我有一个.NET 6的Web API项目。在这个项目中,我有一个认证控制器和一个根据用户名和密码进行身份验证的端点。
如果我已经通过身份验证,就会得到预期的200状态码。但是,如果我没有通过身份验证并调用/api/MarketingEvent,为什么我会得到404状态码而不是401状态码?即使我在营销控制器上使用
[Route("api/[controller]")]
[ApiController]
public class AuthenticationController : ControllerBase
{
private readonly UserManager<ApplicationUser> _userManager;
private readonly SignInManager<ApplicationUser> _signInManager;
private readonly IdbContext _dbContext;
public AuthenticationController(UserManager<ApplicationUser> userManager, SignInManager<ApplicationUser> signInManager, IdbContext _dbContext)
{
_userManager = userManager;
_signInManager = signInManager;
_dbContext = dbContext;
}
[AllowAnonymous]
[HttpPost]
public async Task<IActionResult> PasswordSignInAsync([FromBody] LoginRequest loginRequest)
{
if (ModelState.IsValid)
{
var result = await _signInManager.PasswordSignInAsync(loginRequest.Username, loginRequest.Password, isPersistent: false, lockoutOnFailure: false);
if (result.Succeeded)
{
var armsUser = _dbContext.Users
.FirstOrDefault(u => u.Email == loginRequest.Username);
if (armsUser == null) {
await _signInManager.SignOutAsync();
return BadRequest();
}
ApplicationUser user = await _userManager.FindByEmailAsync(loginRequest.Username);
if (user == null)
{
return NotFound($"Unable to load user with username '{loginRequest.Username}'.");
}
user.LastSignInDate = DateTime.Now;
await _userManager.UpdateAsync(user);
await _signInManager.RefreshSignInAsync(user);
return Ok("Authenticated!");
}
await _signInManager.SignOutAsync();
return BadRequest("Invalid username or password.");
}
return BadRequest(ModelState);
}
}
这是受保护的资源。
[Route("api/[controller]")]
[ApiController]
public class MarketingEventController : ControllerBase
{
private readonly IMediator _mediator;
/// <summary>
///
/// </summary>
/// <param name="mediator"></param>
public MarketingEventController(IMediator mediator)
{
_mediator = mediator;
}
/// <summary>
///
/// </summary>
/// <returns></returns>
[HttpGet]
[ProducesResponseType(StatusCodes.Status200OK)]
[ProducesResponseType(StatusCodes.Status404NotFound)]
[ProducesResponseType(StatusCodes.Status500InternalServerError)]
public async Task<ActionResult> GetLatest()
{
try
{
var query = new GetLatestQuery();
var result = await _mediator.Send(query);
return Ok(result);
}
catch (Exception ex)
{
return Problem(ex.Message);
}
}
}
和一些相关的代码在 program.cs
中
...
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers().RequireAuthorization();
如果我已经通过身份验证,就会得到预期的200状态码。但是,如果我没有通过身份验证并调用/api/MarketingEvent,为什么我会得到404状态码而不是401状态码?即使我在营销控制器上使用
[Authorize]
修饰符,它的行为仍然相同。
RequireAuthorization
注册了一个公约,将[Authorize]
应用于所有控制器,因此手动执行不应有任何区别。 另外,我想询问一下框架 - 您提到的是.NET 6,标签是ASP.NET。我推测这与ASP.NET Core有关,而不是ASP.NET 4。 - Zdeněk Jelínek