如何向IIS添加令牌身份验证，以保护文件夹中的文件?

I have a Windows Azure WebAPI application with

我有一个Windows Azure WebAPI应用程序

OWIN
OWIN
Oauth 2
Oauth 2
token authentication
令牌验证
Identity 2 Framework
身份2框架
VS2013 Update 2
VS2013更新2
IIS (I am not sure which version. As I just updated everything in the stack then I assume the latest version)
IIS(我不确定是哪个版本。因为我刚刚更新了堆栈中的所有内容，所以我假设是最新的版本)

Before a user is authenticated when there's a <script> in my index.html file I notice cookies sent to the server looking like this:

当索引中有

Accept-Language: en-US,en;q=0.8
Cookie: .AspNet.Cookies=GWLL4LgeFkn7jDndAwf-Pk_eZAPZ5LYZugSmv- ...

After a user is authenticated I notice the cookies change:

经过用户认证后，我注意到cookie发生了变化:

Accept-Language: en-US,en;q=0.8
Cookie: .AspNet.Cookies=OqLMSpIv2aQ8KUcw3pWdAYtPYUI_tYMl4rEYKe16N ...

I thought I was using token authentication so my first question is "why do the cookies get changed and why are they sent at all"?

我以为我在使用令牌认证，所以我的第一个问题是“为什么要更改cookie，为什么要发送它们?”

Once a user is authenticated then with each $http request to the server I send a header like this:

一旦用户通过了身份验证，那么对于每个$http请求，我就会向服务器发送这样的报头:

Authorization: Bearer abcdefgetc....

My authorization on the server works when I have WebAPI methods decorated like:

当我对WebAPI方法进行修饰时，比如:

[Authorize(Roles = "Admin")]

Here is the main web-config that shows the security settings:

以下是显示安全设置的主要web配置:

<system.web>
    <authentication mode="None" />
    <compilation debug="true" targetFramework="4.5.1" />
    <httpRuntime targetFramework="4.5.1" />
</system.web>
<system.webServer>
    <modules>
      <remove name="FormsAuthenticationModule" />
    </modules>
</system.webServer>

Now I would like to add some security to some static javascript files that I have on the server. I know how I can code it so the files can be retrieved by my client and added to the DOM in two ways. Either way is okay for me to use although I prefer the first way if when I do that way then there can be authentication happen through cookies or otherwise:

现在我想为服务器上的一些静态javascript文件添加一些安全性。我知道如何编写代码，这样文件就可以被我的客户机检索，并以两种方式添加到DOM中。任何一种方式都可以使用，尽管我更喜欢第一种方式，如果我这样做，那么可以通过cookie或其他方式进行身份验证:

With a script tag and a load

带有脚本标记和加载

var el = doc.createElement("script"),
loaded = false;
el.onload = el.onreadystatechange = function () {
  if ((el.readyState && el.readyState !== "complete" && el.readyState !== "loaded") || loaded) {
    return false;
  }
  el.onload = el.onreadystatechange = null;
  loaded = true;
  // done!
};
el.async = true;
el.src = path;
document.getElementsByTagName('head')[0].insertBefore(el, head.firstChild);

With a $http call and then adding it directly to the DOM (I can supply bearer token)

使用$http调用，然后将其直接添加到DOM(我可以提供承载令牌)

$http({
    url: '/Bundles/admin/admin1Bundle.js',
    method: "GET"
})
.success(function (result) {
   var m = document.createElement('script');
   m.appendChild(document.createTextNode(result));
   document.getElementsByTagName('head')[0].appendChild(m);

Once added the javascript becomes available. To add security I created a web.config in the folder to protect these files and allow only users with Admin role to have access:

一旦添加了javascript就变得可用。为了增加安全性，我创建了一个web。在文件夹中配置，以保护这些文件，并只允许具有管理角色的用户访问:

Here is the folders web-config that shows the security settings:

下面是显示安全设置的文件夹web-config:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" roles="Admin" verbs='GET'/>
      </authorization>
    </security>
  </system.webServer>
</configuration>

When a user with the role of Admin tries to access files in the folder with a GET that a has a bearer token they get a message saying:

当一个具有管理员角色的用户试图访问文件夹中的文件时，他们会得到一条消息:

Most likely causes:
•No authentication protocol (including anonymous) is selected in IIS.
•Only integrated authentication is enabled, and a client browser was used that does not support integrated authentication.
•Integrated authentication is enabled and the request was sent through a proxy that changed the authentication headers before they reach the Web server.
•The Web server is not configured for anonymous access and a required authorization header was not received.
•The "configuration/system.webServer/authorization" configuration section may be explicitly denying the user access.

