JWT持票人不保护路线

2018-06-07 07:28:27

我按照教程在Net Core 2.0上配置了身份验证的JWT：https://medium.com/@lugrugzo/asp-net-core-2-0-webapi-jwt-authentication-with-identity-mysql-3698eeba6ff8

作者明确指出，需要添加[Authorize]来保护端点，但我想保护所有端点，除非明确指定[AllowAnonymous]。我阅读了关于JWT Bearer的其他教程，他们看起来完全一样，但作者说它应该默认请求授权...

这是我的Startup.cs

 // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            // ===== Add DbContext ======
            var connectionString = Configuration.GetConnectionString("dbContext");
            services.AddEntityFrameworkNpgsql().AddDbContext<ApplicationDbContext>(options => options.UseNpgsql(connectionString));

        // ===== Add Identity ========
        services.AddIdentity<IdentityUser, IdentityRole>()
            .AddEntityFrameworkStores<ApplicationDbContext>()
            .AddDefaultTokenProviders();

        // ===== Add JWT =====
        JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear(); // => remove default claims
        services
            .AddAuthentication(options =>
            {
                options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;

            })
            .AddJwtBearer(cfg =>
            {
                cfg.RequireHttpsMetadata = false;
                cfg.SaveToken = true;
                cfg.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidIssuer = Configuration.GetSection("jwt")["issuer"],
                    ValidAudience = Configuration.GetSection("jwt")["audience"],
                    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration.GetSection("jwt")["key"])),
                    ClockSkew = TimeSpan.Zero // remove delay of token when expire
                };
            });

        services.AddMvc();

        // Register the Swagger generator, defining one or more Swagger documents
        services.AddSwaggerGen(c =>
        {
            c.SwaggerDoc("v1", new Info { Title = "My API", Version = "v1" });
        });

    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IHostingEnvironment env, ApplicationDbContext dbContext)
    {
        if (env.IsDevelopment())
        {

            app.UseDeveloperExceptionPage();
        }


        // Enable middleware to serve generated Swagger as a JSON endpoint.
        app.UseSwagger();

        // Enable middleware to serve swagger-ui (HTML, JS, CSS, etc.), specifying the Swagger JSON endpoint.
        app.UseSwaggerUI(c =>
        {
            c.SwaggerEndpoint("/swagger/v1/swagger.json", "My API V1");
        });

        app.UseAuthentication();
        app.UseMvc();

        dbContext.Database.EnsureCreated();
    }
}

找不到任何文件看起来不同，所以我会知道我必须改变......我可以调用任何路径没有标题中的令牌。有没有人有想法？

你应该可以使用这样的过滤器：

using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.AspNetCore.Authorization;
{...}
services.AddMvc(config =>
{
   var policy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
   config.Filters.Add(new AuthorizeFilter(policy));
});

链接地址: http://www.djcxy.com/p/22413.html

上一篇: JWT Bearer not protecting routes

下一篇: Custom authentication asp.net core web api