ASP.NET Core 实现基本认证
HTTP基本认证
在HTTP中,HTTP基本认证(Basic Authentication)是一种用来容许网页浏览器或其余客户端程序在请求资源时提供用户名和口令形式的身份凭证的一种登陆验证方式,不要求cookie,session identifier、login page等标记或载体。 编程
- 全部浏览器据支持HTTP基本认证方式浏览器
- 基自己证原理不保证传输凭证的安全性,他们仅仅只是被based64编码,并无encrypted或者hashed,通常部署在客户端和服务端相互信任的网络,在公开网络中部署BA认证一般要与https结合使用安全
https://en.wikipedia.org/wiki/Basic_access_authentication服务器
BA标准协议
BA认证协议的实施主要依靠约定的请求头/响应头, 典型的浏览器和服务器的BA认证流程:cookie
① 浏览器请求须要Basic authentication的网站,服务端响应一个401认证失败响应码,并写入一个WWW-Authenticate响应头网络
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="our site" # WWW-Authenticate响应头包含一个realm域属性,指明HTTP基本认证的是这个资源集
② 大多数Web客户端经过请求用户的用户ID和密码来处理此响应session
③ 浏览器得到输入的用户名/口令,它将使用Authorization标头从新发送原始请求。app
Authorization: Basic userid:password
或者,客户端能够在发出原始请求时发送Authorization标头,服务器能够接受此标头,从而避免了质询和响应过程。async
因此在HTTP基本认证中,浏览器要额外作两个事情(如上图红框部分):ide
- 识别WWW-Authenticate响应头,弹出口令质询窗体
- 向特定的realm域发起带Authorization请求头的新请求, 将用户名/口令 以冒号分隔以后使用based64编码。
BA编程实践
项目中利用StaticFileMiddleware+DirectoryBrowserMiddleware完成一个网页文件服务器, 现对该文件服务器设置 HTTP基本认证。
ASP.NET Core服务端实现BA认证:
① 实现服务端基本认证的认证过程、质询过程
② 实现基自己份认证交互中间件 BasicAuthenticationMiddleware
③ ASPNetCore 添加以上认证计划 , 待认证资源启用以上中间件
using System; using System.Net.Http.Headers; using System.Security.Claims; using System.Text; using System.Text.Encodings.Web; using System.Threading.Tasks; using Microsoft.AspNetCore.Authentication; using Microsoft.Extensions.Logging; using Microsoft.Extensions.Options; namespace EqidManager.Services { public static class BasicAuthenticationScheme { public const string DefaultScheme = "Basic"; } public class BasicAuthenticationOption:AuthenticationSchemeOptions { public string Realm { get; set; } public string UserName { get; set; } public string UserPwd { get; set; } } public class BasicAuthenticationHandler : AuthenticationHandler<BasicAuthenticationOption> { private readonly BasicAuthenticationOption authOptions; public BasicAuthenticationHandler( IOptionsMonitor<BasicAuthenticationOption> options, ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock) : base(options, logger, encoder, clock) { authOptions = options.CurrentValue; } /// <summary> /// 认证 /// </summary> /// <returns></returns> protected override async Task<AuthenticateResult> HandleAuthenticateAsync() { if (!Request.Headers.ContainsKey("Authorization")) return AuthenticateResult.Fail("Missing Authorization Header"); string username, password; try { var authHeader = AuthenticationHeaderValue.Parse(Request.Headers["Authorization"]); var credentialBytes = Convert.FromBase64String(authHeader.Parameter); var credentials = Encoding.UTF8.GetString(credentialBytes).Split(':'); username = credentials[0]; password = credentials[1]; var isValidUser= IsAuthorized(username,password); if(isValidUser== false) { return AuthenticateResult.Fail("Invalid username or password"); } } catch { return AuthenticateResult.Fail("Invalid Authorization Header"); } var claims = new[] { new Claim(ClaimTypes.NameIdentifier,username), new Claim(ClaimTypes.Name,username), }; var identity = new ClaimsIdentity(claims, Scheme.Name); var principal = new ClaimsPrincipal(identity); var ticket = new AuthenticationTicket(principal, Scheme.Name); return await Task.FromResult(AuthenticateResult.Success(ticket)); } /// <summary> /// 质询 /// </summary> /// <param name="properties"></param> /// <returns></returns> protected override async Task HandleChallengeAsync(AuthenticationProperties properties) { Response.Headers["WWW-Authenticate"] = $"Basic realm=\"{Options.Realm}\""; await base.HandleChallengeAsync(properties); } /// <summary> /// 认证失败 /// </summary> /// <param name="properties"></param> /// <returns></returns> protected override async Task HandleForbiddenAsync(AuthenticationProperties properties) { await base.HandleForbiddenAsync(properties); } private bool IsAuthorized(string username, string password) { return username.Equals(authOptions.UserName, StringComparison.InvariantCultureIgnoreCase) && password.Equals(authOptions.UserPwd); } } }
