- c - 在位数组中找到第一个零
- linux - Unix 显示有关匹配两种模式之一的文件的信息
- 正则表达式替换多个文件
- linux - 隐藏来自 xtrace 的命令
我已将 ASP.NET Core 1.1 MVC 项目迁移到 ASP.NET Core 2.0,现在我注意到对应用程序的未授权部分的请求不再导致“401 未授权”响应,而是代码异常导致响应“500 内部服务器错误”。
日志文件的示例摘录(John Smith 无权访问他试图访问的 Controller 操作):
2018-01-02 19:58:23 [DBG] Request successfully matched the route with name '"modules"' and template '"m/{ModuleName}"'.
2018-01-02 19:58:23 [DBG] Executing action "Team.Controllers.ModulesController.Index (Team)"
2018-01-02 19:58:23 [INF] Authorization failed for user: "John Smith".
2018-01-02 19:58:23 [INF] Authorization failed for the request at filter '"Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter"'.
2018-01-02 19:58:23 [INF] Executing ForbidResult with authentication schemes ([]).
2018-01-02 19:58:23 [INF] Executed action "Team.Controllers.ModulesController.Index (Team)" in 146.1146ms
2018-01-02 19:58:23 [DBG] System.InvalidOperationException occurred, checking if Entity Framework recorded this exception as resulting from a failed database operation.
2018-01-02 19:58:23 [DBG] Entity Framework did not record any exceptions due to failed database operations. This means the current exception is not a failed Entity Framework database operation, or the current exception occurred from a DbContext that was not obtained from request services.
2018-01-02 19:58:23 [ERR] An unhandled exception has occurred while executing the request
System.InvalidOperationException: No authenticationScheme was specified, and there was no DefaultForbidScheme found.
at Microsoft.AspNetCore.Authentication.AuthenticationService.<ForbidAsync>d__12.MoveNext()
...
我使用自定义 cookie 身份验证,作为中间件实现。这是我的 Startup.cs(app.UseTeamAuthentication() 是对中间件的调用):
public class Startup
{
public Startup(IHostingEnvironment env)
{
var builder = new ConfigurationBuilder()
.SetBasePath(env.ContentRootPath)
.AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
.AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true);
builder.AddEnvironmentVariables();
Configuration = builder.Build();
}
public IConfigurationRoot Configuration { get; }
public void ConfigureServices(IServiceCollection services)
{
services.Configure<MyAppOptions>(Configuration);
services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();
services.AddDbContext<ApplicationDbContext>(options => options
.ConfigureWarnings(warnings => warnings.Throw(CoreEventId.IncludeIgnoredWarning))
.ConfigureWarnings(warnings => warnings.Throw(RelationalEventId.QueryClientEvaluationWarning)));
services.AddAuthorization(options =>
{
options.AddPolicy(Security.TeamAdmin, policyBuilder => policyBuilder.RequireClaim(ClaimTypes.Role, Security.TeamAdmin));
options.AddPolicy(Security.SuperAdmin, policyBuilder => policyBuilder.RequireClaim(ClaimTypes.Role, Security.SuperAdmin));
});
services.AddDistributedMemoryCache();
services.AddSession(options =>
{
options.IdleTimeout = System.TimeSpan.FromMinutes(5);
options.Cookie.HttpOnly = true;
});
services.AddMvc()
.AddJsonOptions(options => options.SerializerSettings.ContractResolver = new DefaultContractResolver())
.AddViewLocalization(
LanguageViewLocationExpanderFormat.SubFolder,
options => { options.ResourcesPath = "Resources"; })
.AddDataAnnotationsLocalization();
services.Configure<RequestLocalizationOptions>(options =>
{
options.DefaultRequestCulture = new RequestCulture("en-US");
options.SupportedCultures = TeamConfig.SupportedCultures;
options.SupportedUICultures = TeamConfig.SupportedCultures;
options.RequestCultureProviders.Insert(0, new MyCultureProvider(options.DefaultRequestCulture));
});
services.AddScoped<IViewLists, ViewLists>();
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
loggerFactory.AddConsole(Configuration.GetSection("Logging"));
loggerFactory.AddDebug();
Log.Logger = new LoggerConfiguration()
.MinimumLevel.Debug()
.WriteTo.File("log.txt", outputTemplate: "{Timestamp:yyyy-MM-dd HH:mm:ss} [{Level:u3}] {Message}{NewLine}{Exception}")
.CreateLogger();
loggerFactory.AddSerilog();
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
app.UseDatabaseErrorPage();
}
bool UseHttps = Configuration.GetValue("Https", false);
