blocks|key|218959|text|type|unstyled|depth|inlineStyleRanges|entityRanges|data|218960|我很惊讶，在经过几个小时的Googling搜索之后，我竟然找不到一个清晰的示例来说明如何从登录屏幕到在我的ApiController方法上使用Authorize属性来验证用户身份。|blockquote|218961|218962|218963|这是因为你把这两个概念搞混了：|218964|218965|Authentication是系统可以安全地识别其用户的机制。身份验证系统提供了以下问题的答案：|unordered-list-item|218966|218967|-+Who+is+the+user?
-+Is+the+user+really+who+he/she+represents+himself+to+be?|code-block|syntax|javascript|218968|​|218969|218970|授权是一种机制，系统通过该机制确定特定的经过身份验证的用户对系统控制的受保护资源的访问权限级别。例如，数据库管理系统可以被设计成向某些特定的个人提供从数据库中检索信息的能力，而不是改变存储在数据库中的数据的能力，同时给予其他个人改变数据的能力。授权系统提供了问题的答案：|218971|218972|-+Is+user+X+authorized+to+access+resource+R?
-+Is+user+X+authorized+to+perform+operation+P?
-+Is+user+X+authorized+to+perform+operation+P+on+resource+R?|218973|218974|MVC中的Authorize属性用于应用访问规则，例如：|offset|length|style|CODE|218975|+[System.Web.Http.Authorize(Roles+=+"Admin,+Super+User")]
+public+ActionResult+AdministratorsOnly()
+{
+++++return+View();
+}|218976|上述规则将仅允许管理员和超级用户角色中的超级用户访问方法|BOLD|218977|还可以使用location元素在web.config文件中设置这些规则。示例：|218978|++<location+path="Home/AdministratorsOnly">
++++<system.web>
++++++<authorization>
++++++++<allow+roles="Administrators"/>
++++++++<deny+users="*"/>
++++++</authorization>
++++</system.web>
++</location>|218979|但是，在执行这些授权规则之前，您必须对当前网站的进行身份验证。|218980|218981|尽管这些解释了如何处理未经授权的请求，但它们并没有清楚地演示LoginController之类的东西来请求用户凭据并验证它们。|218982|218983|218984|从这里开始，我们可以将问题一分为二：|218985|在同一个Web应用程序中使用Web服务时的|218986|Authenticate用户|218987|218988|这将是最简单的方法，因为您将依赖于Authentication+in+ASP.Net|218989|这是一个简单的例子：|218990|Web.config|218991|218992|用户将被重定向到帐户/登录路由，在那里您将呈现自定义控件以请求用户凭据，然后您将使用以下命令设置身份验证cookie：|218993|if+(ModelState.IsValid)+{+if+(Membership.ValidateUser(model.UserName，model.Password))+{Membership.ValidateUser+model.RememberMe)；return+RedirectToAction(“索引”，“主页”)；}+else+{+ModelState.AddModelError(""，“提供的用户名或密码不正确。”)；}}+//如果到目前为止，有些东西失败了，重新显示表单返回View(model);|218994|Cross+-+platform身份验证|218995|218996|这种情况发生在您仅在Web应用程序中公开Web服务时，因此，您将有另一个客户端使用这些服务，该客户端可以是另一个Web应用程序或任何.Net应用程序(Win窗体、WPF、控制台、Windows服务等)|218997|例如，假设您将使用来自同一网络域(在intranet内)上的另一个Web应用程序的web+API服务，在这种情况下，您可以依赖于ASP.Net提供的Windows身份验证。|218998|218999|如果您的服务在Internet上公开，则需要将经过身份验证的令牌传递给每个Web+API服务。|219000|有关更多信息，请访问以下文章：|219001|-+[http://stevescodingblog.co.uk/basic-authentication-with-asp-net-webapi/](http://stevescodingblog.co.uk/basic-authentication-with-asp-net-webapi/)
