从 ASP.NET Core 1.1 MVC 迁移到 2.0 后,自定义 cookie 身份验证不起作用
Posted
技术标签:
【中文标题】从 ASP.NET Core 1.1 MVC 迁移到 2.0 后,自定义 cookie 身份验证不起作用【英文标题】:Custom cookie authentication not working after migration from ASP.NET Core 1.1 MVC to 2.0 【发布时间】:2018-06-12 21:38:23 【问题描述】:我已将 ASP.NET Core 1.1 MVC 项目迁移到 ASP.NET Core 2.0,现在我注意到对应用程序未授权部分的请求不再导致“401 Unauthorized”响应,而是导致代码异常响应“500 内部服务器错误”。
日志文件的示例摘录(John Smith 无权访问他尝试访问的控制器操作):
2018-01-02 19:58:23 [DBG] Request successfully matched the route with name '"modules"' and template '"m/ModuleName"'.
2018-01-02 19:58:23 [DBG] Executing action "Team.Controllers.ModulesController.Index (Team)"
2018-01-02 19:58:23 [INF] Authorization failed for user: "John Smith".
2018-01-02 19:58:23 [INF] Authorization failed for the request at filter '"Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter"'.
2018-01-02 19:58:23 [INF] Executing ForbidResult with authentication schemes ([]).
2018-01-02 19:58:23 [INF] Executed action "Team.Controllers.ModulesController.Index (Team)" in 146.1146ms
2018-01-02 19:58:23 [DBG] System.InvalidOperationException occurred, checking if Entity Framework recorded this exception as resulting from a failed database operation.
2018-01-02 19:58:23 [DBG] Entity Framework did not record any exceptions due to failed database operations. This means the current exception is not a failed Entity Framework database operation, or the current exception occurred from a DbContext that was not obtained from request services.
2018-01-02 19:58:23 [ERR] An unhandled exception has occurred while executing the request
System.InvalidOperationException: No authenticationScheme was specified, and there was no DefaultForbidScheme found.
at Microsoft.AspNetCore.Authentication.AuthenticationService.<ForbidAsync>d__12.MoveNext()
...
我使用自定义 cookie 身份验证,作为中间件实现。这是我的 Startup.cs(app.UseTeamAuthentication() 是对中间件的调用):
public class Startup
public Startup(IHostingEnvironment env)
var builder = new ConfigurationBuilder()
.SetBasePath(env.ContentRootPath)
.AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
.AddJsonFile($"appsettings.env.EnvironmentName.json", optional: true);
builder.AddEnvironmentVariables();
Configuration = builder.Build();
public IConfigurationRoot Configuration get;
public void ConfigureServices(IServiceCollection services)
services.Configure<MyAppOptions>(Configuration);
services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();
services.AddDbContext<ApplicationDbContext>(options => options
.ConfigureWarnings(warnings => warnings.Throw(CoreEventId.IncludeIgnoredWarning))
.ConfigureWarnings(warnings => warnings.Throw(RelationalEventId.QueryClientEvaluationWarning)));
services.AddAuthorization(options =>
options.AddPolicy(Security.TeamAdmin, policyBuilder => policyBuilder.RequireClaim(ClaimTypes.Role, Security.TeamAdmin));
options.AddPolicy(Security.SuperAdmin, policyBuilder => policyBuilder.RequireClaim(ClaimTypes.Role, Security.SuperAdmin));
);
services.AddDistributedMemoryCache();
services.AddSession(options =>
options.IdleTimeout = System.TimeSpan.FromMinutes(5);
options.Cookie.HttpOnly = true;
);
services.AddMvc()
.AddJsonOptions(options => options.SerializerSettings.ContractResolver = new DefaultContractResolver())
.AddViewLocalization(
LanguageViewLocationExpanderFormat.SubFolder,
options => options.ResourcesPath = "Resources"; )
.AddDataAnnotationsLocalization();
services.Configure<RequestLocalizationOptions>(options =>
options.DefaultRequestCulture = new RequestCulture("en-US");
options.SupportedCultures = TeamConfig.SupportedCultures;
options.SupportedUICultures = TeamConfig.SupportedCultures;
options.RequestCultureProviders.Insert(0, new MyCultureProvider(options.DefaultRequestCulture));
);
services.AddScoped<IViewLists, ViewLists>();
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
loggerFactory.AddConsole(Configuration.GetSection("Logging"));
loggerFactory.AddDebug();
Log.Logger = new LoggerConfiguration()
.MinimumLevel.Debug()
.WriteTo.File("log.txt", outputTemplate: "Timestamp:yyyy-MM-dd HH:mm:ss [Level:u3] MessageNewLineException")
.CreateLogger();
loggerFactory.AddSerilog();
