我正在尝试与ASP.Net Core 3.0 Web Api项目一起使用基于cookie的身份验证。
此刻,我的ConfigureServices如下:
public void ConfigureServices(IServiceCollection services)
{
services.AddCors(options =>
{
options.AddPolicy("CorsPolicy",builder => builder.AllowAnyOrigin()
.AllowAnyMethod()
.AllowAnyHeader());
});
services.AddAuthentication(options =>
{
options.DefaultScheme = "Cookies";
})
.AddCookie("Cookies",options =>
{
options.Cookie.Name = "auth_cookie";
options.Cookie.SameSite = SameSiteMode.None;
options.Events = new CookieAuthenticationEvents
{
OnRedirectToLogin = redirectContext =>
{
redirectContext.HttpContext.Response.StatusCode = 401;
return Task.CompletedTask;
}
};
});
services.AddAuthorization();
services.AddControllers();
}
我的Configure方法如下:
public void Configure(IApplicationBuilder app,IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseCors("CorsPolicy");
app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();
app.UseRouting();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers().RequireAuthorization();
});
}
我将[microsoft.AspNetCore.Authorization.Authorize]属性应用于默认生成的WeatherForecastController,并浏览至相关页面。我本来希望失败,因为我的请求中没有cookie,但是页面加载没有问题。
检查调试日志,可以看到以下内容:
microsoft.Extensions.Hosting.Internal.Host: Debug: Hosting started
microsoft.AspNetCore.Hosting.Diagnostics: Information: Request starting HTTP/2.0 GET https://localhost:44376/weatherforecast
microsoft.AspNetCore.HostFiltering.HostFilteringMiddleware: Debug: Wildcard detected,all requests with hosts will be allowed.
***microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler: Debug: AuthenticationScheme: Cookies was not authenticated.***
microsoft.AspNetCore.Routing.Matching.DfaMatcher: Debug: 1 candidate(s) found for the request path '/weatherforecast'
microsoft.AspNetCore.Routing.Matching.DfaMatcher: Debug: Endpoint 'NotesApp.WebApi.Controllers.WeatherForecastController.Get (NotesApp.WebApi)' with route pattern 'WeatherForecast' is valid for the request path '/weatherforecast'
microsoft.AspNetCore.Routing.EndpointRoutingMiddleware: Debug: Request matched endpoint 'NotesApp.WebApi.Controllers.WeatherForecastController.Get (NotesApp.WebApi)'
microsoft.AspNetCore.Routing.EndpointMiddleware: Information: Executing endpoint 'NotesApp.WebApi.Controllers.WeatherForecastController.Get (NotesApp.WebApi)'
microsoft.AspNetCore.Mvc.ModelBinding.ModelBinderFactory: Debug: Registered model binder providers,in the following order: microsoft.AspNetCore.Mvc.ModelBinding.Binders.BinderTypeModelBinderProvider,microsoft.AspNetCore.Mvc.ModelBinding.Binders.ServicesModelBinderProvider,microsoft.AspNetCore.Mvc.ModelBinding.Binders.BodyModelBinderProvider,microsoft.AspNetCore.Mvc.ModelBinding.Binders.HeaderModelBinderProvider,microsoft.AspNetCore.Mvc.ModelBinding.Binders.FloatingPointTypeModelBinderProvider,microsoft.AspNetCore.Mvc.ModelBinding.Binders.EnumTypeModelBinderProvider,microsoft.AspNetCore.Mvc.ModelBinding.Binders.simpletypeModelBinderProvider,microsoft.AspNetCore.Mvc.ModelBinding.Binders.CancellationTokenmodelBinderProvider,microsoft.AspNetCore.Mvc.ModelBinding.Binders.ByteArrayModelBinderProvider,microsoft.AspNetCore.Mvc.ModelBinding.Binders.FormFileModelBinderProvider,microsoft.AspNetCore.Mvc.ModelBinding.Binders.formcollectionModelBinderProvider,microsoft.AspNetCore.Mvc.ModelBinding.Binders.keyvaluepairModelBinderProvider,microsoft.AspNetCore.Mvc.ModelBinding.Binders.DictionaryModelBinderProvider,microsoft.AspNetCore.Mvc.ModelBinding.Binders.ArrayModelBinderProvider,microsoft.AspNetCore.Mvc.ModelBinding.Binders.CollectionmodelBinderProvider,microsoft.AspNetCore.Mvc.ModelBinding.Binders.ComplexTypeModelBinderProvider
microsoft.AspNetCore.Mvc.Infrastructure.ControlleractionInvoker: Information: Route matched with {action = "Get",controller = "WeatherForecast"}. Executing controller action with signature System.Collections.Generic.IEnumerable`1[NotesApp.WebApi.WeatherForecast] Get() on controller NotesApp.WebApi.Controllers.WeatherForecastController (NotesApp.WebApi).
