logo标签列表

Asmx Web服务基本身份验证

web-servicesasmxbasic-authentication
15

我想要在我的asmx Web服务中实现基本身份验证,其中包括对用户名和密码的验证。
我不想使用WCF,也知道这不是一个安全的方式,但我需要在不使用HTTPS的情况下使用基本身份验证。

我的Web服务如下所示:

[WebService(Namespace = "http://www.mywebsite.com/")]
public class Service1
{
    [WebMethod]
    public string HelloWorld()
    {
        return "Hello world";
    }
}

我使用这个自定义的HttpModule:

public class BasicAuthHttpModule : IHttpModule
{
    void IHttpModule.Init(HttpApplication context)
    {
        context.AuthenticateRequest += new EventHandler(OnAuthenticateRequest);
    }

    void OnAuthenticateRequest(object sender, EventArgs e)
    {
        string header = HttpContext.Current.Request.Headers["Authorization"];

        if (header != null && header.StartsWith("Basic"))  //if has header
        {
            string encodedUserPass = header.Substring(6).Trim();  //remove the "Basic"
            Encoding encoding = Encoding.GetEncoding("iso-8859-1");
            string userPass = encoding.GetString(Convert.FromBase64String(encodedUserPass));
            string[] credentials = userPass.Split(':');
            string username = credentials[0];
            string password = credentials[1];

            if(!MyUserValidator.Validate(username, password))
            {
                HttpContext.Current.Response.StatusCode = 401;
                HttpContext.Current.Response.End();
            }
        }
        else
        {
            //send request header for the 1st round
            HttpContext context = HttpContext.Current;
            context.Response.StatusCode = 401;
            context.Response.AddHeader("WWW-Authenticate", String.Format("Basic realm=\"{0}\"", string.Empty));
        }
    }

    void IHttpModule.Dispose()
    {
    }
}

在web.config文件中,我使用了以下内容:

<?xml version="1.0"?>
<configuration>
    <appSettings/>
    <connectionStrings/>
    <system.web>
        <customErrors mode="Off" />
        <compilation debug="true" targetFramework="4.0"/>
        <authentication mode="None"/>
    </system.web>
    <system.webServer>
        <modules runAllManagedModulesForAllRequests="true">
            <add name="BasicAuthHttpModule"
                 type="AuthService.BasicAuthHttpModule, AuthService" />
        </modules>
    </system.webServer>
</configuration>

调用代码为:

static void Main(string[] args)
{
    var proxy = new Service1.Service1()
                    {
                        Credentials = new NetworkCredential("user1", "p@ssw0rd"),
                        PreAuthenticate = true
                    };
    try
    {
        var result = proxy.HelloWorld();
        Console.WriteLine(result);
    }
    catch (Exception e)
    {
        Console.WriteLine(e.Message);
    }
    Console.ReadKey();
}

当我使用这个 web service 时,服务要求基本身份验证,但是在 OnAuthenticateRequest 方法中的 header 变量总是为空,MyUserValidator.Validate() 从未运行。

编辑

fiddler 结果:

POST http://www.mywebsite.com/Service1.asmx HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.4927)
VsDebuggerCausalityData: uIDPo+drc57U77xGu/ZaOdYvw6IAAAAA8AjKQNpkV06FEWDEs2Oja2C+h3kM7dlDvnFfE1VlIIIACQAA
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://www.mywebsite.com/HelloWorld"
Host: www.mywebsite.com
Content-Length: 291
Expect: 100-continue
Connection: Keep-Alive

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 

xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><HelloWorld xmlns="http://www.mywebsite.com/" /></soap:Body></soap:Envelope>
HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
WWW-Authenticate: Basic realm=""
X-AspNet-Version: 4.0.30319
WWW-Authenticate: Basic realm="www.mywebsite.com"
X-Powered-By: ASP.NET
Date: Sun, 03 Jun 2012 07:14:40 GMT
Content-Length: 1293
------------------------------------------------------------------

POST http://www.mywebsite.com/Service1.asmx HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.4927)
VsDebuggerCausalityData: uIDPo+drc57U77xGu/ZaOdYvw6IAAAAA8AjKQNpkV06FEWDEs2Oja2C+h3kM7dlDvnFfE1VlIIIACQAA
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://www.mywebsite.com/HelloWorld"
Authorization: Basic dXNlcjE6cEBzc3cwcmQ=
Host: www.mywebsite.com
Content-Length: 291
Expect: 100-continue

