
}
else
{
string RedirectPath = SessionTimeout ? LoginPathTimeout : LoginPath;
if (TeamConfig.AuthDebug)
{
logger.LogDebug("Auth-Invoke => " + RedirectPath);
}
context.Response.Redirect(RedirectPath);
}
}
}
}
}
public class TeamAuthentication
{
private readonly RequestDelegate next;
private readonly ILogger<TeamAuthentication> logger;
public async Task Invoke(HttpContext context, ApplicationDbContext db)
{
// preparatory actions...
var token = await Security.CheckToken(db, logger, TokenContent, context.Response);
if (token.Status == Models.TokenStatus.OK)
{
List<Claim> userClaims = new List<Claim>();
string UserName = "";
// find out the UserName...
userClaims.Add(new Claim(ClaimTypes.Name, UserName));
if ((token.Roles & (int)Security.TeamRoles.TeamAdmin) == (int)Security.TeamRoles.TeamAdmin)
{
userClaims.Add(new Claim(ClaimTypes.Role, Security.TeamAdmin));
}
if ((token.Roles & (int)Security.TeamRoles.SuperAdmin) == (int)Security.TeamRoles.SuperAdmin)
{
userClaims.Add(new Claim(ClaimTypes.Role, Security.TeamAdmin));
userClaims.Add(new Claim(ClaimTypes.Role, Security.SuperAdmin));
}
ClaimsPrincipal principal = new ClaimsPrincipal(new ClaimsIdentity(userClaims, "local"));
}
// ...
这是我授权访问控制器的方式:
namespace Team.Controllers
{
[Authorize(Policy = Security.TeamAdmin)]
public class ModulesController : Controller
{
// ...
我试图通过Google-ing来研究这个问题,并找到了https://docs.microsoft.com/en-us/aspnet/core/migration/1x-to-2x/identity-2x等文章,但它们并没有帮助我解决这个问题。
共有1个答案
晏阳飙
由于您可能希望切换到内置的基于角色的授权,而不是使用您自己的自定义策略授权,因此一定会有一些您没有想到的情况由它来处理(避免重新发明轮子:)。
对于身份验证,您应该使用以下方法设置cookie身份验证方案
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
.AddCookie();
请在此处阅读它为没有ASP.NET标识的自定义方案提供的设置。
类似资料:
-
我有一个基于Java/Spring的web应用程序,它使用Oracle11g。当前,用户在登录时直接通过用户名/密码对系统表进行身份验证。 这不得不改变,所以我们创建了一个(常规的)新表,在那里存储所有的用户数据。我们将所有现有密码插入到新创建的表中。然而,密码似乎是以本站点描述的方式加密/散列的 我使用了ora_hash和dbms_obfuscation_toolkit.desdecrypt,但
-
我正在尝试将wildfly身份验证迁移到elytron,并且除了一个问题之外,几乎所有内容都可以按照我想要的方式工作。 我们正在使用quartz调度程序运行作业。这些作业不受调用方原则的约束。使用 我能够将原则传播到以下EJB调用。这不再有效,原则始终是“匿名”。有没有一种方法可以对Elytron做同样的事情?
-
问题内容: 我正在使用sencha touch,HTML5和phonegap作为包装的移动Web应用程序。 我正在使用PHP身份验证(Cookie)和ajax请求。一切都可以在Safari或chrome上正常运行,但是在通过phonegap(webview)进行部署后,它不再起作用了… 任何帮助,将不胜感激 :) 一些更多的细节: 我的应用程序的所有数据都通过ajax请求加载到服务器组件“ mob
-
问题内容: 这是我的情况: 一个Web应用程序对许多应用程序执行某种SSO 登录的用户,而不是单击链接,该应用就会向正确的应用发布包含用户信息(名称,pwd [无用],角色)的帖子 我正在其中一个应用程序上实现SpringSecurity以从其功能中受益(会话中的权限,其类提供的方法等) 因此,我需要开发一个 自定义过滤器 -我猜想-能够从请求中检索用户信息,通过自定义 DetailsUserSe
-
问题内容: 我可以使用Google帐户在AppEngine中对用户进行身份验证的方式非常好。 但是,我需要使用 自定义的身份验证登录系统 。 我将有一个AppUsers表,其中包含用户名和加密密码。 我阅读了有关gae会话的内容,但在启动应用安全性方面需要帮助。 如何跟踪经过身份验证的用户会话?设置cookie? 初学者。 问题答案: 您可以使用cookie来做到这一点……其实并不难。您可以使用C
-
我在spring MVC项目中实现了一个自定义身份验证提供程序。在我自己的重载authenticate()方法中,我实现了自己的身份验证,其中我构造了自己的UserPasswordAuthenticationToken()并返回对象。 现在,上述对象“UserPasswordAuthentictionToken”中的用户ID被匿名化,密码为null,权限设置为授予该用户的权限。 问题: 这是否会导