if (env.IsDevelopment())
app.UseDeveloperExceptionPage();
app.UseDatabaseErrorPage();
bool UseHttps = Configuration.GetValue("Https", false);
if (UseHttps)
app.UseRewriter(new RewriteOptions().AddRedirectToHttps());
app.UseStaticFiles();
app.UseTeamDatabaseSelector();
app.UseTeamAuthentication();
var localizationOptions = app.ApplicationServices.GetService<IOptions<RequestLocalizationOptions>>();
app.UseRequestLocalization(localizationOptions.Value);
app.UseSession();
app.UseMvc(routes =>
routes.MapRoute(
name: "modules",
template: "m/ModuleName",
defaults: new controller = "Modules", action = "Index"
);
routes.MapRoute(
name: "actions",
template: "a/action",
defaults: new controller = "Actions"
);
routes.MapRoute(
name: "modules_ex",
template: "mex/action",
defaults: new controller = "ModulesEx"
);
routes.MapRoute(
name: "default",
template: "controller=Home/action=Index/id?");
);
这是中间件:
public class TeamAuthentication
private readonly RequestDelegate next;
private readonly ILogger<TeamAuthentication> logger;
public TeamAuthentication(RequestDelegate _next, ILogger<TeamAuthentication> _logger)
next = _next;
logger = _logger;
public async Task Invoke(HttpContext context, ApplicationDbContext db)
if (TeamConfig.AuthDebug)
logger.LogDebug("Auth-Invoke: " + context.Request.Path);
const string LoginPath = "/Login";
const string LoginPathTimeout = "/Login?timeout";
const string LogoutPath = "/Logout";
bool Login =
(context.Request.Path == LoginPath ||
context.Request.Path == LoginPathTimeout);
bool Logout = (context.Request.Path == LogoutPath);
string TokenContent = context.Request.Cookies["t"];
bool DatabaseSelected = context.Items["ConnectionString"] != null;
bool Authenticated = false;
bool SessionTimeout = false;
// provjera tokena
if (!Login && !Logout && DatabaseSelected && TokenContent != null)
try
var token = await Security.CheckToken(db, logger, TokenContent, context.Response);
if (token.Status == Models.TokenStatus.OK)
Authenticated = true;
context.Items["UserID"] = token.UserID;
List<Claim> userClaims = new List<Claim>();
var person = await db.Person.AsNoTracking()
.Where(x => x.UserID == token.UserID)
.FirstOrDefaultAsync();
if (person != null)
var emp = await db.Employee.AsNoTracking()
.Where(x => x.PersonID == person.ID)
.FirstOrDefaultAsync();
if (emp != null)
context.Items["EmployeeID"] = emp.ID;
string UserName = "";
if (person != null && person.FullName != null)
UserName = person.FullName;
else
var user = await db.User.AsNoTracking()
.Where(x => x.ID == token.UserID)
.Select(x => new x.Login ).FirstOrDefaultAsync();
UserName = user.Login;
context.Items["UserName"] = UserName;
userClaims.Add(new Claim(ClaimTypes.Name, UserName));
if ((token.Roles & (int)Security.TeamRoles.TeamAdmin) == (int)Security.TeamRoles.TeamAdmin)
userClaims.Add(new Claim(ClaimTypes.Role, Security.TeamAdmin));
if ((token.Roles & (int)Security.TeamRoles.SuperAdmin) == (int)Security.TeamRoles.SuperAdmin)
userClaims.Add(new Claim(ClaimTypes.Role, Security.TeamAdmin));
userClaims.Add(new Claim(ClaimTypes.Role, Security.SuperAdmin));
ClaimsPrincipal principal = new ClaimsPrincipal(new ClaimsIdentity(userClaims, "local"));
context.User = principal;
else if (token.Status == Models.TokenStatus.Expired)
SessionTimeout = true;
catch (System.Exception ex)
logger.LogCritical(ex.Message);
if (Login || (Logout && DatabaseSelected) || Authenticated)
await next.Invoke(context);
else
if (Utility.IsAjaxRequest(context.Request))
if (TeamConfig.AuthDebug)
logger.LogDebug("Auth-Invoke => AJAX 401");
context.Response.StatusCode = 401;
context.Response.Headers.Add(SessionTimeout ? "X-Team-Timeout" : "X-Team-Login", "1");
else
string RedirectPath = SessionTimeout ? LoginPathTimeout : LoginPath;
if (TeamConfig.AuthDebug)
logger.LogDebug("Auth-Invoke => " + RedirectPath);
context.Response.Redirect(RedirectPath);
这是相同的中间件,我认为对问题不重要的代码被删除:
public class TeamAuthentication
private readonly RequestDelegate next;
private readonly ILogger<TeamAuthentication> logger;
public async Task Invoke(HttpContext context, ApplicationDbContext db)
// preparatory actions...