if (UseHttps)
{
app.UseRewriter(new RewriteOptions().AddRedirectToHttps());
}
app.UseStaticFiles();
app.UseTeamDatabaseSelector();
app.UseTeamAuthentication();
var localizationOptions = app.ApplicationServices.GetService<IOptions<RequestLocalizationOptions>>();
app.UseRequestLocalization(localizationOptions.Value);
app.UseSession();
app.UseMvc(routes =>
{
routes.MapRoute(
name: "modules",
template: "m/{ModuleName}",
defaults: new { controller = "Modules", action = "Index" }
);
routes.MapRoute(
name: "actions",
template: "a/{action}",
defaults: new { controller = "Actions" }
);
routes.MapRoute(
name: "modules_ex",
template: "mex/{action}",
defaults: new { controller = "ModulesEx" }
);
routes.MapRoute(
name: "default",
template: "{controller=Home}/{action=Index}/{id?}");
});
}
}
这是中间件:
public class TeamAuthentication
{
private readonly RequestDelegate next;
private readonly ILogger<TeamAuthentication> logger;
public TeamAuthentication(RequestDelegate _next, ILogger<TeamAuthentication> _logger)
{
next = _next;
logger = _logger;
}
public async Task Invoke(HttpContext context, ApplicationDbContext db)
{
if (TeamConfig.AuthDebug)
{
logger.LogDebug("Auth-Invoke: " + context.Request.Path);
}
const string LoginPath = "/Login";
const string LoginPathTimeout = "/Login?timeout";
const string LogoutPath = "/Logout";
bool Login =
(context.Request.Path == LoginPath ||
context.Request.Path == LoginPathTimeout);
bool Logout = (context.Request.Path == LogoutPath);
string TokenContent = context.Request.Cookies["t"];
bool DatabaseSelected = context.Items["ConnectionString"] != null;
bool Authenticated = false;
bool SessionTimeout = false;
// provjera tokena
if (!Login && !Logout && DatabaseSelected && TokenContent != null)
{
try
{
var token = await Security.CheckToken(db, logger, TokenContent, context.Response);
if (token.Status == Models.TokenStatus.OK)
{
Authenticated = true;
context.Items["UserID"] = token.UserID;
List<Claim> userClaims = new List<Claim>();
var person = await db.Person.AsNoTracking()
.Where(x => x.UserID == token.UserID)
.FirstOrDefaultAsync();
if (person != null)
{
var emp = await db.Employee.AsNoTracking()
.Where(x => x.PersonID == person.ID)
.FirstOrDefaultAsync();
if (emp != null)
{
context.Items["EmployeeID"] = emp.ID;
}
}
string UserName = "";
if (person != null && person.FullName != null)
{
UserName = person.FullName;
}
else
{
var user = await db.User.AsNoTracking()
.Where(x => x.ID == token.UserID)
.Select(x => new { x.Login }).FirstOrDefaultAsync();
UserName = user.Login;
}
context.Items["UserName"] = UserName;
userClaims.Add(new Claim(ClaimTypes.Name, UserName));
if ((token.Roles & (int)Security.TeamRoles.TeamAdmin) == (int)Security.TeamRoles.TeamAdmin)
{
userClaims.Add(new Claim(ClaimTypes.Role, Security.TeamAdmin));
}
if ((token.Roles & (int)Security.TeamRoles.SuperAdmin) == (int)Security.TeamRoles.SuperAdmin)
{
userClaims.Add(new Claim(ClaimTypes.Role, Security.TeamAdmin));
userClaims.Add(new Claim(ClaimTypes.Role, Security.SuperAdmin));
}
ClaimsPrincipal principal = new ClaimsPrincipal(new ClaimsIdentity(userClaims, "local"));
context.User = principal;
}
else if (token.Status == Models.TokenStatus.Expired)
{
SessionTimeout = true;
}
}
catch (System.Exception ex)
{
logger.LogCritical(ex.Message);
}
}
if (Login || (Logout && DatabaseSelected) || Authenticated)
{
await next.Invoke(context);
}
else
{
if (Utility.IsAjaxRequest(context.Request))
{
if (TeamConfig.AuthDebug)
{
logger.LogDebug("Auth-Invoke => AJAX 401");
}
context.Response.StatusCode = 401;
context.Response.Headers.Add(SessionTimeout ? "X-Team-Timeout" : "X-Team-Login", "1");
}
else
{
string RedirectPath = SessionTimeout ? LoginPathTimeout : LoginPath;
if (TeamConfig.AuthDebug)
{
logger.LogDebug("Auth-Invoke => " + RedirectPath);
}
context.Response.Redirect(RedirectPath);
}
}
}
}
}
这是相同的中间件,我认为对问题不重要的代码被删除了:
public class TeamAuthentication
{
private readonly RequestDelegate next;
private readonly ILogger<TeamAuthentication> logger;
public async Task Invoke(HttpContext context, ApplicationDbContext db)
{
// preparatory actions...
