Bearer Authentication with ASP.NET Core RC2 404 instead of 403

随声附和 提交于 2019-12-12 04:30:28

问题


I am trying to use Bearer Authentication with ASP.NET Core RC2. It works when the user is authenticated and has the role, but when the user is not authorized (authenticated but doesn't have the role) I get a 404 error instead of the expected 403.

Startup.cs

    /// <summary>
    /// Registers the CORS policy, ASP.NET Identity, authorization and MVC services.
    /// </summary>
    /// <param name="services">Service collection the registrations are added to.</param>
    public void ConfigureServices(IServiceCollection services)
    {
        // NOTE(review): the named policy pairs the wildcard origin "*" with AllowCredentials().
        // Browsers refuse a literal wildcard on credentialed requests, and a server that works
        // around this by echoing the caller's Origin grants every site credentialed access.
        // Prefer an explicit list of trusted origins whenever credentials are allowed.
        // This named policy is not referenced by the UseCors call in Configure, which builds
        // its own inline policy.
        services.AddCors(corsOptions =>
            corsOptions.AddPolicy(
                "CorsPolicy",
                policyBuilder => policyBuilder
                    .WithOrigins("*")
                    .AllowAnyHeader()
                    .AllowAnyMethod()
                    .AllowCredentials()));

        services.AddIdentity<AppUser, AppRole>()
            .AddEntityFrameworkStores<AppIdentityDbContext, int>();

        services.AddAuthorization();

        services.AddMvc(mvcOptions =>
        {
            // Global MVC filter: require an authenticated user, evaluated against the
            // JWT bearer scheme only.
            mvcOptions.Filters.Add(new AuthorizeFilter(
                new AuthorizationPolicyBuilder()
                    .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
                    .RequireAuthenticatedUser()
                    .Build()));
        }).AddJsonOptions(jsonOptions =>
        {
            // Emit camelCase property names in JSON responses.
            jsonOptions.SerializerSettings.ContractResolver = new CamelCasePropertyNamesContractResolver();
        });
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    // Middleware is registered in this order: static files, JWT bearer authentication, CORS,
    // Identity, then MVC routing. The order is significant and is what the question is about.
    public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
    {
        loggerFactory.AddConsole(Configuration.GetSection("Logging"));
        loggerFactory.AddDebug();

        // Detailed exception and database error pages are limited to the development environment;
        // every other environment goes to the generic error route.
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
            app.UseDatabaseErrorPage();
            app.UseBrowserLink();
        }
        else
        {
            app.UseExceptionHandler("/home/error");
        }

        app.UseStaticFiles();


        // NOTE(review): GetSigningKey() derives the key from a string literal in this file,
        // so the token signing secret ships with the source and the compiled assembly.
        var signingKey = GetSigningKey();

        app.UseJwtBearerAuthentication(new JwtBearerOptions()
        {
            AuthenticationScheme = JwtBearerDefaults.AuthenticationScheme,
            // The middleware authenticates every request and answers challenges on its own.
            AutomaticAuthenticate = true,
            AutomaticChallenge = true,
            TokenValidationParameters = new TokenValidationParameters()
            {
                IssuerSigningKey = signingKey,
                ValidateIssuerSigningKey = true,
                ValidateLifetime = true,
                // NOTE(review): ValidateIssuer / ValidateAudience are not set explicitly here.
                // They are expected to default to true so that the two values below are
                // enforced; confirm for the library version in use.
                ValidAudience = "MyAudience",
                ValidIssuer = "MyIssuer"
            }
        });

        // NOTE(review): this inline policy allows any origin, header and method together with
        // credentials. The first answer on this page says UseIdentity() below adds cookie
        // authentication; if so, this policy also covers cookie-authenticated sessions.
        // Restrict it to known origins, or drop AllowCredentials() if clients only send bearer
        // tokens in the Authorization header.
        // The "CorsPolicy" policy registered in ConfigureServices is not referenced here.
        app.UseCors(config =>
        {
            config.AllowCredentials();
            config.AllowAnyOrigin();
            config.AllowAnyHeader();
            config.AllowAnyMethod();
        });

        // Registered after the JWT bearer middleware. The first answer on this page attributes
        // the 404 to the cookie authentication this call adds: it redirects to a login path
        // for which the application has no route.
        app.UseIdentity();

        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}");
        });
    }

    /// <summary>
    /// Builds the symmetric key used for JWT signature validation from a passphrase
    /// embedded in this source file.
    /// </summary>
    /// <remarks>
    /// NOTE(review): the key material is a string literal, so anyone with access to the
    /// source or the compiled assembly holds the signing secret. Outside a demo, load
    /// high-entropy key bytes from configuration or a secret store and keep them out of
    /// version control.
    /// </remarks>
    /// <returns>A <see cref="SymmetricSecurityKey"/> over the UTF-8 bytes of the passphrase.</returns>
    public static SecurityKey GetSigningKey()
    {
        byte[] keyBytes = Encoding.UTF8.GetBytes("This is my shared, not so secret, secret!");
        return new SymmetricSecurityKey(keyBytes);
    }

回答1:


Using app.UseIdentity() will add CookieAuthentication to your application and hence all unauthenticated requests will redirect to /Account/Login.

You probably haven't added a route that handles this path, so the redirect ends in a 404.

Source: https://github.com/aspnet/Identity/blob/dev/src/Microsoft.AspNetCore.Identity/BuilderExtensions.cs




回答2:


Please check the position of app.UseIdentity() and of the MVC routing call app.UseMvc(). The authentication code should come below app.UseIdentity() and above the MVC routing, like this: app.UseApplicationInsightsExceptionTelemetry();

        // Ordering proposed by this answer: Identity first, then CORS and Swagger,
        // then the authentication setup (ConfigureAuth), with MVC routing last.
        app.UseStaticFiles();
        app.UseIdentity();


        // Any origin, header and method is accepted; credentials are not enabled in this policy.
        app.UseCors(builder =>
           builder.AllowAnyOrigin()
           .AllowAnyHeader()
           .AllowAnyMethod()
           );



        // NOTE(review): the Swagger middleware is registered unconditionally in this snippet;
        // confirm whether the API description should be reachable outside development.
        app.UseSwagger();
        app.UseSwaggerUi();

        // ConfigureAuth is not shown on this page; per the answer text it holds the
        // authentication setup, presumably the JWT bearer middleware (confirm).
        ConfigureAuth(app);

        // Single conventional route whose template is the literal "index".
        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "index");
        });


来源:https://stackoverflow.com/questions/37355684/bearer-authentication-with-asp-net-core-rc2-404-instead-of-403
