问题描述
我对OWIN非常陌生:).我正在尝试使用一个具有开放公共区域的页面,该页面将允许通过HTTP进行匿名访问,然后是一个需要身份验证的受限制的部分.我不想强迫整个网站成为普通用户的HTTPS.
I am very new to OWIN :). I am trying to have a page with an open public area which will allow anonymous over HTTP, and then a restricted section which will require authentication. I'd like not to force the entire site to be HTTPS for general users.
我遇到的问题是我收到了以下循环:
The issue I have is that I receive the following loop:
- http://example.com/authenticatedPage -> 302重定向到AD登录
- 登录到AD页面HTTP200.触发打开指向站点的Azure AD链接.
- 到站点的链接标识这是OWIN重定向,并进行302重定向到 http://example.com/authenticatedPage
- 转到1.
- http://example.com/authenticatedPage -> 302 Redirect to AD login
- Login to AD page HTTP 200. Triggers open of the Azure AD link to site.
- Link to site identifies that this is an OWIN redirect and does a 302 redirect to http://example.com/authenticatedPage
- Go to 1.
我尝试了3种在OWIN中拦截重定向的方法,但似乎没有任何效果.
I have tried 3 ways of intercepting the redirect in OWIN but nothing seems to work.
如果我通过浏览到 https://example.com/开始会话,则单击指向authenticatedPage的链接,然后登录即可正常运行.即
If I begin the session by browsing to https://example.com/ then click on the link to authenticatedPage, then the login works as I expect. i.e.
- 加载 https://example.com/authenticatedPage -> 302重定向到AD
- 登录到AD->加载 https://example.com/
- 302重定向到 https://example.com/authenticatedPage
- Load https://example.com/authenticatedPage -> 302 redirect to AD
- Login to AD -> loads https://example.com/
- 302 redirect to https://example.com/authenticatedPage
有没有解决此问题的方法,而无需将我的整个网站标记为需要SSL?
Is there anyway to fix this without marking my whole site as requiring SSL?
推荐答案
假设我没有引入巨大的安全漏洞,那么这确实有效.覆盖authorize属性,并将其应用于您的控制器.如果您尝试从不安全的页面进行授权,它将在尝试身份验证之前先将您重定向到页面的HTTPS://.这意味着从Azure进行的重定向随后将重定向回HTTPS,它的工作原理就像一个超级按钮. Cookies保持安全,每个人都是赢家!
Assuming I haven't introduced a gaping security hole, this actually worked. Override the authorize attribute and apply this to your controller. If you try to authorise from an insecure page, it will redirect you to the HTTPS:// of the page first, prior to attempting authentication. THis means the redirect from Azure will then redirect back to HTTPS and it works like a charm. Cookies stay secure and everyone's a winner!
using System.Web.Mvc;
namespace Spenceee.Attributes
{
public class AuthorizeFromHTTPAttribute : AuthorizeAttribute
{
public override void OnAuthorization(AuthorizationContext filterContext)
{
if (!filterContext.HttpContext.Request.IsSecureConnection)
{
UriBuilder redirectUrl = new UriBuilder(
filterContext.HttpContext.Request.Url);
redirectUrl.Scheme = "HTTPS";
redirectUrl.Port = 443;
filterContext.HttpContext.Response.Redirect(redirectUrl.ToString());
return;
}
else
{
base.OnAuthorization(filterContext);
}
}
}
}
这篇关于OWIN和Azure AD HTTPS到HTTP重定向循环的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!