我已经考虑过使用我的本地域AD来实现一种可能冒充AD用户来保护我的Web API的方法。 我发现他们使用基本或令牌认证的所有样本。或使用Azure AD保护它。
我想使用我的本地域AD /模拟来实现我的自定义授权业务逻辑。我所能实现的只是使用BASIC身份验证,挑战总是POPS UP表单输入用户名/密码。我想绕过它并使用我的本地域+自定义逻辑来验证/授权用户。
有没有办法可以模仿Windows用户在我的网络API中验证和授权资源?
这就是我的挑战功能:
void Challenge(HttpRequestMessage request, HttpResponseMessage response)
{
var host = request.RequestUri.DnsSafeHost;
response.Headers.Add(WWWAuthenticateHeader, string.Format("Basic realm=\"{0}\"", host));
}
非常感谢!
答案 0 :(得分:1)
首先,您应该阅读:
How to get HttpClient to pass credentials along with the request?
第二个(如果你正在做#34;一跳")。
如果启用" Windows身份验证"并禁用"匿名身份验证" (在IIS下#34;身份验证").......你可以获得Windows身份。
您想要编写自定义AuthorizeAttribute。
这是一个尝试的基本方法:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Web;
using System.Web.Http;
using System.Web.Http.Controllers;
namespace MyLibrary.CustomAttributes.WebApi
{
public class IdentityWhiteListAuthorizationAttribute : System.Web.Http.AuthorizeAttribute
{
public const string ErrorMessageBadIdentityContent = "IIdentity.Name was empty or IIdentity was not a WindowsIdentity. CurrentAction='{0}'";
public const string ErrorMessageBadIdentityReasonPhrase = "IIdentity.Name was empty or IIdentity was not a WindowsIdentity. The most likely reason is that the web service is not setup for WindowsAuthentication and/or Anonymous Authentication is enabled.";
public const string ErrorMessageNotAuthenticated = "IIdentity.IsAuthenticated was false. '{0}'";
public IdentityWhiteListAuthorizationAttribute()
{
}
private string CurrentActionName { get; set; }
public override void OnAuthorization(HttpActionContext actionContext)
{
this.CurrentActionName = actionContext.ActionDescriptor.ActionName;
base.OnAuthorization(actionContext);
}
protected override bool IsAuthorized(HttpActionContext actionContext)
{
/* this will authenticate if the authorization-header contained a "Negotiate" windows Identity. Note, WebApi must be running in Windows-Authentication mode (and the WebApi-web.config must be set for "<authentication mode="Windows" />") for this to work. (the client will send the windows identity via the DefaultRequestHeaders.Authorization header */
string currentActionName = this.CurrentActionName;
IPrincipal httpContextCurrentUserPrinc = HttpContext.Current.User; /* */
IIdentity ident = httpContextCurrentUserPrinc.Identity;
bool badIdentity = false;
string errorMessageContent = string.Empty;
string errorMessageReasonPhrase = string.Empty;
if (null == ident)
{
badIdentity = true;
errorMessageContent = string.Format(ErrorMessageBadIdentityContent, currentActionName);
errorMessageReasonPhrase = ErrorMessageBadIdentityReasonPhrase;
}
if (!badIdentity)
{
/* Ensure that we have an actual userName which means windows-authentication was setup properly */
if (string.IsNullOrEmpty(ident.Name))
{
badIdentity = true;
errorMessageContent = string.Format(ErrorMessageBadIdentityContent, currentActionName);
errorMessageReasonPhrase = ErrorMessageBadIdentityReasonPhrase;
}
}
if (!badIdentity)
{
if (!ident.IsAuthenticated)
{
badIdentity = true;
errorMessageContent = string.Format(ErrorMessageNotAuthenticated, ident.Name);
errorMessageReasonPhrase = string.Format(ErrorMessageNotAuthenticated, ident.Name);
}
}
if (!badIdentity)
{
if (ident.GetType() != typeof(WindowsIdentity))
{
badIdentity = true;
errorMessageContent = string.Format(ErrorMessageBadIdentityContent, currentActionName);
errorMessageReasonPhrase = ErrorMessageBadIdentityReasonPhrase;
}
}
if (badIdentity)
{
HttpResponseMessage resp = new HttpResponseMessage(HttpStatusCode.BadRequest)
{
Content = new StringContent(errorMessageContent),
ReasonPhrase = errorMessageReasonPhrase
};
throw new HttpResponseException(resp);
}
return true;
}
}
}
将该属性应用于webapi控制器和/或方法。
您也可以编写DelegatingHandler ...并使用上面相同的代码......