-+[http://codebetter.com/johnvpetersen/2012/04/02/making-your-asp-net-web-apis-secure/](http://codebetter.com/johnvpetersen/2012/04/02/making-your-asp-net-web-apis-secure/)|219002|219003|entityMap|0|LINK|mutability|MUTABLE|url|http://msdn.microsoft.com/en-us/library/eeyk640h.aspx^0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|5|9|0|0|8|K|0|5|8|0|0|Q|5|0|0|0|1R|0|0|0|0|I|0|0|L|0|0|E|0|0|0|16|H|P|0|0|0|A|0|0|A|0|0|0|1N|0|0|77|0|0|K|0|0|0|H|0|0|0|0|0|0|0^^$0|@$1|2|3|-4|4|5|6|2R|7|@]|8|@]|9|$]]|$1|A|3|B|4|C|6|2S|7|@]|8|@]|9|$]]|$1|D|3|-4|4|5|6|2T|7|@]|8|@]|9|$]]|$1|E|3|-4|4|5|6|2U|7|@]|8|@]|9|$]]|$1|F|3|G|4|5|6|2V|7|@]|8|@]|9|$]]|$1|H|3|-4|4|5|6|2W|7|@]|8|@]|9|$]]|$1|I|3|J|4|K|6|2X|7|@]|8|@]|9|$]]|$1|L|3|-4|4|5|6|2Y|7|@]|8|@]|9|$]]|$1|M|3|N|4|O|6|2Z|7|@]|8|@]|9|$P|Q]]|$1|R|3|S|4|5|6|30|7|@]|8|@]|9|$]]|$1|T|3|-4|4|5|6|31|7|@]|8|@]|9|$]]|$1|U|3|V|4|K|6|32|7|@]|8|@]|9|$]]|$1|W|3|-4|4|5|6|33|7|@]|8|@]|9|$]]|$1|X|3|Y|4|O|6|34|7|@]|8|@]|9|$P|Q]]|$1|Z|3|S|4|5|6|35|7|@]|8|@]|9|$]]|$1|10|3|11|4|5|6|36|7|@$12|37|13|38|14|15]]|8|@]|9|$]]|$1|16|3|17|4|O|6|39|7|@]|8|@]|9|$P|Q]]|$1|18|3|19|4|5|6|3A|7|@$12|3B|13|3C|14|1A]]|8|@]|9|$]]|$1|1B|3|1C|4|5|6|3D|7|@$12|3E|13|3F|14|15]]|8|@]|9|$]]|$1|1D|3|1E|4|O|6|3G|7|@]|8|@]|9|$P|Q]]|$1|1F|3|1G|4|5|6|3H|7|@$12|3I|13|3J|14|1A]]|8|@]|9|$]]|$1|1H|3|-4|4|5|6|3K|7|@]|8|@]|9|$]]|$1|1I|3|1J|4|C|6|3L|7|@$12|3M|13|3N|14|1A]]|8|@]|9|$]]|$1|1K|3|-4|4|5|6|3O|7|@]|8|@]|9|$]]|$1|1L|3|-4|4|5|6|3P|7|@]|8|@]|9|$]]|$1|1M|3|1N|4|5|6|3Q|7|@$12|3R|13|3S|14|1A]]|8|@]|9|$]]|$1|1O|3|1P|4|5|6|3T|7|@$12|3U|13|3V|14|1A]]|8|@]|9|$]]|$1|1Q|3|1R|4|K|6|3W|7|@$12|3X|13|3Y|14|1A]]|8|@]|9|$]]|$1|1S|3|-4|4|5|6|3Z|7|@]|8|@]|9|$]]|$1|1T|3|1U|4|5|6|40|7|@$12|41|13|42|14|1A]]|8|@$12|43|13|44|1|45]]|9|$]]|$1|1V|3|1W|4|5|6|46|7|@$12|47|13|48|14|1A]]|8|@]|9|$]]|$1|1X|3|1Y|4|5|6|49|7|@$12|4A|13|4B|14|1A]]|8|@]|9|$]]|$1|1Z|3|-4|4|5|6|4C|7|@]|8|@]|9|$]]|$1|20|3|21|4|5|6|4D|7|@$12|4E|13|4F|14|1A]]|8|@]|9|$]]|$1|22|3|23|4|5|6|4G|7|@$12|4H|13|4I|14|1A]]|8|@]|9|$]]|$1|24|3|25|4|K|6|4J|7|@$12|4K|13|4L|14|1A]]|8|@]|9|$]]|$1|26|3|-4|4|5|6|4M|7|@]|8|@]|9|$]]|$1|27|3|28|4|5|6|4N|7|@$12|4O|13|4P|14|1A]]|8|@]|9|$]]|$1|29|3|2A|4|5|6|4Q|7|@]|8|@]|9|$]]|$1|2B|3|-4|4|5|6|4R|7|@]|8|@]|9|$]]|$1|2C|3|2D|4|5|6|4S|7|@]|8|@]|9|$]]|$1|2E|3|2F|4|5|6|4T|7|@]|8|@]|9|$]]|$1|2G|3|2H|4|O|6|4U|7|@]|8|@]|9|$P|Q]]|$1|2I|3|S|4|5|6|4V|7|@]|8|@]|9|$]]|$1|2J|3|-4|4|5|6|4W|7|@]|8|@]|9|$]]]|2K|$2L|$4|2M|2N|2O|9|$2P|2Q]]]]