***microsoft.AspNetCore.Mvc.Infrastructure.ControlleractionInvoker: Debug: Execution plan of authorization filters (in the following order): None***
microsoft.AspNetCore.Mvc.Infrastructure.ControlleractionInvoker: Debug: Execution plan of resource filters (in the following order): None
microsoft.AspNetCore.Mvc.Infrastructure.ControlleractionInvoker: Debug: Execution plan of action filters (in the following order): microsoft.AspNetCore.Mvc.ModelBinding.UnsupportedContentTypeFilter (Order: -3000),microsoft.AspNetCore.Mvc.Infrastructure.ModelStateInvalidFilter (Order: -2000)
microsoft.AspNetCore.Mvc.Infrastructure.ControlleractionInvoker: Debug: Execution plan of exception filters (in the following order): None
microsoft.AspNetCore.Mvc.Infrastructure.ControlleractionInvoker: Debug: Execution plan of result filters (in the following order): microsoft.AspNetCore.Mvc.Infrastructure.ClientErrorResultFilter (Order: -2000)
microsoft.AspNetCore.Mvc.Infrastructure.ControlleractionInvoker: Debug: Executing controller factory for controller NotesApp.WebApi.Controllers.WeatherForecastController (NotesApp.WebApi)
microsoft.AspNetCore.Mvc.Infrastructure.ControlleractionInvoker: Debug: Executed controller factory for controller NotesApp.WebApi.Controllers.WeatherForecastController (NotesApp.WebApi)
microsoft.AspNetCore.Mvc.Infrastructure.DefaultOutputFormatterSelector: Debug: List of registered output formatters,in the following order: microsoft.AspNetCore.Mvc.Formatters.HttpNoContentOutputFormatter,microsoft.AspNetCore.Mvc.Formatters.StringOutputFormatter,microsoft.AspNetCore.Mvc.Formatters.StreamOutputFormatter,microsoft.AspNetCore.Mvc.Formatters.SystemTextJsonOutputFormatter
microsoft.AspNetCore.Mvc.Infrastructure.DefaultOutputFormatterSelector: Debug: No information found on request to perform content negotiation.
microsoft.AspNetCore.Mvc.Infrastructure.DefaultOutputFormatterSelector: Debug: Attempting to select an output formatter without using a content type as no explicit content types were specified for the response.
microsoft.AspNetCore.Mvc.Infrastructure.DefaultOutputFormatterSelector: Debug: Attempting to select the first formatter in the output formatters list which can write the result.
microsoft.AspNetCore.Mvc.Infrastructure.DefaultOutputFormatterSelector: Debug: Selected output formatter 'microsoft.AspNetCore.Mvc.Formatters.SystemTextJsonOutputFormatter' and content type 'application/json' to write the response.
microsoft.AspNetCore.Mvc.Infrastructure.ObjectResultExecutor: Information: Executing ObjectResult,writing value of type 'NotesApp.WebApi.WeatherForecast[]'.
microsoft.AspNetCore.Mvc.Infrastructure.ControlleractionInvoker: Information: Executed action NotesApp.WebApi.Controllers.WeatherForecastController.Get (NotesApp.WebApi) in 65.9499ms
microsoft.AspNetCore.Routing.EndpointMiddleware: Information: Executed endpoint 'NotesApp.WebApi.Controllers.WeatherForecastController.Get (NotesApp.WebApi)'
microsoft.AspNetCore.Hosting.Diagnostics: Information: Request finished in 182.95000000000002ms 200 application/json; charset=utf-8
请注意,我已加注星标的两行-第一个正确标识我们未通过Cookie计划的身份验证。但是,第二个参数指示控制器上没有授权过滤器,这令人费解,因为存在。这大概就是为什么请求被允许的原因。
[ApiController]
[Route("[controller]")]
[Authorize]
public class WeatherForecastController : ControllerBase
{
private static readonly string[] Summaries = new[]
{
"Freezing","Bracing","Chilly","Cool","Mild","Warm","Balmy","Hot","Sweltering","Scorching"
};
private readonly ILogger<WeatherForecastController> _logger;
public WeatherForecastController(ILogger<WeatherForecastController> logger)
{
_logger = logger;
}
[HttpGet]
public IEnumerable<WeatherForecast> Get()
{
var rng = new Random();
return Enumerable.Range(1,5).Select(index => new WeatherForecast
{
Date = DateTime.Now.AddDays(index),TemperatureC = rng.Next(-20,55),Summary = Summaries[rng.Next(Summaries.Length)]
})
.ToArray();
}
}
任何人都可以阐明为什么运行时未检测到Authorize属性并对其进行操作的原因吗?
在这一点上,我不太在乎cookie的机制,我只是希望控制器被正确阻止。
非常感谢