禁用WCF调用的表单身份验证

时间:2013-12-23 05:35:13

标签: asp.net wcf forms-authentication

我正在使用ASP.NET4.5 with C#。在我的Web应用程序中,实现了form authentication,使用cookie来存储身份验证信息。

web.config中,它被指定为:

<authentication mode="Forms">
      <forms loginUrl="~/login.aspx" />
</authentication>

现在,我有一个WCF RESTfull服务,我正在使用custom basic authentication。对于每个服务调用,我需要设置一个身份验证标头,如果它无效,那么我必须返回带有401代码的响应。

代码如下:

public class BasicAuthenticationInterceptor : RequestInterceptor
{
    MembershipProvider provider;
    string realm;

    public BasicAuthenticationInterceptor(MembershipProvider provider, string realm)
        : base(false)
    {
        this.provider = provider;
        this.realm = realm;
    }

    protected string Realm
    {
        get { return realm; }
    }

    protected MembershipProvider Provider
    {
        get { return provider; }
    }

    public override void ProcessRequest(ref RequestContext requestContext)
    {
        HttpRequestMessageProperty request = (HttpRequestMessageProperty)requestContext.RequestMessage.Properties[HttpRequestMessageProperty.Name];
        string[] credentials = ExtractCredentials(requestContext.RequestMessage);

        if (credentials.Length > 0 && AuthenticateUser(credentials[0], credentials[1]))
        {
            InitializeSecurityContext(requestContext.RequestMessage, credentials[0]);
        }
        else
        {
            try
            {
                Message reply = Message.CreateMessage(MessageVersion.None, "Invalid Action", "Access Denied");
                HttpResponseMessageProperty responseProperty = new HttpResponseMessageProperty() { StatusCode = HttpStatusCode.Unauthorized };

                responseProperty.Headers.Add("WWW-Authenticate",
                String.Format("Basic realm=\"{0}\"", Realm));
                responseProperty.Headers[HttpResponseHeader.ContentType] = "text/html";
                reply.Properties[HttpResponseMessageProperty.Name] = responseProperty;
                requestContext.Reply(reply);
                requestContext = null;
            }
            catch (Exception ex)
            {
                throw ex.InnerException;
            }
        }
    }
}

现在,为防止form authetication WCF来电,我在web.config添加了以下标记:

<location path="MyService.svc">
   <system.web>
      <authorization>
          <allow users="*"/>
      </authorization>
   </system.web>
</location>

请注意,WCF位于我项目的“Service”目录中,我尝试在位置标签中使用path="~/service/MyService.svc"path="service/MyService.svc"path="service",但它是返回200,而不是401代码。

现在,我已使用Fire-fox RESTClient add-on对服务电话进行了测试,发现对于invalid request,它仍然会返回200 code而在row-body我正在HTML我的login.aspx页面。这意味着它仍然会重定向到login.aspx

如果我将authetication mode中的web.config更改为“None”,则服务调用可以正常返回401的{​​{1}}代码。但我无法将身份验证模式设置为“无”。

请告诉我如何阻止WCF呼叫的表单身份验证。

1 个答案:

答案 0 :(得分:2)

解决了我自己:

我在Application_AuthenticateRequest() Global.asax事件中添加了以下代码,现在工作正常:

HttpApplication context = (HttpApplication)sender;

if (context.Request.Url.ToString().Contains(".svc"))
{
    context.Response.SuppressFormsAuthenticationRedirect = true;
}
相关问题
最新问题