<blockquote>
 I am amazed how I've not been able to find a clear example of how to authenticate an user right from the login screen down to using the Authorize attribute over my ApiController methods after several hours of Googling.
</blockquote>

That's because you are getting confused about these two concepts:

<ul>
<li>Authentication is the mechanism whereby systems may securely identify their users. Authentication systems provide an answers to the questions:

<ul>
<li>Who is the user?</li>
<li>Is the user really who he/she represents himself to be?</li>
</ul></li>
<li>Authorization is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system. For example, a database management system might be designed so as to provide certain specified individuals with the ability to retrieve information from a database but not the ability to change data stored in the datbase, while giving other individuals the ability to change data. Authorization systems provide answers to the questions:

<ul>
<li>Is user X authorized to access resource R?</li>
<li>Is user X authorized to perform operation P?</li>
<li>Is user X authorized to perform operation P on resource R?</li>
</ul></li>
</ul>

The <code>Authorize</code> attribute in MVC is used to apply access rules, for example:

<pre><code> [System.Web.Http.Authorize(Roles = "Admin, Super User")]
 public ActionResult AdministratorsOnly()
 {
 return View();
 }
</code></pre>

The above rule will allow only users in the Admin and Super User roles to access the method

These rules can also be set in the web.config file, using the <code>location</code> element. Example:

<pre><code> &lt;location path="Home/AdministratorsOnly"&gt;
 &lt;system.web&gt;
 &lt;authorization&gt;
 &lt;allow roles="Administrators"/&gt;
 &lt;deny users="*"/&gt;
 &lt;/authorization&gt;
 &lt;/system.web&gt;
 &lt;/location&gt;
</code></pre>

However, before those authorization rules are executed, you have to be authenticated to the current web site. 

<blockquote>
 Even though these explain how to handle unauthorized requests, these do not demonstrate clearly something like a LoginController or something like that to ask for user credentials and validate them.
</blockquote>

From here, we could split the problem in two:

<ul>
<li>Authenticate users when consuming the Web API services within the same Web application

This would be the simplest approach, because you would rely on the <a href="http://msdn.microsoft.com/en-us/library/eeyk640h.aspx" rel="noreferrer">Authentication in ASP.Net</a>

This is a simple example:

<h3>Web.config</h3>

<pre><code>&lt;authentication mode="Forms"&gt;
 &lt;forms
 protection="All"
 slidingExpiration="true"
 loginUrl="account/login"
 cookieless="UseCookies"
 enableCrossAppRedirects="false"
 name="cookieName"
 /&gt;
&lt;/authentication&gt;
</code></pre>

Users will be redirected to the account/login route, there you would render custom controls to ask for user credentials and then you would set the authentication cookie using:

<pre><code> if (ModelState.IsValid)
 {
 if (Membership.ValidateUser(model.UserName, model.Password))
 {
 FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
 return RedirectToAction("Index", "Home");
 }
 else
 {
 ModelState.AddModelError("", "The user name or password provided is incorrect.");
 }
 }

 // If we got this far, something failed, redisplay form
 return View(model);
</code></pre></li>
<li>Cross - platform authentication

This case would be when you are only exposing Web API services within the Web application therefore, you would have another client consuming the services, the client could be another Web application or any .Net application (Win Forms, WPF, console, Windows service, etc)

For example assume that you will be consuming the Web API service from another web application on the same network domain (within an intranet), in this case you could rely on the Windows authentication provided by ASP.Net. 

<pre><code>&lt;authentication mode="Windows" /&gt;
</code></pre>

If your services are exposed on the Internet, then you would need to pass the authenticated tokens to each Web API service.

