使用ServiceStack进行无Cookie身份验证

Question

我正在使用ASP.NET MVC 4 Project中托管的ServiceStackV3构建REST API。想要通过SSL使用HttpBasic身份验证。

我想使用ServiceStackV3实现以下目标：

• 无Cookie验证。
• API使用者不必去/ auth / something进行身份验证，然后回到/ someservice / someaction。
• 相反，他们直接调用/ someservice / someaction并传递他们的凭据。

即使它意味着在每个请求中提供用户名/密码而不维护任何会话或缓存。

我应该使用：

• 继承自BasicAuthProvider，也许是CustomUserSession？在ServiceStack中不知道我的方式。
• 或者在Global.asax中实现Application_AuthenticateRequest，检查Authorization标头，如果凭据无效，则添加WWW-Authenticate标头以响应Http Unauthorized状态代码？但是当凭证有效时，我的服务方法如何知道呢？

这是我已经做的并且工作正常，不确定它是否是一个好方法：

（请记住我在/ api上运行ServiceStack）

protected void Application_Start()
{
    AreaRegistration.RegisterAllAreas();
    RouteConfig.RegisterRoutes(RouteTable.Routes);
    //Initialize your application
    (new ServiceAppHost()).Init();
}

protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    var segments = Request.Url.Segments;
    //someone is at /api/something but metadata should be consumed by everyone
    if (segments.Length > 2 
        && segments[1] == "api/" 
        && segments[2].Replace("/", "") != "metadata")
    {
        //need to authenticate
        int UserID = -1;
        bool authorized = false;
        string authorization = Request.Headers["Authorization"];
        if (!string.IsNullOrWhiteSpace(authorization))
        {
            string[] parts = authorization.Split(' ');
            if (parts[0] == "Basic")//basic authentication
            {
                authorization = UTF8Encoding.UTF8.GetString(Convert.FromBase64String(parts[1]));
                string username = authorization.Split(':')[0], password = authorization.Split(':')[1];
                if (username == "mustermann" && password == "johndoe")
                {
                    authorized = true;
                    UserID = 13;//get from database
                    Request.Headers.Add("X-UserID", UserID + "");
                }
            }
        }

        if (!authorized)
        {
            HttpContext.Current.Items["NeedAuthenticate"] = true;
            Response.End();
        }
    }
}

void Application_EndRequest(object sender, EventArgs e)
{
    if ((bool?)HttpContext.Current.Items["NeedAuthenticate"] == true)
    {
        Response.Clear();
        Response.AddHeader("WWW-Authenticate", string.Format("Basic realm=\"{0}\"", Request.Url.Host));
        Response.SuppressContent = true;
        Response.StatusCode = (int)System.Net.HttpStatusCode.Unauthorized;
        Response.End();
    }
}

public class MyBasicAuthProvicer : BasicAuthProvider
{
    public override bool TryAuthenticate(IServiceBase authService,
    string userName, string password)
    {
        //username & password were already validated in Global.asax
        return true;
    }
}

public class CustomUserSession : AuthUserSession
{
    //some properties of my own
    //public Kunden CurrentKunden {get;set;}

    public override void OnAuthenticated(IServiceBase authService, IAuthSession session, IAuthTokens tokens, Dictionary<string, string> authInfo)
    {
        base.OnAuthenticated(authService, session, tokens, authInfo);

        int UserID = 0;
        if (int.TryParse(authService.Request.Headers["X-UserID"], out UserID))
        {
            //get user by ID from DB and assign to CurrentKunden
            //or maybe put Kunden object in Session from Global.asax?!?
        }
    }
}

Answer 1

我正在使用ServiceStack v4 API做类似的事情。在我的世界中，REST API使用基于SSL的HTTP基本凭证，并且仅使用＆＃34;密码＆＃34; part（PIN＃）用于身份验证。这是我Configure(container)方法的相关部分：

IAuthProvider authProvider = new BasicAuthProvider();
AuthFeature authFeature = new AuthFeature(
    () =>
      {
        return new AuthUserSession();
      },
    new IAuthProvider[] { authProvider }
    );
authFeature.IncludeAssignRoleServices = false;
authFeature.IncludeRegistrationService = false;
authFeature.IncludeAuthMetadataProvider = false;
Plugins.Add(authFeature);

// **** MY CUSTOM AUTH REPO
container.Register<IUserAuthRepository>(new BMSUserAuthRepository(() => dbFactory.OpenDbConnection()));

另一个问题是有时Session无法访问。此全局筛选器可确保会话可用，包括用户名，身份验证角色等。

// Add a request filter storing the current session in HostContext to be
// accessible from anywhere within the scope of the current request.
this.GlobalRequestFilters.Add((httpReq, httpRes, requestDTO) =>
{
    var session = httpReq.GetSession();
    RequestContext.Instance.Items.Add("Session", session);
});

最后，来自我的Auth存储库的一两个片段。请注意，理智的人会使用缓存，而不是在每个HTTP请求上查找用户身份验证数据。

public class BMSUserAuthRepository : IUserAuthRepository
{
    private IDbConnection Db
    {
        get
        {
            return this.createDb();
        }
    }
    Func<IDbConnection> createDb;

    public BMSUserAuthRepository(Func<IDbConnection> dbConnectionFunc)
    {
        this.createDb = dbConnectionFunc;
    }

    ...

    public bool TryAuthenticate(string userName, string password, out IUserAuth userNameuserAuth)
    {
        User user = Db.Select<User>(u => /*u.UserName == userName && */ u.PIN == password).SingleOrDefault();
        if (user == null)
        {
            userNameuserAuth = new UserAuth();
            return false;
        }

        userNameuserAuth = new UserAuth()
        {
            FirstName = user.FirstName,
            LastName = user.LastName,
            Id = user.Id,
            UserName = user.UserName
        };
        return true;
    }

    public IUserAuth GetUserAuth(string userAuthId)
    {
        int id = Int32.Parse(userAuthId);
        User user = Db.SingleById<User>(id);

        List<string> roles = null;
        if (user != null) roles = Db.SqlList<string>(Db.From<Role>().Where<Role>(r => r.Id >= user.RoleId).Select(r => r.RoleName));

        return new UserAuth()
        {
            FirstName = user.FirstName,
            LastName = user.LastName,
            Id = user.Id,
            UserName = user.UserName,
            Roles = roles
        };
    }

    ...

}