// HTTP基本认证Middleware
public static class BasicAuthentication { public static void UseBasicAuthentication(this IApplicationBuilder app) { app.UseMiddleware<BasicAuthenticationMiddleware>(); } } public class BasicAuthenticationMiddleware { private readonly RequestDelegate _next; private readonly ILogger _logger; public BasicAuthenticationMiddleware(RequestDelegate next, ILoggerFactory LoggerFactory) { _next = next;
_logger = LoggerFactory.CreateLogger<BasicAuthenticationMiddleware>(); } public async Task Invoke(HttpContext httpContext, IAuthenticationService authenticationService) { var authenticated = await authenticationService.AuthenticateAsync(httpContext, BasicAuthenticationScheme.DefaultScheme); _logger.LogInformation("Access Status:" + authenticated.Succeeded); if (!authenticated.Succeeded) { await authenticationService.ChallengeAsync(httpContext, BasicAuthenticationScheme.DefaultScheme, new AuthenticationProperties { }); return; } await _next(httpContext); } }
Startup.cs 文件添加并启用HTTP基本认证
services.AddAuthentication(BasicAuthenticationScheme.DefaultScheme)
.AddScheme<BasicAuthenticationOption, BasicAuthenticationHandler>(BasicAuthenticationScheme.DefaultScheme,null);
app.UseWhen( predicate:x => x.Request.Path.StartsWithSegments(new PathString(_protectedResourceOption.Path)), configuration:appBuilder => { appBuilder.UseBasicAuthentication(); } );
以上BA认证的服务端已经完成,如今能够在浏览器测试:
进一步思考?
使用程序实现BA协议中浏览器的行为: 直接向realm发起携带 Authentication请求头的请求,要的同窗能够直接拿去
/// <summary> /// BA认证请求Handler /// </summary> public class BasicAuthenticationClientHandler : HttpClientHandler { public static string BAHeaderNames = "authorization"; private RemoteBasicAuth _remoteAccount; public BasicAuthenticationClientHandler(RemoteBasicAuth remoteAccount) { _remoteAccount = remoteAccount; AllowAutoRedirect = false; UseCookies = true; } protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) { var authorization = $"{_remoteAccount.UserName}:{_remoteAccount.Password}"; var authorizationBased64 = "Basic " + Convert.ToBase64String(new ASCIIEncoding().GetBytes(authorization)); request.Headers.Remove(BAHeaderNames); request.Headers.Add(BAHeaderNames, authorizationBased64); return base.SendAsync(request, cancellationToken); } } // 生成basic Authentication请求 services.AddHttpClient("eqid-ba-request", x => x.BaseAddress = new Uri(_proxyOption.Scheme +"://"+ _proxyOption.Host+":"+_proxyOption.Port ) ) .ConfigurePrimaryHttpMessageHandler(y => new BasicAuthenticationClientHandler(_remoteAccount){} ) .SetHandlerLifetime(TimeSpan.FromMinutes(2));
That's All . BA认证是随处可见的基础认证协议,本文期待以最清晰的方式帮助你理解协议:
实现了基本认证协议服务端;
编程实现浏览器在BA协议中的行为
做者:
JulianHuang
感谢您的认真阅读,若有问题请大胆斧正;以为有用,请下方
或加关注。本文欢迎转载,但请保留此段声明,且在文章页面明显位置注明本文的
做者及原文连接。
或加关注。本文欢迎转载,但请保留此段声明,且在文章页面明显位置注明本文的
做者及原文连接。
相关文章
- 1. ASP.NET Core编程实现基本身份认证
- 2. ASP.NET Core WebApi基于Redis实现Token接口安全认证
- 3. ASP.NET Core WebAPI基于IdentityServer4实现Token令牌身份认证
- 4. Asp.net Core认证和受权:Cookie认证
- 5. .net core下用HttpClient和asp.net core实现https的双向认证
- 6. ASP.NET Core 基于JWT的认证(一)
- 7. ASP.NET Core 基于JWT的认证(二)
- 8. 理解 ASP.NET Core: 认证
- 9. ASP.NET Core Identity 实战(3)认证过程
- 10. HTTP认证之基本认证——Basic(二)
- 更多相关文章...
- • Lua 基本语法 - Lua 教程
- • C# 基本语法 - C#教程
- • ☆基于Java Instrument的Agent实现
- • Kotlin学习(二)基本类型
相关标签/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
欢迎关注本站公众号,获取更多信息
相关文章
- 1. ASP.NET Core编程实现基本身份认证
- 2. ASP.NET Core WebApi基于Redis实现Token接口安全认证
- 3. ASP.NET Core WebAPI基于IdentityServer4实现Token令牌身份认证
- 4. Asp.net Core认证和受权:Cookie认证
- 5. .net core下用HttpClient和asp.net core实现https的双向认证
- 6. ASP.NET Core 基于JWT的认证(一)
- 7. ASP.NET Core 基于JWT的认证(二)
- 8. 理解 ASP.NET Core: 认证
- 9. ASP.NET Core Identity 实战(3)认证过程
- 10. HTTP认证之基本认证——Basic(二)