For more info, take a loot to the following articles:

<ul>
<li><a href="http://stevescodingblog.co.uk/basic-authentication-with-asp-net-webapi/" rel="noreferrer">http://stevescodingblog.co.uk/basic-authentication-with-asp-net-webapi/</a></li>
<li><a href="http://codebetter.com/johnvpetersen/2012/04/02/making-your-asp-net-web-apis-secure/" rel="noreferrer">http://codebetter.com/johnvpetersen/2012/04/02/making-your-asp-net-web-apis-secure/</a></li>
</ul></li>
</ul>

blocks|key|3080622|text|如果您希望在没有授权cookie的情况下使用用户名和密码和进行身份验证，则MVC4+Authorize属性将无法开箱即用。但是，您可以将以下帮助器方法添加到控制器以接受基本身份验证头。从控制器方法的开始处调用它。|type|unstyled|depth|inlineStyleRanges|offset|length|style|BOLD|entityRanges|data|3080623|void+EnsureAuthenticated(string+role)
{
++++string[]+parts+=+UTF8Encoding.UTF8.GetString(Convert.FromBase64String(Request.Headers.Authorization.Parameter)).Split(':');
++++if+(parts.Length+!=+2+%7C%7C+!Membership.ValidateUser(parts[0],+parts[1]))
++++++++throw+new+HttpResponseException(Request.CreateErrorResponse(HttpStatusCode.Unauthorized,+"No+account+with+that+username+and+password"));
++++if+(role+!=+null+&&+!Roles.IsUserInRole(parts[0],+role))
++++++++throw+new+HttpResponseException(Request.CreateErrorResponse(HttpStatusCode.Unauthorized,+"An+administrator+account+is+required"));
}|code-block|syntax|javascript|3080624|在客户端，这个帮助器创建一个带有身份验证头的HttpClient：|CODE|3080625|static+HttpClient+CreateBasicAuthenticationHttpClient(string+userName,+string+password)
{
++++var+client+=+new+HttpClient();
++++client.DefaultRequestHeaders.Authorization+=+new+AuthenticationHeaderValue("Basic",+Convert.ToBase64String(UTF8Encoding.UTF8.GetBytes(userName+%2B+':'+%2B+password)));
++++return+client;
}|3080626|entityMap|0|LINK|mutability|MUTABLE|url|http://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute.aspx^0|M|6|T|25|16|9|0|0|0|0|X|M|A|0|0^^$0|@$1|2|3|4|5|6|7|X|8|@$9|Y|A|Z|B|C]|$9|10|A|11|B|C]]|D|@$9|12|A|13|1|14]]|E|$]]|$1|F|3|G|5|H|7|15|8|@]|D|@]|E|$I|J]]|$1|K|3|L|5|6|7|16|8|@$9|17|A|18|B|C]|$9|19|A|1A|B|M]]|D|@]|E|$]]|$1|N|3|O|5|H|7|1B|8|@]|D|@]|E|$I|J]]|$1|P|3|-4|5|6|7|1C|8|@]|D|@]|E|$]]]|Q|$R|$5|S|T|U|E|$V|W]]]]

If you want to authenticate against a user name and password and without an authorization cookie, the MVC4 <a href="http://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute.aspx">Authorize</a> attribute won't work out of the box. However, you can add the following helper method to your controller to accept basic authentication headers. Call it from the beginning of your controller's methods.

<pre><code>void EnsureAuthenticated(string role)
{
 string[] parts = UTF8Encoding.UTF8.GetString(Convert.FromBase64String(Request.Headers.Authorization.Parameter)).Split(':');
 if (parts.Length != 2 || !Membership.ValidateUser(parts[0], parts[1]))
 throw new HttpResponseException(Request.CreateErrorResponse(HttpStatusCode.Unauthorized, "No account with that username and password"));
 if (role != null &amp;&amp; !Roles.IsUserInRole(parts[0], role))
 throw new HttpResponseException(Request.CreateErrorResponse(HttpStatusCode.Unauthorized, "An administrator account is required"));
}
</code></pre>

From the client side, this helper creates a <code>HttpClient</code> with the authentication header in place:

