.NET Core 2.0授权筛选器导致内部错误

时间:2018-01-22 11:11:38

标签: asp.net asp.net-core authorization asp.net-core-mvc-2.0

授权过滤器将导致.NET Core 2.0 Web应用程序出现内部错误。重现问题的步骤非常简单:创建一个新的.NET Core 2.0 MVC项目,使用"无需身份验证",在控制器方法上放置授权过滤器,访问相应的URL和" 500内部服务器错误"将被退回。

[Authorize]
public IActionResult Contact()
{
    ViewData["Message"] = "Your contact page.";

    return View();
}

.NET Core 1.1中的类似代码将正确返回响应" 401 Unauthorized"。

我在这个问题上发布了一个类似的问题:Custom cookie authentication not working after migration from ASP.NET Core 1.1 MVC to 2.0虽然我还没有理解问题比我的具体情况要宽得多。

例外:

System.InvalidOperationException: No authenticationScheme was specified, and there was no DefaultChallengeScheme found.
   at Microsoft.AspNetCore.Authentication.AuthenticationService.<ChallengeAsync>d__11.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Mvc.ChallengeResult.<ExecuteResultAsync>d__14.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.<InvokeResultAsync>d__19.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.<InvokeFilterPipelineAsync>d__17.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.<InvokeAsync>d__15.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Builder.RouterMiddleware.<Invoke>d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.<Invoke>d__7.MoveNext()

1 个答案:

答案 0 :(得分:2)

HTTP 401未经授权的响应should contain WWW-Authenticate标头,用于定义访问资源的身份验证方法。

在未经身份验证的情况下创建的项目中,没有设置任何默认身份验证方案。这就是为什么身份验证中间件无法构建有效的401响应并选择发送500错误的原因。

修复非常简单。添加任何身份验证处理程序并设置默认身份验证方案,例如:

public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();

    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer();
}

通过这样的配置,未经授权的请求将通过正确设置WWW-Authenticate标题:

得到401响应

enter image description here

相关问题
最新问题