var token = await Security.CheckToken(db, logger, TokenContent, context.Response);
if (token.Status == Models.TokenStatus.OK)
List<Claim> userClaims = new List<Claim>();
string UserName = "";
// find out the UserName...
userClaims.Add(new Claim(ClaimTypes.Name, UserName));
if ((token.Roles & (int)Security.TeamRoles.TeamAdmin) == (int)Security.TeamRoles.TeamAdmin)
userClaims.Add(new Claim(ClaimTypes.Role, Security.TeamAdmin));
if ((token.Roles & (int)Security.TeamRoles.SuperAdmin) == (int)Security.TeamRoles.SuperAdmin)
userClaims.Add(new Claim(ClaimTypes.Role, Security.TeamAdmin));
userClaims.Add(new Claim(ClaimTypes.Role, Security.SuperAdmin));
ClaimsPrincipal principal = new ClaimsPrincipal(new ClaimsIdentity(userClaims, "local"));
// ...
这是我授权访问控制器的方式:
namespace Team.Controllers
[Authorize(Policy = Security.TeamAdmin)]
public class ModulesController : Controller
// ...
我尝试通过 Google-ing 研究这个问题,发现类似 https://docs.microsoft.com/en-us/aspnet/core/migration/1x-to-2x/identity-2x 和一些类似的文章,但它们并没有帮助我解决问题。
【问题讨论】:
您的项目是否引用了 Microsoft.AspNetCore.Server.IISIntegration ?从 Nuget 获取 .NET Core 2.0 的最新版本 我需要这个参考做什么?如果缺少依赖,会导致编译错误。 【参考方案1】:恕我直言您可能想要切换到内置的Role base authorization 而不是滚动您自己的custom policy authorization 肯定会出现您没有想到的情况由它处理(避免重新发明*** :)。
对于身份验证,您应该使用
设置 cookie 身份验证方案services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
.AddCookie();
了解它为没有 ASP.Net Identity 的自定义方案提供的设置 here。
至于授权,您在这里混合了身份验证和授权,中间件两者兼而有之,但命名为 UseTeamAuthentication 差异解释为 here,因此这两个东西在 ASP.Net Core 基础架构中是分开的。
您已经完成的授权(自定义)需要通过IAuthorizationRequirement 接口实现要求来完成,您可以在上面的自定义策略链接中阅读如何执行此操作。但我强烈建议您使用内置的角色机制。
干杯:)
【讨论】:
我编写自定义 cookie 身份验证的原因是,无论 Microsoft 对较新版本的 .NET Core 引入何种更改,它都能正常工作。它完全在我的控制之下,我可以解决任何问题并改变它的行为。中间件确实分配了策略,但是当我看到“自动”过滤器作为授权点时,我认为中间件名称仍然足够匹配它的用途。在使用与安全相关的代码之前,我确实阅读了所有链接的文档。但是,我仍然想念为什么在一个版本的 .NET Core 上运行良好的代码在另一个版本上会失败。 很公平 :),但问题是大多数安全架构已从 v1 更改为 v2,而且正如您所见,您的代码确实依赖于底层的 asp.net Core 架构,所以即使您已经与安全性(你没有使用授权和策略)分离,你仍然依赖它并且那里的更改确实会影响你的代码,所以不要指望事情会继续工作。对于您的具体情况,我认为这将引导您朝着正确的方向前进:github.com/aspnet/Security/issues/1219以上是关于从 ASP.NET Core 1.1 MVC 迁移到 2.0 后,自定义 cookie 身份验证不起作用的主要内容,如果未能解决你的问题,请参考以下文章
从 MVC 迁移到 ASP.NET Core 3.1 中的端点路由时,具有角色的 AuthorizeAttribute 不起作用
如何先用asp.net身份框架数据库将asp.net mvc迁移到asp.net core
如何使用 EF Core 代码优先迁移为 ASP.NET Core MVC 配置 N 层架构
使用 System.IdentityModel.Tokens.Jwt 从 1.1 迁移到 2.0 后,JWTAuthentication 在 asp.net core 2.0 中不起作用 - 5.1.