ASP.NET Core 實現基本認證
HTTP基本認證
在HTTP中,HTTP基本認證(Basic Authentication)是一種用來容許網頁瀏覽器或其餘客戶端程序在請求資源時提供用戶名和口令形式的身份憑證的一種登陸驗證方式,不要求cookie,session identifier、login page等標記或載體。 編程
- 全部瀏覽器據支持HTTP基本認證方式瀏覽器
- 基自己證原理不保證傳輸憑證的安全性,他們僅僅只是被based64編碼,並無encrypted或者hashed,通常部署在客戶端和服務端相互信任的網絡,在公開網絡中部署BA認證一般要與https結合使用安全
https://en.wikipedia.org/wiki/Basic_access_authentication服務器
BA標準協議
BA認證協議的實施主要依靠約定的請求頭/響應頭, 典型的瀏覽器和服務器的BA認證流程:cookie
① 瀏覽器請求須要Basic authentication的網站,服務端響應一個401認證失敗響應碼,並寫入一個WWW-Authenticate響應頭網絡
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="our site" # WWW-Authenticate響應頭包含一個realm域屬性,指明HTTP基本認證的是這個資源集
② 大多數Web客戶端經過請求用戶的用戶ID和密碼來處理此響應session
③ 瀏覽器得到輸入的用戶名/口令,它將使用Authorization標頭從新發送原始請求。app
Authorization: Basic userid:password
或者,客戶端能夠在發出原始請求時發送Authorization標頭,服務器能夠接受此標頭,從而避免了質詢和響應過程。async
因此在HTTP基本認證中,瀏覽器要額外作兩個事情(如上圖紅框部分):ide
- 識別WWW-Authenticate響應頭,彈出口令質詢窗體
- 向特定的realm域發起帶Authorization請求頭的新請求, 將用戶名/口令 以冒號分隔以後使用based64編碼。
BA編程實踐
項目中利用StaticFileMiddleware+DirectoryBrowserMiddleware完成一個網頁文件服務器, 現對該文件服務器設置 HTTP基本認證。
ASP.NET Core服務端實現BA認證:
① 實現服務端基本認證的認證過程、質詢過程
② 實現基自己份認證交互中間件 BasicAuthenticationMiddleware
③ ASPNetCore 添加以上認證計劃 , 待認證資源啓用以上中間件
using System; using System.Net.Http.Headers; using System.Security.Claims; using System.Text; using System.Text.Encodings.Web; using System.Threading.Tasks; using Microsoft.AspNetCore.Authentication; using Microsoft.Extensions.Logging; using Microsoft.Extensions.Options; namespace EqidManager.Services { public static class BasicAuthenticationScheme { public const string DefaultScheme = "Basic"; } public class BasicAuthenticationOption:AuthenticationSchemeOptions { public string Realm { get; set; } public string UserName { get; set; } public string UserPwd { get; set; } } public class BasicAuthenticationHandler : AuthenticationHandler<BasicAuthenticationOption> { private readonly BasicAuthenticationOption authOptions; public BasicAuthenticationHandler( IOptionsMonitor<BasicAuthenticationOption> options, ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock) : base(options, logger, encoder, clock) { authOptions = options.CurrentValue; } /// <summary> /// 認證 /// </summary> /// <returns></returns> protected override async Task<AuthenticateResult> HandleAuthenticateAsync() { if (!Request.Headers.ContainsKey("Authorization")) return AuthenticateResult.Fail("Missing Authorization Header"); string username, password; try { var authHeader = AuthenticationHeaderValue.Parse(Request.Headers["Authorization"]); var credentialBytes = Convert.FromBase64String(authHeader.Parameter); var credentials = Encoding.UTF8.GetString(credentialBytes).Split(':'); username = credentials[0]; password = credentials[1]; var isValidUser= IsAuthorized(username,password); if(isValidUser== false) { return AuthenticateResult.Fail("Invalid username or password"); } } catch { return AuthenticateResult.Fail("Invalid Authorization Header"); } var claims = new[] { new Claim(ClaimTypes.NameIdentifier,username), new Claim(ClaimTypes.Name,username), }; var identity = new ClaimsIdentity(claims, Scheme.Name); var principal = new ClaimsPrincipal(identity); var ticket = new AuthenticationTicket(principal, Scheme.Name); return await Task.FromResult(AuthenticateResult.Success(ticket)); } /// <summary> /// 質詢 /// </summary> /// <param name="properties"></param> /// <returns></returns> protected override async Task HandleChallengeAsync(AuthenticationProperties properties) { Response.Headers["WWW-Authenticate"] = $"Basic realm=\"{Options.Realm}\""; await base.HandleChallengeAsync(properties); } /// <summary> /// 認證失敗 /// </summary> /// <param name="properties"></param> /// <returns></returns> protected override async Task HandleForbiddenAsync(AuthenticationProperties properties) { await base.HandleForbiddenAsync(properties); } private bool IsAuthorized(string username, string password) { return username.Equals(authOptions.UserName, StringComparison.InvariantCultureIgnoreCase) && password.Equals(authOptions.UserPwd); } } }
