
I'm using Microsoft.Owin.Security in my application (ASP.NET MVC v5.2.0 on .NET 4.5), but only the security part of OWIN, nothing else. When a user wants to access a protected URL, locally, the request gets redirected to the login page. But when I publish the app on the server, I get this window instead of being redirected:

[screenshot of the window]

My login and log-off methods are:

public void LogIn(long userId, string username, string email, bool persistent) {
    // Claims carried in the application cookie; NameIdentifier is also the
    // claim the anti-forgery token is bound to (see AntiForgeryConfig below).
    var claims = new List<Claim>{
        new Claim(ClaimTypes.NameIdentifier, userId.ToString(CultureInfo.InvariantCulture)),
        new Claim(ClaimTypes.Name, username),
        new Claim(ClaimTypes.Email, email),
        new Claim(ClaimTypes.IsPersistent, persistent.ToString())
    };
    var id = new ClaimsIdentity(claims, DefaultAuthenticationTypes.ApplicationCookie);
    var ctx = HttpContext.Current.Request.GetOwinContext();
    var authenticationManager = ctx.Authentication;
    // Drop any external-login cookie before issuing the application cookie.
    authenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);
    authenticationManager.SignIn(new AuthenticationProperties {
        IsPersistent = persistent
    }, id);
}

public void LogOut() {
    var ctx = HttpContext.Current.Request.GetOwinContext();
    var authenticationManager = ctx.Authentication;
    // No authentication type given: signs out of every registered scheme.
    authenticationManager.SignOut();
}

And here is my startup:

public partial class Startup {
    public void ConfigureAuth(IAppBuilder app) {
        app.UseCookieAuthentication(new CookieAuthenticationOptions {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/account/log-in/"),
            // Active mode: a 401 produced by [Authorize] is converted by the
            // middleware into a 302 to LoginPath.
            AuthenticationMode = AuthenticationMode.Active,
            CookieHttpOnly = true,
            CookieName = ".some-cookie-name",
            ExpireTimeSpan = TimeSpan.FromDays(1),
            LogoutPath = new PathString("/account/log-out/"),
            SlidingExpiration = true,
            ReturnUrlParameter = "continue"
        });
    }
}

I also have this line in the Application_Start method of global.asax:

AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier;

And this configuration in web.config:

<system.web>
  <authentication mode="None" />
  <httpModules>
    <remove name="FormsAuthenticationModule" />
    <remove name="RoleManager" />
  </httpModules>
</system.web>
<system.webServer>
  <validation validateIntegratedModeConfiguration="false" />
  <modules runAllManagedModulesForAllRequests="false">
    <remove name="FormsAuthenticationModule" />
    <remove name="RoleManager" />
  </modules>
</system.webServer>

Finally, I'm running the application on a Windows 2008 R2 machine with IIS 7.5. Do you have any idea what I should do to make OWIN work correctly on my server, just like it does locally?

UPDATE: To be clear:

Assume I have these actions:

[AllowAnonymous]
public ActionResult AnonymousAction() { }

[Authorize]
public ActionResult UsersAction() { }

One is for anonymous users and the other for logged-in users (both decorated with the attributes shown). Anonymous users can access AnonymousAction without any error or misbehavior. But when they (I mean anonymous users) want to access UsersAction, instead of being redirected to the login page, they see the window I mentioned above.


3 Answers


As Erik said, your IIS settings are incorrect; most likely the authentication is misconfigured.

Go to IIS, select your site and open the Authentication section. It should look like this: Anonymous Authentication = Enabled

Make sure Anonymous Authentication is enabled and everything else is disabled.

answered 2014-12-22T00:46:20.597
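To make the check this answer describes scriptable instead of a walk through IIS Manager, here is an added example that is not part of the answer or the question: a small console program that reads the effective IIS authentication modules for a site through Microsoft.Web.Administration, the managed API over applicationHost.config, and reports whether Anonymous Authentication is the only one enabled. It assumes it runs elevated on the IIS host, that the project references %windir%\System32\inetsrv\Microsoft.Web.Administration.dll, and the default site name "Default Web Site" is only a placeholder.

```csharp
// Added example, not code from the answer or the question.
// Reads the IIS authentication modules for one site location from
// applicationHost.config via Microsoft.Web.Administration (ships with IIS 7.x).
// Assumptions: run as administrator on the IIS host; the site name given on the
// command line ("Default Web Site" if none) is a placeholder.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Web.Administration;

public static class IisAuthCheck
{
    // Sections under system.webServer/security/authentication. Forms authentication
    // is an ASP.NET (system.web) setting, so it is not in this list.
    private static readonly string[] Modules =
    {
        "anonymousAuthentication",
        "basicAuthentication",
        "digestAuthentication",
        "windowsAuthentication",
        "clientCertificateMappingAuthentication",
        "iisClientCertificateMappingAuthentication",
    };

    // Returns module name -> enabled, read at the given location ("site" or "site/app").
    public static IDictionary<string, bool> Read(string siteLocation)
    {
        var result = new Dictionary<string, bool>();
        using (var manager = new ServerManager())
        {
            Configuration host = manager.GetApplicationHostConfiguration();
            foreach (string module in Modules)
            {
                ConfigurationSection section = host.GetSection(
                    "system.webServer/security/authentication/" + module, siteLocation);
                result[module] = (bool)section["enabled"];
            }
        }
        return result;
    }

    // The state the answer asks for: anonymous on, every other module off.
    public static bool IsAnonymousOnly(IDictionary<string, bool> modules)
    {
        return modules["anonymousAuthentication"]
            && modules.Where(kv => kv.Key != "anonymousAuthentication").All(kv => !kv.Value);
    }

    public static int Main(string[] args)
    {
        string site = args.Length > 0 ? args[0] : "Default Web Site";
        IDictionary<string, bool> modules = Read(site);

        foreach (var kv in modules)
            Console.WriteLine("{0,-45} {1}", kv.Key, kv.Value ? "Enabled" : "Disabled");

        if (IsAnonymousOnly(modules))
        {
            Console.WriteLine("OK: only anonymous authentication is enabled for '{0}'.", site);
            return 0;
        }
        Console.WriteLine("MISMATCH: disable every module except anonymousAuthentication for '{0}'.", site);
        return 1;
    }
}
```

For an application deployed under a site, pass the location as "SiteName/application1". The reason this matters for the symptom in the question: when Windows or Basic authentication is enabled in IIS, IIS itself answers a 401 with a WWW-Authenticate challenge, and that challenge is what makes the browser show a credentials dialog instead of following the cookie middleware's redirect.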

Could it be related to the login page URL in your startup? I noticed this line;

LoginPath = new PathString("/account/log-in/")

always points to the server's root URL. So if you deploy to, say;

http://myserver.com/application1

then the login page will be

http://myserver.com/account/log-in/

but you probably mean

http://myserver.com/application1/account/log-in/

So you may want to try something like;

LoginPath = new PathString("~/account/log-in/")

Note the ~ character. The same goes for the logout URL.

answered 2014-12-22T00:29:00.013

Well, it was really simple. Following @trailmax's answer (thanks to him), I realized I should look at the HTTP status code of the response. It was a 401 - Unauthorized. So I asked myself why that was, until I found this answer. Then the only thing I needed was to create the following attribute:

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]
public class AuthorizeAttribute : System.Web.Mvc.AuthorizeAttribute {
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext) {
        if (filterContext.HttpContext.Request.IsAuthenticated) {
            // Signed in but not allowed: answer 403 instead of the base class's 401.
            filterContext.Result = new HttpStatusCodeResult((int)System.Net.HttpStatusCode.Forbidden);
        } else {
            // Not signed in: keep the 401 so the cookie middleware can redirect to LoginPath.
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}

answered 2014-12-27T10:31:47.013
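The diagnosis in this answer turns on what happens to the 401 that the authorize filter produces: in AuthenticationMode.Active the cookie middleware is the component that is supposed to turn it into a 302 to LoginPath. The following is an added example, not code from the question or any of the answers, showing how to hook that exact step with Katana's CookieAuthenticationProvider.OnApplyRedirect so you can log the status the middleware saw and the URI it redirected to (including the request's PathBase, which also bears on the virtual-directory point raised in the second answer). It keeps the question's cookie settings, adds the CookieSecure flag a deployment over HTTPS should set, and assumes Microsoft.Owin.Security.Cookies 2.1 or later (where OnApplyRedirect exists), DefaultAuthenticationTypes from Microsoft.AspNet.Identity as in the question, and System.Diagnostics.Trace as the log target.

```csharp
// Added example, not code from the question or the answers.
// Keeps the question's cookie options, hooks the 401 -> redirect step so it can be
// logged, and adds the Secure flag. Assumes Microsoft.Owin.Security.Cookies >= 2.1,
// Microsoft.AspNet.Identity for DefaultAuthenticationTypes, and that Trace output
// is collected (listener configuration is not shown).
using System;
using System.Diagnostics;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup {
    public void ConfigureAuth(IAppBuilder app) {
        app.UseCookieAuthentication(new CookieAuthenticationOptions {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            AuthenticationMode = AuthenticationMode.Active,
            LoginPath = new PathString("/account/log-in/"),
            LogoutPath = new PathString("/account/log-out/"),
            ReturnUrlParameter = "continue",
            CookieName = ".some-cookie-name",
            CookieHttpOnly = true,
            // Not in the question's startup: never send the auth cookie over plain HTTP.
            // Always requires the site to be served over HTTPS; use SameAsRequest otherwise.
            CookieSecure = CookieSecureOption.Always,
            ExpireTimeSpan = TimeSpan.FromDays(1),
            SlidingExpiration = true,
            Provider = new CookieAuthenticationProvider {
                // Invoked when the middleware converts a 401 into a redirect to LoginPath.
                // The log line shows (a) that the middleware saw the 401 at all and
                // (b) the exact redirect target, including PathBase for a virtual directory.
                OnApplyRedirect = ctx => {
                    Trace.TraceInformation(
                        "cookie-auth redirect: status={0} pathBase='{1}' path='{2}' -> {3}",
                        ctx.Response.StatusCode, ctx.Request.PathBase, ctx.Request.Path, ctx.RedirectUri);
                    // Re-apply the default behaviour; without this line no redirect is sent.
                    ctx.Response.Redirect(ctx.RedirectUri);
                }
            }
        });
    }
}
```

If an anonymous request to an [Authorize] action produces the credentials window but this log line never appears, the 401 was answered before the cookie middleware got to it, which points back at the IIS-side authentication configuration in the first answer; if the line appears and the redirect target is wrong, the problem is the path, which is the second answer's concern.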