asp.net – 401向web api发送ajax请求时未经授权
发布时间:2020-12-16 04:26:14 所属栏目:asp.Net 来源:网络整理
导读:我现在已经在这2天了.我使用的是WebAPI 2.2版,我使用的是CORS.此设置适用于服务器端,我可以从我的Web客户端服务器代码获取授权内容,但在我的ajax调用中未经授权. 这是我的配置: Web API配置 WebApiConfig: public static class WebApiConfig{ public stati
|
我现在已经在这2天了.我使用的是WebAPI 2.2版,我使用的是CORS.此设置适用于服务器端,我可以从我的Web客户端服务器代码获取授权内容,但在我的ajax调用中未经授权.
这是我的配置: Web API配置 WebApiConfig: public static class WebApiConfig
{
public static void Register(HttpConfiguration config)
{
// Web API configuration and services
// Configure Web API to use only bearer token authentication.
config.SuppressDefaultHostAuthentication();
config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
config.Filters.Add(new HostAuthenticationFilter(DefaultAuthenticationTypes.ApplicationCookie));
//enable cors
config.EnableCors();
// Web API routes
config.MapHttpAttributeRoutes();
config.Routes.MapHttpRoute(
name: "DefaultApi",routeTemplate: "api/{controller}/{id}",defaults: new { id = RouteParameter.Optional }
);
config.Filters.Add(new ValidationActionFilter());
}
}
Startup.Auth.cs: // Configure the db context and user manager to use a single instance per request
app.CreatePerOwinContext(UserContext<ApplicationUser>.Create);
app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
// Enable the application to use a cookie to store information for the signed in user
// and to use a cookie to temporarily store information about a user logging in with a third party login provider
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,CookieHttpOnly = true,CookieName = "Outpour.Api.Auth"
}
);
//app.UseCors(CorsOptions.AllowAll);
//app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
// Configure the application for OAuth based flow
PublicClientId = "self";
OAuthOptions = new OAuthAuthorizationServerOptions
{
TokenEndpointPath = new PathString("/Token"),Provider = new ApplicationOAuthProvider(PublicClientId),AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),AllowInsecureHttp = true
};
// Enable the application to use bearer tokens to authenticate users
app.USEOAuthBearerTokens(OAuthOptions);
(我已经尝试过app.UseCors(CorsOptions.AllowAll)和config.EnableCors()的每个组合) 我的控制器属性: [Authorize]
[EnableCors("http://localhost:8080","*",SupportsCredentials = true)]
[RoutePrefix("api/videos")]
public class VideosController : ApiController...
Web客户端 Ajax电话: $.ajaxPrefilter(function (options,originalOptions,jqXHR) {
options.crossDomain = {
crossDomain: true
};
options.xhrFields = {
withCredentials: true
};
});
function ajaxGetVideoResolutionList() {
var request = {
type: "GET",dataType: "json",timeout: Outpour.ajaxTimeOut,url: Outpour.apiRoot + "/videos/resolutions"
};
$.ajax(request).done(onAjaxSuccess).fail(onAjaxError);
Cookie创建: var result = await WebApiService.Instance.AuthenticateAsync<SignInResult>(model.Email,model.Password);
FormsAuthentication.SetAuthCookie(result.AccessToken,model.RememberMe);
var claims = new[]
{
new Claim(ClaimTypes.Name,result.UserName),//Name is the default name claim type,and UserName is the one known also in Web API.
new Claim(ClaimTypes.NameIdentifier,result.UserName) //If you want to use User.Identity.GetUserId in Web API,you need a NameIdentifier claim.
};
var authTicket = new AuthenticationTicket(new ClaimsIdentity(claims,DefaultAuthenticationTypes.ApplicationCookie),new AuthenticationProperties
{
ExpiresUtc = result.Expires,IsPersistent = model.RememberMe,IssuedUtc = result.Issued,RedirectUri = redirectUrl
});
byte[] userData = DataSerializers.Ticket.Serialize(authTicket);
byte[] protectedData = MachineKey.Protect(userData,new[] { "Microsoft.Owin.Security.Cookies.CookieAuthenticationMiddleware",DefaultAuthenticationTypes.ApplicationCookie,"v1" });
string protectedText = TextEncodings.Base64Url.Encode(protectedData);
Response.Cookies.Add(new HttpCookie("Outpour.Api.Auth")
{
HttpOnly = true,Expires = result.Expires.UtcDateTime,Value = protectedText
});
最后但并非最不重要的是,我的标题. Remote Address:127.0.0.1:8888 Request URL:http://127.0.0.1/api/videos/resolutions Request Method:GET Status Code:401 Unauthorized **Request Headersview source** Accept:application/json,text/javascript,*/*; q=0.01 Accept-Encoding:gzip,deflate,sdch Accept-Language:en-US,en;q=0.8 Cache-Control:no-cache Host:127.0.0.1 Origin:http://localhost:8080 Pragma:no-cache Proxy-Connection:keep-alive Referer:http://localhost:8080/video/upload User-Agent:Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/37.0.2062.124 Safari/537.36 **Response Headersview source** Access-Control-Allow-Credentials:true Access-Control-Allow-Origin:http://localhost:8080 Cache-Control:no-cache Content-Length:61 Content-Type:application/json; charset=utf-8 Date:Wed,08 Oct 2014 04:01:19 GMT Expires:-1 Pragma:no-cache Server:Microsoft-IIS/8.0 WWW-Authenticate:Bearer X-AspNet-Version:4.0.30319 X-Powered-By:ASP.NET 开发人员工具和提琴手声称没有随请求发送的cookie. 解决方法
我相信你在这里混合了cookie身份验证和承载令牌,你没有在你的请求的Authorization标题中发送访问令牌,这就是你不断获得401的原因.
同样,您只需要使用application.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll)允许CORS;并从控制器属性甚至从配置中移除其他位置. 检查我的Repo here,我已经实现了CORS,前端也是AngularJS.它工作正常.对于此repo,开放式开发人员工具以及监视请求,这里也是live demo,您应该在看到HTTP get请求之前看到飞行前请求. 如果您只需要使用持有人令牌来保护您的API,那么我建议您阅读Token Based Authentication帖子 (编辑:李大同) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |
推荐文章
站长推荐
- asp.net-mvc – RenderSection在ASP.NET MVC3中的
- asp.net-mvc-4 – 从.net 4升级到4.5会破坏Javas
- asp.net-mvc – 如何阻止用户在MVC3应用程序上登
- asp.net-mvc – ASP.NET MVC的最佳实践
- asp.net-mvc – 如何在ASP.NET MVC视图中使用扩展
- asp.net-mvc – MVC服务层 – 每个控制器或其他设
- asp.net – 如何在没有实体框架的MVC中使用Simpl
- asp.net – 使用Elmah处理Web服务中的异常
- asp.net – 会话固定 – 表单身份验证
- asp.net-mvc – 为什么HtmlHelpers需要这个HtmlH
热点阅读