This error occurs when the WWW-Authenticate header sent to the Web server is not supported by the 
server configuration. Check the authentication method for the resource, and verify which authentication 
method the client used. The error occurs when the authentication methods are different. To determine 
which type of authentication the client is using, check the authentication settings for the client.

It seems like my IIS (the version I am using on my development environment when I click Debug > Start Debugging) is using a different kind of authentication from that used by my WebAPI. Can someone explain to me:

看起来我的IIS(我在开发环境中单击Debug >开始调试时使用的版本)使用的是与WebAPI使用的不同的认证。谁能给我解释一下:

Should I be using <system.web> or <system.webServer> for the security?
我应该使用吗?网络>或 <系统。网络服务器安全> 吗?
How can I make the IIS use the same security path as WebAPI is using when I decorate my WebAPI methods? Note that I need a way to do this with web.config as I don't have access to make changes to the IIS directly once the application is published to the cloud.
当我修饰WebAPI方法时，如何使IIS使用与WebAPI相同的安全路径?注意，我需要一种使用web的方法。当应用程序发布到云上时，我无法直接对IIS进行更改。
I am using token authentication so why is the cookie information sent? Could I just use this cookie information to secure my javascript files from getting downloaded?
我正在使用令牌身份验证，那么为什么要发送cookie信息呢?我可以使用这个cookie信息来保护我的javascript文件不被下载吗?

Notes:

注:

Here is the way I have authentication set up in Startup.Auth.cs

这里是我在start . auth.cs中设置身份验证的方式

        // Configure the application for OAuth based flow
        PublicClientId = "self";
        OAuthOptions = new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            Provider = new ApplicationOAuthProvider(PublicClientId),
            AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
            AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
            AllowInsecureHttp = true
        };

        // Enable the application to use bearer tokens to authenticate users
        app.UseOAuthBearerTokens(OAuthOptions);

1 个解决方案

#1

Should I be using or for the security? How can I make the IIS use the same security path as WebAPI is using when I decorate my WebAPI methods? Note that I need a way to do this with web.config as I don't have access to make changes to the IIS directly once the application is published to the cloud.

我应该使用还是用于安全?当我修饰WebAPI方法时，如何使IIS使用与WebAPI相同的安全路径?注意，我需要一种使用web的方法。当应用程序发布到云上时，我无法直接对IIS进行更改。

You could use the authorization attribute in the webconfig to restrict files and folders, the example below restricts restricts a specific js file to admins only.

您可以使用webconfig中的授权属性来限制文件和文件夹，下面的示例仅将特定的js文件限制为管理员。

<location path="resources/scripts/yourtopsecretjsfile.js">
     <system.webServer>
         <security>
             <authorization>
                 <remove users="*" roles="" verbs="" />
                 <add accessType="Allow" roles="Administrators" />
             </authorization>
         </security>
     </system.webServer>
 </location>

I am using token authentication so why is the cookie information sent?

我正在使用令牌身份验证，那么为什么要发送cookie信息呢?

It is used by the server to identify the authenticated user. If you don't want to do without sending the cookie info you can look at doing at sending a signed token with every request instead. Check out this article, loosely covers how to do that (but that with an angular JS/ Web API 2 point of view) http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/

服务器使用它来标识经过身份验证的用户。如果您不想在不发送cookie信息的情况下执行此操作，那么您可以考虑对每个请求发送一个签名令牌。查看这篇文章，大致介绍了如何做到这一点(但是使用一个有棱角的JS/ Web API 2观点)http://bitoftech.net4/06/01/token-base -authentication-asp-net- Web - API -owin- aspase -net-identity/

#1