Open-source OWIN authentication support and cross-origin (CORS) support

http://identitymodel.codeplex.com/

https://identityserver.github.io/

Windows Identity Foundation

6.1.7600.16394

Windows Identity Foundation enables .NET developers to externalize identity logic from their application, improving developer productivity, enhancing application security, and enabling interoperable federation. Enjoy greater productivity, applying the same tools and programming model to build on-premises software as well as cloud services. Create more secure applications by reducing custom implementations and using a single simplified identity model based on claims. Enjoy greater flexibility in application deployment through interoperability based on industry standard protocols, allowing applications and identity infrastructure services to communicate via claims.

To install Windows Identity Foundation, run the following command in the Package Manager Console

CORS support in WebAPI, MVC and IIS with Thinktecture.IdentityModel

My second contribution to the Thinktecture.IdentityModel security library is a full-featured CORS implementation. Many other sample implementations only emit the Access-Control-Allow-Origin header, but there's more to it than that. The implementation in Thinktecture.IdentityModel follows the W3C Working Draft of 3 April 2012. There is a rich configuration API to control the various settings involved in CORS: which resource you want to configure, which origins are allowed, which HTTP methods are allowed, which request and/or response headers are allowed, and whether cookies are allowed.

In this first release there is support for WebAPI, ASP.NET MVC and IIS. For WebAPI you configure your settings per controller. For MVC you can configure the settings per controller or for specific controller actions. For IIS you configure the settings per URL. If there’s enough interest, then perhaps in a future version I can add support for WCF REST and WCF Data Services.

I won’t bother explaining CORS since there are already enough posts on it elsewhere. Instead I’ll just show how to get started with the library. First, reference the NuGet package. Next, depending on the type of application (WebAPI, MVC or IIS) you need to configure how you want CORS support. Below shows each of the different environments:

WebAPI

In WebAPI the implementation is a delegating handler. This allows the CORS settings to be global or per-route (per-route support is forthcoming post-RC). For example, to configure it globally, in global.asax's Application_Start you would call out to a configuration class, passing the global HttpConfiguration object (this follows the new style of factoring configuration out into separate classes in the App_Start folder):


protected void Application_Start()
{
   ...
   CorsConfig.RegisterCors(GlobalConfiguration.Configuration);
}

And then in App_Start/CorsConfig.cs:


public class CorsConfig
{
   public static void RegisterCors(HttpConfiguration httpConfig)
   {
      WebApiCorsConfiguration corsConfig = new WebApiCorsConfiguration();

      // this adds the CorsMessageHandler to the HttpConfiguration's
      // MessageHandlers collection
      corsConfig.RegisterGlobal(httpConfig);

      // this allows all CORS requests to the Products controller
      // from the http://foo.com origin.
      corsConfig
         .ForResources("Products")
         .ForOrigins("http://foo.com")
         .AllowAll();
   }
}

In WebAPI resources are identified by the controller name, as in the above example for the "Products" controller.

MVC

In MVC you need to register an HttpModule to enable CORS support, so in web.config:


<system.webServer>
   <modules runAllManagedModulesForAllRequests="true">
      <add name="MvcCorsHttpModule"
         type="Thinktecture.IdentityModel.Http.Cors.Mvc.MvcCorsHttpModule"/>
   </modules>
</system.webServer>

And then again in global.asax you would configure the settings:


protected void Application_Start()
{
   ...
   RegisterCors(MvcCorsConfiguration.Configuration);
}

private void RegisterCors(MvcCorsConfiguration corsConfig)
{
   corsConfig
      .ForResources("Products.GetProducts")
      .ForOrigins("http://foo.com")
      .AllowAll();
}

In MVC resources can be identified either by the controller name alone (the resource name is then just the controller name, e.g. "Products") or by controller and action (as in the sample above, using the "Controller.Action" syntax).

IIS

In IIS you need to register an HttpModule (a different one from the MVC module), so in web.config:


<system.webServer>
   <modules>
      <add name="CorsHttpModule"
         type="Thinktecture.IdentityModel.Http.Cors.IIS.CorsHttpModule"/>
   </modules>
</system.webServer>

And then again in global.asax you would configure the settings:


protected void Application_Start(object sender, EventArgs e)
{
   ...
   ConfigureCors(UrlBasedCorsConfiguration.Configuration);
}

void ConfigureCors(CorsConfiguration corsConfig)
{
   corsConfig
      .ForResources("~/Handler1.ashx")
      .ForOrigins("http://foo.com", "http://bar.com")
      .AllowAll();
}

In IIS resources are identified by the application-relative path (thus the "~/path/resource" syntax).

Other Configuration Options

While the above samples show a minimal amount of code to get CORS enabled and running in your app, these are some of the least restrictive settings. Typically more thought should go into the settings and so there is a rich API for configuring the various CORS settings. Here are some more examples:


public static void ConfigureCors(CorsConfiguration corsConfig)
{
   // this allows http://foo.com to do GET or POST on Values1 controller
   corsConfig
      .ForResources("Values1")
      .ForOrigins("http://foo.com")
      .AllowMethods("GET", "POST");

   // this allows http://foo.com to do GET and POST, pass cookies and
   // read the Foo response header on Values2 controller
   corsConfig
      .ForResources("Values2")
      .ForOrigins("http://foo.com")
      .AllowMethods("GET", "POST")
      .AllowCookies()
      .AllowResponseHeaders("Foo");

   // this allows http://foo.com and http://bar.com to do GET, POST,
   // and PUT and pass the Content-Type header to Values3 controller
   corsConfig
      .ForResources("Values3")
      .ForOrigins("http://foo.com", "http://bar.com")
      .AllowMethods("GET", "POST", "PUT")
      .AllowRequestHeaders("Content-Type");

   // this allows http://foo.com to use any method, pass cookies, and
   // pass the Content-Type, Foo and Authorization headers, and read
   // the Foo response header for Values4 and Values5 controllers
   corsConfig
      .ForResources("Values4", "Values5")
      .ForOrigins("http://foo.com")
      .AllowAllMethods()
      .AllowCookies()
      .AllowRequestHeaders("Content-Type", "Foo", "Authorization")
      .AllowResponseHeaders("Foo");

   // this allows all methods and all request headers (but no cookies)
   // from all origins to Values6 controller
   corsConfig
      .ForResources("Values6")
      .AllowAllOriginsAllMethodsAndAllRequestHeaders();

   // this allows all methods (but no cookies or request headers)
   // from all origins to Values7 controller
   corsConfig
      .ForResources("Values7")
      .AllowAllOriginsAllMethods();

   // this allows all CORS requests from origin http://bar.com
   // for all resources that have not been explicitly configured
   corsConfig
      .ForOrigins("http://bar.com")
      .AllowAll();

   // this allows all CORS requests to all other resources that don't
   // have an explicit configuration. This opens them to all origins, all
   // HTTP methods, all request headers and cookies. This is the API to use
   // to get started, but it's a sledgehammer in the sense that *everything*
   // is wide-open.
   corsConfig.AllowAll();
}

Of course, feedback is welcome. Enjoy.

Edit: Common configuration issues when enabling CORS on IIS.
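The rules in the configuration above only say what is allowed; what a CORS filter does with them is decide, per request, which response headers to emit, and the point made at the top of the post (that there is more to CORS than the Access-Control-Allow-Origin header) is easiest to see in that decision. The following Python model is an added example, not code from Thinktecture.IdentityModel: it encodes the same rule shape (origins, methods, request headers, exposed response headers, cookies) and runs a preflight and an actual request through two constructed rules, one mirroring the Values2 entry above and one mirroring the bare corsConfig.AllowAll() fallback. The simple-header list comes from the 2012 W3C draft the library targets; the class, function and constant names are this example's own and are assumptions, not the library's API.

```python
"""Model of the per-request decision a server-side CORS filter makes.

Added example (constructed): mirrors the rule shape of the configuration
on this page but is not the Thinktecture.IdentityModel implementation.
"""
from dataclasses import dataclass, field
from typing import Optional

# From the 2012 W3C CORS draft: headers a browser may send cross-origin
# without listing them in Access-Control-Request-Headers, so they never
# need explicit allow-listing (Content-Type is only simple for form/text
# values, so it is treated as a non-simple header here).
SIMPLE_HEADERS = {"accept", "accept-language", "content-language"}
ANY = None  # no restriction, the AllowAll*() shape of the page's API


@dataclass
class CorsRule:
    origins: Optional[set] = ANY          # ForOrigins(...); ANY = every origin
    methods: Optional[set] = ANY          # AllowMethods(...); ANY = AllowAllMethods()
    request_headers: Optional[set] = ANY  # AllowRequestHeaders(...)
    response_headers: set = field(default_factory=set)  # AllowResponseHeaders(...)
    allow_cookies: bool = False           # AllowCookies()


def _lower(values):
    return {v.lower() for v in values}


def _origin_headers(rule, origin):
    # "*" is only valid when no credentials are involved; otherwise the
    # exact origin is echoed, and Vary: Origin tells shared caches that
    # the answer is origin-specific.
    if rule.origins is ANY and not rule.allow_cookies:
        return {"Access-Control-Allow-Origin": "*"}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


def _origin_and_method_ok(rule, origin, method):
    if rule.origins is not ANY and origin not in rule.origins:
        return False
    if rule.methods is not ANY and method not in rule.methods:
        return False
    return True


def preflight(rule, origin, request_method, request_headers=()):
    """Response headers for an OPTIONS preflight. {} means deny: the
    browser then blocks the real request before it is ever sent."""
    if not _origin_and_method_ok(rule, origin, request_method):
        return {}
    wanted = _lower(request_headers) - SIMPLE_HEADERS
    if rule.request_headers is not ANY and not wanted <= _lower(rule.request_headers):
        return {}
    resp = _origin_headers(rule, origin)
    resp["Access-Control-Allow-Methods"] = (
        request_method if rule.methods is ANY else ", ".join(sorted(rule.methods)))
    if wanted:
        resp["Access-Control-Allow-Headers"] = ", ".join(sorted(wanted))
    if rule.allow_cookies:
        resp["Access-Control-Allow-Credentials"] = "true"
    return resp


def actual(rule, origin, method):
    """Headers added to the real cross-origin response. Simple requests
    (GET/POST with simple headers) arrive here with no preflight at all,
    so origin and method are checked again rather than trusted."""
    if not _origin_and_method_ok(rule, origin, method):
        return {}
    resp = _origin_headers(rule, origin)
    if rule.allow_cookies:
        resp["Access-Control-Allow-Credentials"] = "true"
    if rule.response_headers:
        resp["Access-Control-Expose-Headers"] = ", ".join(sorted(rule.response_headers))
    return resp


def reflects_any_origin_with_credentials(rule):
    """The sledgehammer shape: any origin plus cookies. Since "*" cannot be
    combined with credentials, honouring this rule means echoing whatever
    Origin arrives, so any site can make authenticated calls to the resource."""
    return rule.origins is ANY and rule.allow_cookies


# Constructed rules mirroring two entries of the configuration on this page.
VALUES2 = CorsRule(origins={"http://foo.com"}, methods={"GET", "POST"},
                   request_headers=set(), response_headers={"Foo"},
                   allow_cookies=True)
SLEDGEHAMMER = CorsRule(allow_cookies=True)  # the bare corsConfig.AllowAll()

if __name__ == "__main__":
    print(preflight(VALUES2, "http://foo.com", "POST", ["Accept"]))
    print(preflight(VALUES2, "http://foo.com", "POST", ["Content-Type"]))  # {} = denied
    print(actual(SLEDGEHAMMER, "http://evil.example", "DELETE"))
    print(reflects_any_origin_with_credentials(SLEDGEHAMMER))
```

Note what the last rule forces: browsers reject Access-Control-Allow-Origin: * combined with credentials, so an engine honouring "any origin plus cookies" has to echo whatever Origin header arrives, which is exactly the wide-open state the comment on corsConfig.AllowAll() warns about. Keep an explicit origin list whenever AllowCookies() is in play, and emit Vary: Origin whenever the origin is echoed so a shared cache does not hand one origin's answer to another.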

Time: 2024-11-10 16:04:34
