0

如标题所述,我有一个 ASP.NET Core 5 MVC 应用程序,它部署在 Windows 2019 服务器上的 IIS 上。

这些是一些细节

ASP.NET Core version ->
dotnet --version 5.0.301
IIS Version: 10.0.17763.1

的输出dotnet --info

.NET SDK (reflecting any global.json):
Version: 5.0.301
Commit: ef17233f86

当我使用 POST 方法发送 ajax 请求时,它无法通过身份验证,这要求 cookie 中存在一些声明。

请求很简单:

$.ajax({
           url: '@Url.Action("Index", "ControllerTest")',
           type: "POST",
           dataType: "json",
           data: formData,
           success: function (response) {
               if (response.success) {
                   window.location.href = '@Url.Action("Index", "Controller2", new { Area = "MyArea" })?ID=' + response.ID;
               }
               else
                   window.location.href = '@Url.Action("Index", "Controller2", new { Area = "MyArea" })';
           },
           error: function (xhr, textStatus, errorThrown) {
               // Error code
           }
       });

并且控制器上的授权是

[Authorize(Policy = "Require.Ldap.User", AuthenticationSchemes = CookieAuthenticationDefaults.AuthenticationScheme)]

非常奇怪的是:在 localhost 上它可以工作。在我使用 IIS 放置的 Azure VM 上,它可以工作。在装有 IIS 的客户机器上,我收到此错误。

我设置了这样的 cookie 身份验证:

var cookiesConfig = this.Configuration.GetSection("CookiesOptions")
                                      .Get<CookiesOptions>();

services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
         .AddCookie(options =>
                {
                    options.Cookie.Name = cookiesConfig.CookieName;
                    options.LoginPath = cookiesConfig.LoginPath;
                    options.LogoutPath = cookiesConfig.LogoutPath;
                    options.AccessDeniedPath = cookiesConfig.AccessDeniedPath;
                    options.ReturnUrlParameter = cookiesConfig.ReturnUrlParameter;
                    options.ExpireTimeSpan = TimeSpan.FromSeconds(cookiesConfig.TokenExpireInSeconds);
                });
 
    services.AddAuthorization(options =>
            {
                options.AddPolicy("Require.Ldap.User", policy =>
                                  policy.RequireClaim("MYAPP_ENABLED_USER", "true")
                                        .AddAuthenticationSchemes(CookieAuthenticationDefaults.AuthenticationScheme)
                                      );
            });

然后在调用Login(使用[AllowAnonymous])后的控制器上我使用它

var userClaims = new List<Claim>
                        {
                            new Claim(ClaimTypes.Name, user.Username),
                            new Claim(ClaimTypes.WindowsAccountName, userDescription),
                        };

var claimsIdentity = new ClaimsIdentity(userClaims, authService.GetType().Name);

claimsIdentity.AddClaim(new Claim("MYAPP_ENABLED_USER", "true"));

await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(claimsIdentity),
                            new AuthenticationProperties
                            {
                                IsPersistent = model.RememberMe
                            }
                        );

return Redirect(Url.IsLocalUrl(model.ReturnUrl)
                            ? model.ReturnUrl
                            : "/");

在 Chrome 开发者控制台中,我得到了一个常见的

POST MyApplication/Controller/Action 401 (Unauthorized)

没有任何其他细节

我的控制器有这个身份验证

[Authorize(Policy = "Require.Ldap.User", AuthenticationSchemes = CookieAuthenticationDefaults.AuthenticationScheme)]

真正的奥秘在于:

  • 本地主机 Visual Studio 工作
  • 我使用与上面指定的相同版本的 IIS 设置的带有 Windows Server 2019 的 Azure VM 运行良好且完美无缺。
  • 具有 Windows Server 2019 和相同 IIS 版本的客户虚拟机会产生该错误。

我还添加了一些登录到事件查看器,方法是将其放入appsettings.json

{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    },
    //This sets our debug level in event view
    "EventLog": {
      "LogLevel": {
        "Default": "Information"
      }
    }
  },

这就是客户服务器上的事件查看器中出现的内容:

##################################### 类别:Microsoft.AspNetCore.Hosting.Diagnostics EventId:1 SpanId:ab3998eb3f2a4048 TraceId:180f1ccebad55449a5c211e9dabf3c20 ParentId:0000000000000000 RequestId:800000a7-0001-ff00-b63f-84710c7967bb RequestPath:/MyApplication/Home/Login

请求开始 HTTP/1.1 POST http://CustomerVirtualMachineHost/MyApplication/Home/Login application/json;+charset=UTF-8 59