var token = await Security.CheckToken(db, logger, TokenContent, context.Response);
if (token.Status == Models.TokenStatus.OK)
{
List<Claim> userClaims = new List<Claim>();
string UserName = "";
// find out the UserName...
userClaims.Add(new Claim(ClaimTypes.Name, UserName));
if ((token.Roles & (int)Security.TeamRoles.TeamAdmin) == (int)Security.TeamRoles.TeamAdmin)
{
userClaims.Add(new Claim(ClaimTypes.Role, Security.TeamAdmin));
}
if ((token.Roles & (int)Security.TeamRoles.SuperAdmin) == (int)Security.TeamRoles.SuperAdmin)
{
userClaims.Add(new Claim(ClaimTypes.Role, Security.TeamAdmin));
userClaims.Add(new Claim(ClaimTypes.Role, Security.SuperAdmin));
}
ClaimsPrincipal principal = new ClaimsPrincipal(new ClaimsIdentity(userClaims, "local"));
}
// ...
这是我授权访问 Controller 的方式:
namespace Team.Controllers
{
[Authorize(Policy = Security.TeamAdmin)]
public class ModulesController : Controller
{
// ...
我尝试通过 Google 搜索这个问题,发现了类似 https://learn.microsoft.com/en-us/aspnet/core/migration/1x-to-2x/identity-2x 的文章和一些类似的,但他们没有帮助我解决问题。
最佳答案
恕我直言您可能想切换到内置 Role base authorization而不是自己滚动 custom policy authorization肯定会有一些您没有想到的情况由它处理(避免重新发明轮子:)。
对于身份验证,您应该使用
设置 cookie 身份验证方案services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
.AddCookie();
阅读它提供的设置 here ,对于没有 ASP.Net Identity 的自定义方案。
至于授权,您在这里混合了身份验证和授权,中间件同时执行这两种操作,但名为 UseTeamAuthentication
,解释了差异 here ,因此这两件事在 ASP.Net Core 基础设施中是分开的。
您已经完成的授权(自定义)需要通过 IAuthorizationRequirement
接口(interface)实现要求来完成,您可以在上面的自定义策略链接中阅读如何执行此操作。但我强烈建议您使用内置的角色机制。
干杯:)
关于c# - 从 ASP.NET Core 1.1 MVC 迁移到 2.0 后自定义 cookie 身份验证不起作用,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/48073548/
今天有小伙伴给我留言问到,try{...}catch(){...}是什么意思?它用来干什么? 简单的说 他们是用来捕获异常的 下面我们通过一个例子来详细讲解下
我正在努力提高网站的可访问性,但我不知道如何在页脚中标记社交媒体链接列表。这些链接指向我在 facecook、twitter 等上的帐户。我不想用 role="navigation" 标记这些链接,因
说现在是 6 点,我有一个 Timer 并在 10 点安排了一个 TimerTask。之后,System DateTime 被其他服务(例如 ntp)调整为 9 点钟。我仍然希望我的 TimerTas
就目前而言,这个问题不适合我们的问答形式。我们希望答案得到事实、引用资料或专业知识的支持,但这个问题可能会引发辩论、争论、投票或扩展讨论。如果您觉得这个问题可以改进并可能重新打开,visit the
我就废话不多说了,大家还是直接看代码吧~ ? 1
Maven系列1 1.什么是Maven? Maven是一个项目管理工具,它包含了一个对象模型。一组标准集合,一个依赖管理系统。和用来运行定义在生命周期阶段中插件目标和逻辑。 核心功能 Mav
我是一名优秀的程序员,十分优秀!