Keep on getting Unauthorize Web API

≡放荡痞女 提交于 2021-01-29 09:36:21

问题


I have a project, It's a web application that requires Windows Authentication.

I've setup an Active Directory at home using my NAS virtualization. Then I've created a VMWare Server for IIS which is a member of that domain on my desktop which I also use for development. I've created the Web API and installed it into that VMWare server. When I call a routine directly, it works and return results but when I use the Web API routine from my javascript web application I keep on getting 401 error. I then put the code on the IIS server and the web application works.

I've seen a lot of solutions like changing the sequence of the Provider in IIS Authentication. Added Everyone read/write permission on the folders. I've also added entry on the web.config. But none of them work.

*****Update as per request on the comment *****

Below is when I run directly from Web API

Calling the Web API from Javascript

Here's the error I'm getting

Just FYI, I tried running the web api from Visual Studio on the same machine but also with 401 error

Is there anything I could add to AD to make my development machine as trusted?

********************A new issue after the code change **********

****************Another Update****** This is definitely weird, so I installed Fiddler 4 to see what's going on. But still no luck.

Then I made changes on the IIS HTTP Response Header

The weird thing is when I run Fiddler the error is gone but when I close it it comes back.


回答1:


There are two things going on here:

  1. A 401 response is a normal first step to Windows Authentication. The client is then expected to resend the request with credentials. AJAX requests don't do this automatically unless you tell it to.

To tell it to send credentials in a cross-domain request (more on that later), you need to set the withCredentials option when you make the request in JavaScript.

With jQuery, that looks like this:

$.ajax({
   url: url,
   xhrFields: {
      withCredentials: true
   }
}).then(callback);
  1. These problems pop up when the URL in the address bar of the browser is different than the URL of the API you are trying to connect to in the JavaScript. Browsers are very picky about when this is allowed. These are called "cross-domain requests", or "Cross-Origin Resource Sharing" (CORS).

It looks at the protocol, domain name and port. So if the website is http://localhost:8000, and it's making an AJAX request to http://localhost:8001, that is still considered a cross-domain request.

When a cross-domain AJAX request is made, the browser first sends an OPTIONS request to the URL, which contains the URL of the website that's making the request (e.g. http://localhost:8000). The API is expected to return a response with an Access-Control-Allow-Origin header that says whether the website making the request is allowed to.

If you are not planning on sending credentials, then the Access-Control-Allow-Origin header can be *, meaning that the API allows anyone to call it.

However, if you need to send credentials, like you do, you cannot use *. The Access-Control-Allow-Origin header must specifically contain the domain (and port) of your webpage, and the Access-Control-Allow-Credentials must be set to true. For example:

Access-Control-Allow-Origin: http://localhost:8000
Access-Control-Allow-Credentials: true

It's a bit of a pain in the butt, yes. But it's necessary for security.

You can read more about CORS here: Cross-Origin Resource Sharing (CORS)



来源:https://stackoverflow.com/questions/58390738/keep-on-getting-unauthorize-web-api

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!