// HTTP基本認證Middleware
public static class BasicAuthentication { public static void UseBasicAuthentication(this IApplicationBuilder app) { app.UseMiddleware<BasicAuthenticationMiddleware>(); } } public class BasicAuthenticationMiddleware { private readonly RequestDelegate _next; private readonly ILogger _logger; public BasicAuthenticationMiddleware(RequestDelegate next, ILoggerFactory LoggerFactory) { _next = next;
_logger = LoggerFactory.CreateLogger<BasicAuthenticationMiddleware>(); } public async Task Invoke(HttpContext httpContext, IAuthenticationService authenticationService) { var authenticated = await authenticationService.AuthenticateAsync(httpContext, BasicAuthenticationScheme.DefaultScheme); _logger.LogInformation("Access Status:" + authenticated.Succeeded); if (!authenticated.Succeeded) { await authenticationService.ChallengeAsync(httpContext, BasicAuthenticationScheme.DefaultScheme, new AuthenticationProperties { }); return; } await _next(httpContext); } }
Startup.cs 文件添加並啓用HTTP基本認證
services.AddAuthentication(BasicAuthenticationScheme.DefaultScheme)
.AddScheme<BasicAuthenticationOption, BasicAuthenticationHandler>(BasicAuthenticationScheme.DefaultScheme,null);
app.UseWhen( predicate:x => x.Request.Path.StartsWithSegments(new PathString(_protectedResourceOption.Path)), configuration:appBuilder => { appBuilder.UseBasicAuthentication(); } );
以上BA認證的服務端已經完成,如今能夠在瀏覽器測試:
進一步思考?
使用程序實現BA協議中瀏覽器的行爲: 直接向realm發起攜帶 Authentication請求頭的請求,要的同窗能夠直接拿去
/// <summary> /// BA認證請求Handler /// </summary> public class BasicAuthenticationClientHandler : HttpClientHandler { public static string BAHeaderNames = "authorization"; private RemoteBasicAuth _remoteAccount; public BasicAuthenticationClientHandler(RemoteBasicAuth remoteAccount) { _remoteAccount = remoteAccount; AllowAutoRedirect = false; UseCookies = true; } protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) { var authorization = $"{_remoteAccount.UserName}:{_remoteAccount.Password}"; var authorizationBased64 = "Basic " + Convert.ToBase64String(new ASCIIEncoding().GetBytes(authorization)); request.Headers.Remove(BAHeaderNames); request.Headers.Add(BAHeaderNames, authorizationBased64); return base.SendAsync(request, cancellationToken); } } // 生成basic Authentication請求 services.AddHttpClient("eqid-ba-request", x => x.BaseAddress = new Uri(_proxyOption.Scheme +"://"+ _proxyOption.Host+":"+_proxyOption.Port ) ) .ConfigurePrimaryHttpMessageHandler(y => new BasicAuthenticationClientHandler(_remoteAccount){} ) .SetHandlerLifetime(TimeSpan.FromMinutes(2));
That's All . BA認證是隨處可見的基礎認證協議,本文期待以最清晰的方式幫助你理解協議:
實現了基本認證協議服務端;
編程實現瀏覽器在BA協議中的行爲
做者:
JulianHuang
感謝您的認真閱讀,若有問題請大膽斧正;以爲有用,請下方
或加關注。本文歡迎轉載,但請保留此段聲明,且在文章頁面明顯位置註明本文的
做者及原文連接。
或加關注。本文歡迎轉載,但請保留此段聲明,且在文章頁面明顯位置註明本文的
做者及原文連接。
相關文章
- 1. ASP.NET Core編程實現基本身份認證
- 2. ASP.NET Core WebApi基於Redis實現Token接口安全認證
- 3. ASP.NET Core WebAPI基於IdentityServer4實現Token令牌身份認證
- 4. Asp.net Core認證和受權:Cookie認證
- 5. .net core下用HttpClient和asp.net core實現https的雙向認證
- 6. ASP.NET Core 基於JWT的認證(一)
- 7. ASP.NET Core 基於JWT的認證(二)
- 8. 理解 ASP.NET Core: 認證
- 9. ASP.NET Core Identity 實戰(3)認證過程
- 10. HTTP認證之基本認證——Basic(二)
- 更多相關文章...
- • Lua 基本語法 - Lua 教程
- • C# 基本語法 - C#教程
- • ☆基於Java Instrument的Agent實現
- • Kotlin學習(二)基本類型
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. ASP.NET Core編程實現基本身份認證
- 2. ASP.NET Core WebApi基於Redis實現Token接口安全認證
- 3. ASP.NET Core WebAPI基於IdentityServer4實現Token令牌身份認證
- 4. Asp.net Core認證和受權:Cookie認證
- 5. .net core下用HttpClient和asp.net core實現https的雙向認證
- 6. ASP.NET Core 基於JWT的認證(一)
- 7. ASP.NET Core 基於JWT的認證(二)
- 8. 理解 ASP.NET Core: 認證
- 9. ASP.NET Core Identity 實戰(3)認證過程
- 10. HTTP認證之基本認證——Basic(二)