<pre><code>static HttpClient CreateBasicAuthenticationHttpClient(string userName, string password)
{
 var client = new HttpClient();
 client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", Convert.ToBase64String(UTF8Encoding.UTF8.GetBytes(userName + ':' + password)));
 return client;
}
</code></pre>

blocks|key|216061|text|我正在处理一个MVC5/Web+API项目，需要能够获得Web+Api方法的授权。当我的索引视图第一次加载时，我调用了一个'token‘Web方法，我相信它是自动创建的。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|216062|获取令牌的客户端代码(CoffeeScript)为：|216063|getAuthenticationToken+=+(username,+password)+->
++++dataToSend+=+"username="+%2B+username+%2B+"&password="+%2B+password
++++dataToSend+%2B=+"&grant_type=password"
++++$.post("/token",+dataToSend).success+saveAccessToken|code-block|syntax|javascript|216064|如果成功，将调用以下命令，将身份验证令牌保存在本地：|216065|saveAccessToken+=+(response)+->
++++window.authenticationToken+=+response.access_token|216066|然后，如果我需要对具有Authorize标记的Web+API方法进行Ajax调用，我只需将以下标头添加到Ajax调用中：|216067|{+"Authorization":+"Bearer+"+%2B+window.authenticationToken+}|216068|entityMap^0|0|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|S|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|T|8|@]|9|@]|A|$]]|$1|D|3|E|5|F|7|U|8|@]|9|@]|A|$G|H]]|$1|I|3|J|5|6|7|V|8|@]|9|@]|A|$]]|$1|K|3|L|5|F|7|W|8|@]|9|@]|A|$G|H]]|$1|M|3|N|5|6|7|X|8|@]|9|@]|A|$]]|$1|O|3|P|5|F|7|Y|8|@]|9|@]|A|$G|H]]|$1|Q|3|-4|5|6|7|Z|8|@]|9|@]|A|$]]]|R|$]]

I am working on a MVC5/Web API project and needed to be able to get authorization for the Web Api methods. When my index view is first loaded I make a call to the 'token' Web API method which I believe is created automatically.

The client side code (CoffeeScript) to get the token is:

<pre><code>getAuthenticationToken = (username, password) -&gt;
 dataToSend = "username=" + username + "&amp;password=" + password
 dataToSend += "&amp;grant_type=password"
 $.post("/token", dataToSend).success saveAccessToken
</code></pre>

If successful the following is called, which saves the authentication token locally:

<pre><code>saveAccessToken = (response) -&gt;
 window.authenticationToken = response.access_token
</code></pre>

Then if I need to make an Ajax call to a Web API method that has the [Authorize] tag I simply add the following header to my Ajax call:

<pre><code>{ "Authorization": "Bearer " + window.authenticationToken }
</code></pre>

This topic has been incredibly confusing for me. I am a rookie in HTTP apps but need to develop an iPhone client that consumes JSON data from somewhere. I chose Web API from MS because it seemed easy enough but when it comes to authenticating users, things get quite frustrating.

I am amazed how I've not been able to find a clear example of how to authenticate an user right from the login screen down to using the <code>Authorize</code> attribute over my <code>ApiController</code> methods after several hours of Googling.

This is not a question but a request for an example of how to do this exactly. I have looked at the following pages:

<ul>
<li><a href="http://codebetter.com/johnvpetersen/2012/04/02/making-your-asp-net-web-apis-secure/">Making your ASP.NET Web API's Secure</a></li>
<li><a href="http://stevescodingblog.co.uk/basic-authentication-with-asp-net-webapi/">Basic Authentication With ASP.NET Web API</a></li>
</ul>

Even though these explain how to handle unauthorized requests, these do not demonstrate clearly something like a <code>LoginController</code> or something like that to ask for user credentials and validate them.

Anyone willing to write a nice simple example or point me in the right direction, please?

Thanks.

User Authentication in ASP.NET Web API

数据库管理系统

数据库管理

身份验证

数据库

Windows

路由

JSON

这个话题让我感到难以置信的困惑。我是一个新手在超文本传输协议应用程序，但需要开发一个iPhone客户端，从某个地方消费JSON数据。我选择了微软的Web API，因为它看起来很简单，但当涉及到用户身份验证时，事情就变得相当令人沮丧。我很惊讶，在谷歌搜索了几个小时之后，我竟然找不到一个清晰的示例来说明如何从登录屏幕一直到...

问ASP.NET网络应用编程接口中的用户身份验证
EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问ASP.NET网络应用编程接口中的用户身份验证EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问ASP.NET网络应用编程接口中的用户身份验证
EN