##################################### 类别:Microsoft.AspNetCore.HttpsPolicy.HstsMiddleware EventId:1 SpanId:ab3998eb3f2a4048 TraceId:180f1ccebad55449a5c211e9dabf3c20 ParentId:0000000000000000 RequestId:800000a7-0001-ff00-b63f-84710c7967bb RequestPath:/MyApplication/Home/Login

请求不安全。跳过 HSTS 标头。

#################################### 类别:Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware EventId:1 SpanId:ab3998eb3f2a4048 TraceId:180f1ccebad55449a5c211e9dabf3c20 ParentId:0000000000000000 RequestId:800000a7-0001-ff00-b63f-84710c7967bb RequestPath:/MyApplication/Home/Login

不支持 POST 请求##################################### 类别:Microsoft.AspNetCore.Routing .Matching.DfaMatcher EventId: 1001 SpanId: ab3998eb3f2a4048 TraceId: 180f1ccebad55449a5c211e9dabf3c20 ParentId: 0000000000000000 RequestId: 800000a7-0001-ff00-b63f-84710/c796 RequestbbPath: /MyApplication

为请求路径“/MyApplication/Home/Login”找到 1 个候选人

##################################### 类别:Microsoft.AspNetCore.Routing.Matching.DfaMatcher EventId : 1005 SpanId: ab3998eb3f2a4048 TraceId: 180f1ccebad55449a5c211e9dabf3c20 ParentId: 0000000000000000 RequestId: 800000a7-0001-ff00-b63f-84710c7967bb RequestPath: /MyApplication/Home/Login

路由模式为“MyApplication/{controller=Home}/{action=Index}/{id?}”的端点“MYAPPLICATION.Areas.MyApplication.Controllers.HomeController.Login (MYAPPLICATION)”对请求路径“/MyApplication/”有效主页/登录

#################################### 类别:Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware EventId:1 SpanId:ab3998eb3f2a4048 TraceId:180f1ccebad55449a5c211e9dabf3c20 ParentId:0000000000000000 RequestId:800000a7-0001-ff00-b63f-84710c7967bb RequestPath:/MyApplication/Home/Login

请求匹配的端点“MYAPPLICATION.Areas.MyApplication.Controllers.HomeController.Login (MYAPPLICATION)”

##################################### 类别:Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler EventId :7 SpanId:ab3998eb3f2a4048 TraceId:180f1ccebad55449a5c211e9dabf3c20 ParentId:0000000000000000 RequestId:800000a7-0001-ff00-b63f-84710c7967bb RequestPath:/MyApplication/Home/Login

Cookie 未通过身份验证。失败信息:票已过期

##################################### 类别:Microsoft.AspNetCore.Authorization.DefaultAuthorizationService EventId:2 SpanId:ab3998eb3f2a4048 TraceId:180f1ccebad55449a5c211e9dabf3c20 ParentId:0000000000000000 RequestId:800000a7-0001-ff00-b63f-84710c7967bb RequestPath:/MyApplication/Home/Login

授权失败。未满足这些要求: DenyAnonymousAuthorizationRequirement:需要经过身份验证的用户。ClaimsAuthorizationRequirement:Claim.Type=MYAPPLICATION_ENABLED_USER 和 Claim.Value 是以下值之一:(true)

##################################### 类别:Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler EventId :12 SpanId:ab3998eb3f2a4048 TraceId:180f1ccebad55449a5c211e9dabf3c20 ParentId:0000000000000000 RequestId:800000a7-0001-ff00-b63f-84710c7967bb RequestPath:/MyApplication/Home/Login

AuthenticationScheme:Cookie 受到质疑。

##################################### 类别:Microsoft.AspNetCore.Hosting.Diagnostics EventId:2 SpanId:ab3998eb3f2a4048 TraceId:180f1ccebad55449a5c211e9dabf3c20 ParentId:0000000000000000 RequestId:800000a7-0001-ff00-b63f-84710c7967bb RequestPath:/MyApplication/Home/Login

请求完成 HTTP/1.1 POST http://CustomerVirtualMachineHost/MyApplication/Home/Login

应用程序/json;+charset=UTF-8 59 - 401 - - 2.7820ms

会是什么?我该如何解决这个问题?是 IIS 的一些 cookie 设置吗?

我怀疑它可能与某些 IIS cookie 配置或用户浏览器和驻留在不同域上的客户服务器之间的差异有关?

谁能帮我?

4

0 回答 0