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 

xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><HelloWorld xmlns="http://www.mywebsite.com/" /></soap:Body></soap:Envelope>
HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/7.5
WWW-Authenticate: Basic realm="www.mywebsite.com"
X-Powered-By: ASP.NET
Date: Sun, 03 Jun 2012 07:14:41 GMT
Content-Length: 1293
------------------------------------------------------------------
你确定它从未运行过吗?你是否设置了断点来确认这一点? - Preet Sangha
是的,我确定。始终会运行 else 块。 - Majid Shamkhani
还要看一下你的Service1类实际上在做什么。并使用像Fiddler这样的工具查看正在传输的内容。 - Preet Sangha
我还把Fiddler的结果添加到了问题中。 - Majid Shamkhani
客户端消息怎么样?您需要按照以下方式进行调试。1. 确定客户端是否发送凭据。2. 确定服务器是否接收到它们。3. 如果这些都正确,那么您需要调试您的代码和IIS服务器,以查看HTTP请求发生了什么。您需要首先建立所有基础知识。 - Preet Sangha
2个回答
19

将您的自定义HttpModule代码更改为以下内容:

public class BasicAuthHttpModule : IHttpModule
{
    public void Dispose()
    {
    }

    public void Init(HttpApplication application)
    {
        application.AuthenticateRequest += new 
            EventHandler(this.OnAuthenticateRequest);
        application.EndRequest += new 
            EventHandler(this.OnEndRequest);
    }

    public void OnAuthenticateRequest(object source, EventArgs
                        eventArgs)
    {
        HttpApplication app = (HttpApplication)source;

        string authHeader = app.Request.Headers["Authorization"];
        if (!string.IsNullOrEmpty(authHeader))
        {
            string authStr = app.Request.Headers["Authorization"];

            if (authStr == null || authStr.Length == 0)
            {
                return;
            }

            authStr = authStr.Trim();
            if (authStr.IndexOf("Basic", 0) != 0)
            {
                return;
            }

            authStr = authStr.Trim();

            string encodedCredentials = authStr.Substring(6);

            byte[] decodedBytes =
            Convert.FromBase64String(encodedCredentials);
            string s = new ASCIIEncoding().GetString(decodedBytes);

            string[] userPass = s.Split(new char[] { ':' });
            string username = userPass[0];
            string password = userPass[1];

            if (!MyUserValidator.Validate(username, password))
            {
                DenyAccess(app);
                return;
            }
        }
        else
        {
            app.Response.StatusCode = 401;
            app.Response.End();
        }
    }
    public void OnEndRequest(object source, EventArgs eventArgs)
    {
        if (HttpContext.Current.Response.StatusCode == 401)
        {
            HttpContext context = HttpContext.Current;
            context.Response.StatusCode = 401;
            context.Response.AddHeader("WWW-Authenticate", "Basic Realm");
        }
    }

    private void DenyAccess(HttpApplication app)
    {
        app.Response.StatusCode = 401;
        app.Response.StatusDescription = "Access Denied";
        app.Response.Write("401 Access Denied");
        app.CompleteRequest();
    }
}

然后在IIS中为您的网站启用匿名身份验证并禁用基本摘要Windows身份验证。

注意:此实现同样适用于WCF。

在我的情况下,我还必须禁用匿名身份验证。 <security> <authentication> <digestAuthentication enabled="false"/> <windowsAuthentication enabled="false" /> <basicAuthentication enabled="false"/> <anonymousAuthentication enabled="false" /> ... - Evilripper
对我来说,它只能在使用“集成应用程序池模式”的应用程序池中工作 - 在经典模式下无法工作。但我无法准确解释为什么会这样... - Lopo
对我来说起作用了... 我必须编辑 web.config 部分。将类型更改为 type ="BasicAuthHttpModule",而不是 type="AuthService.BasicAuthHttpModule, AuthService"。 确保我添加的类 BasicAuthHttpModule 不包含命名空间。 - Craig Nicholson
太棒了,这个解决方案真是太好了,谢谢! - Gxzzin
太棒了,真是个好办法,谢谢你! - undefined
1

看起来你需要手动发送头信息第一次:

来自Rick Strahl's Blog

    string url = "http://rasnote/wconnect/admin/wc.wc?_maintain~ShowStatus";
    HttpWebRequest req = HttpWebRequest.Create(url) as HttpWebRequest;

    string user = "ricks";
    string pwd = "secret";
    string domain = "www.west-wind.com";

    string auth = "Basic " + Convert.ToBase64String(System.Text.Encoding.Default.GetBytes(user + ":" + pwd));
    req.PreAuthenticate = true;
    req.Headers.Add("Authorization", auth);
    req.UserAgent = ": Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 4.0.20506)";
    WebResponse resp = req.GetResponse();
    resp.Close();
我使用这段代码,但在 WebResponse resp = req.GetResponse(); 上也出现了身份验证错误。 - Majid Shamkhani
你有跟进关于预认证的文章吗? - Preet Sangha
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接