Testing a web application protected by passive federated authentication

Time: 2015-01-09 21:05:38

Tags: asp.net authentication wif adfs ws-federation

My team has an ASP.NET MVC based website and a Web API protected by passive federated authentication. Everything works fine. The problem we have is that we need to test the website and the Web API after an automated deployment. Assuming the test code runs as a user who has access to the website, how do we authenticate from the automated test code and obtain the FEDAUTH cookie for the website?

1 answer:

Answer 0: (score: 0)

You could make the Web API support active authentication. It takes some work to change the configuration and the authentication handler, but it would also make your Web API easily accessible from programmatic clients. If you only want to obtain the FEDAUTH cookie in your automated test code, the following code sample works fine. It mimics a browser posting the user's token to the website and obtaining the cookie.

        using System;
        using System.Collections.Generic;
        using System.IdentityModel.Protocols.WSTrust;
        using System.IdentityModel.Services;
        using System.Net;
        using System.Net.Http;
        using System.ServiceModel;
        using System.ServiceModel.Security;
        using System.Web;

        // The code needs the STS server and the website url
        var stsUrl = "https://your_STS";
        var serviceUrl = "https://your_Service";

        // Use Windows Credential to get the token (WS-Trust 1.3 over transport security with Windows auth)
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        var factory = new WSTrustChannelFactory(binding, stsUrl) { TrustVersion = TrustVersion.WSTrust13 };
        // Override current login user credential if needed:
        // factory.Credentials.Windows.ClientCredential = userCredential;

        // Ask the STS for a bearer token scoped to the website (the relying party)
        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            KeyType = KeyTypes.Bearer,
            AppliesTo = new EndpointReference(serviceUrl)
        };

        RequestSecurityTokenResponse rstr;
        var token = factory.CreateChannel().Issue(rst, out rstr);
        // Serialize the RSTR in the form a browser would carry in the "wresult" field
        var fedSerializer = new WSFederationSerializer();
        var rstrContent = fedSerializer.GetResponseAsString(rstr, new WSTrustSerializationContext());

        // After this the security token is acquired and saved in rstrContent

        // Keep an explicit cookie jar so the FedAuth cookie can be inspected after sign-in;
        // UseDefaultCredentials answers a Windows-auth challenge from the STS on the redirect hop
        var cookies = new CookieContainer();
        var handler = new HttpClientHandler { CookieContainer = cookies, UseDefaultCredentials = true };
        var client = new HttpClient(handler);

        // Initiate a request to the service, which will be redirected to STS. Read WS fed fields from redirected URL.
        var response = client.GetAsync(serviceUrl).Result;
        response.EnsureSuccessStatusCode();
        var redirectQuery = response.RequestMessage.RequestUri.Query;
        var queryParams = HttpUtility.ParseQueryString(redirectQuery);

        // construct an authentication form: wa and wctx come from the sign-in request, wresult is the token
        var formData = new Dictionary<string, string>
        {
            {"wa", queryParams["wa"]},
            {"wresult", rstrContent},
            {"wctx", queryParams["wctx"]},
        };

        // post the authentication form to the website.
        response = client.PostAsync(serviceUrl, new FormUrlEncodedContent(formData)).Result;
        response.EnsureSuccessStatusCode();

        // After this, the auth cookie is set in this HttpClient (and in "cookies") that you can use to access your service
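Once the sign-in above has populated a cookie jar, a post-deployment test usually wants three more checks: that an anonymous request is bounced to the expected STS with a WS-Federation sign-in request, that the session cookie the site issued carries the Secure and HttpOnly flags, and that a protected route is served only when the cookie is present. The following is an added example written for this page, not code from the original answer. It assumes WIF's default session cookie name `FedAuth` (plus the `FedAuth1`, `FedAuth2`, ... chunks WIF emits for large tokens), that the test knows which STS host the site should redirect to, and that `protectedUrl` is some route behind the site that requires authentication.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using System.Web;

// Post-deployment smoke checks for a WS-Federation (passive) relying party.
// Assumption: the site uses WIF's default "FedAuth" session cookie name.
static class FedAuthSmokeChecks
{
    // 1. An anonymous request must redirect to the expected STS with wa=wsignin1.0 and a wtrealm.
    public static async Task<Uri> CheckSignInRedirectAsync(Uri serviceUrl, Uri expectedSts)
    {
        // Do not follow redirects: the Location header is what we inspect.
        using (var handler = new HttpClientHandler { AllowAutoRedirect = false, UseCookies = false })
        using (var client = new HttpClient(handler))
        {
            var response = await client.GetAsync(serviceUrl);
            int status = (int)response.StatusCode;
            if (status < 300 || status > 399 || response.Headers.Location == null)
                throw new Exception($"Expected a redirect to the STS, got HTTP {status}");

            // Location may be relative; resolve it against the site.
            var location = new Uri(serviceUrl, response.Headers.Location);
            if (!string.Equals(location.Host, expectedSts.Host, StringComparison.OrdinalIgnoreCase))
                throw new Exception($"Redirected to unexpected host {location.Host}");

            var query = HttpUtility.ParseQueryString(location.Query);
            if (query["wa"] != "wsignin1.0")
                throw new Exception("Sign-in request is missing wa=wsignin1.0");
            if (string.IsNullOrEmpty(query["wtrealm"]))
                throw new Exception("Sign-in request is missing wtrealm");
            return location;
        }
    }

    // 2. After sign-in, FedAuth (and any FedAuthN chunks) must exist and be Secure + HttpOnly.
    public static void CheckFedAuthCookie(CookieContainer cookies, Uri serviceUrl)
    {
        var fedAuthCookies = cookies.GetCookies(serviceUrl).Cast<Cookie>()
            .Where(c => c.Name.StartsWith("FedAuth", StringComparison.Ordinal)
                        && c.Name.Substring("FedAuth".Length).All(char.IsDigit))
            .ToList();
        if (fedAuthCookies.Count == 0)
            throw new Exception("No FedAuth cookie was issued");

        foreach (var cookie in fedAuthCookies)
        {
            if (!cookie.Secure)
                throw new Exception($"{cookie.Name} lacks the Secure flag");
            if (!cookie.HttpOnly)
                throw new Exception($"{cookie.Name} lacks the HttpOnly flag");
        }
    }

    // 3. The protected route answers 200 with the cookie jar and is not served anonymously.
    public static async Task CheckProtectedResourceAsync(CookieContainer cookies, Uri protectedUrl)
    {
        using (var handler = new HttpClientHandler { CookieContainer = cookies, AllowAutoRedirect = false })
        using (var client = new HttpClient(handler))
        {
            var withCookie = await client.GetAsync(protectedUrl);
            if (withCookie.StatusCode != HttpStatusCode.OK)
                throw new Exception($"Protected route returned HTTP {(int)withCookie.StatusCode} with FedAuth cookie");
        }

        using (var handler = new HttpClientHandler { UseCookies = false, AllowAutoRedirect = false })
        using (var client = new HttpClient(handler))
        {
            var anonymous = await client.GetAsync(protectedUrl);
            if (anonymous.StatusCode == HttpStatusCode.OK)
                throw new Exception("Protected route was served without a FedAuth cookie");
        }
    }
}
```

Pass the same `CookieContainer` that was attached to the sign-in `HttpClientHandler` into `CheckFedAuthCookie` and `CheckProtectedResourceAsync`; the redirect check runs with a fresh, cookie-less handler so it sees the site as an unauthenticated browser would. Run the redirect check before sign-in and the other two after it.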