我已在IIS7中爲我的站點啓用基本身份驗證,並按照此link爲基本身份驗證請求創建處理程序。 問題是,無論用戶輸入什麼憑證,即使輸入正確的憑證,網站也會返回401。這只是一個測試,憑據會根據硬編碼值進行檢查。基本身份驗證IHttpModule意外行爲
下面是相關的代碼:
public class BasicAuthenticationHttpModule : IHttpModule
{
public void Init(HttpApplication context)
{
context.BeginRequest+=context_BeginRequest;
context.AuthenticateRequest += context_AuthenticateRequest;
}
void context_AuthenticateRequest(object sender, EventArgs e)
{
HttpApplication application = (HttpApplication)sender;
TryAuthenticate(application);
}
private void context_BeginRequest(object sender, EventArgs e)
{
HttpApplication application = (HttpApplication)sender;
TryAuthenticate(application);
}
private static void TryAuthenticate(HttpApplication application)
{
if (!Authenticate(application.Context))
{
application.Context.Response.Status = "401 Unauthorized";
application.Context.Response.StatusCode = 401;
application.Context.Response.AddHeader("WWW-Authenticate", "Basic");
application.CompleteRequest();
}
}
private static bool Authenticate(HttpContext context)
{
if (context.User!=null && context.User.Identity.IsAuthenticated)
{
return true;
}
if (!context.Request.Headers.AllKeys.Contains("Authorization"))
return false;
string authHeader = HttpContext.Current.Request.Headers["Authorization"];
IPrincipal principal;
if (TryGetPrincipal(authHeader, out principal))
{
context.User = principal;
return true;
}
return false;
}
private static bool TryGetPrincipal(string[] creds, out IPrincipal principal)
{
if (creds[0] == "Administrator" && creds[1] == "SecurePassword")
{
principal = new GenericPrincipal(
new GenericIdentity("Administrator"),
new string[] { "Administrator", "User" }
);
return true;
}
if (creds[0] == "BasicUser" && creds[1] == "Password")
{
principal = new GenericPrincipal(
new GenericIdentity("BasicUser"),
new string[] { "User", "SystemUser" }
);
return true;
}
else
{
principal = null;
return false;
}
}
當客戶端進入正確的憑據(即「BasicUser」,「密碼」),則創建GenericPrincipal對象和分配給的HttpContext的用戶屬性。展望Request.IsAuthenticated告訴它它是true
。
這就是爲什麼我不明白爲什麼客戶端一次又一次地接收401。
我不知道所有的管道是如何工作的 - 可能是基本身份驗證進一步到一些IIS HttpModule,它也服務於請求?或者可能代碼不完整,需要擴展context_BeginRequest
? (我知道,在表單身份驗證類型的情況下,你做類似Response.Redirect(goodguy.aspx))
無論如何,任何幫助/問題的讚賞。
忘了提及,在web.config中我還擺放
<system.webServer>
<modules>
<add name="BasicAuthenticationHttpModule" type="Analytics.BasicAuthenticationHttpModule" />
</modules>
</system.webServer>