OWIN Authentication and Custom Response

2019-04-29 13:36发布

站内问答 / 后端开发
401 1 4

I create a custom BasicAuthenticationMiddleware that use a BasicAuthenticationHandler to Authenticate requests from client to WebAPI.

The BasicAuthenticationHandler derives from the AuthenticationHandler< TOptions > base class.

Everything works fine and I implemented the

AuthenticateCoreAsync where the logic to authenticate happens

ApplyChallengeResponseAsync where the logic, in case of not authenticated requests, sends the WWW-Authenticate header to the client.

What I would like to achieve now is to set a Custom Body in the Response (IOwinResponse, inside the ApplyChallengeResponseAsync, with a custom object like:

{
Code="999",
Description="My failing reason"
AdditionalInfo = "My additional infos"
}

instead of the standard message that is like

{
    message="Authorization has been denied for this request."
}

Did you have any suggestion on this?

thanks

1条回答
霸刀☆藐视天下
2楼-- · 2019-04-29 14:40

The standard message you see, which is "Authorization has been denied for this request." is created by the Authorize filter. The HandleUnauthorizedRequest method sets this message in the response.

protected virtual void HandleUnauthorizedRequest(HttpActionContext actionContext)
{
    if (actionContext == null)
    {
        throw Error.ArgumentNull("actionContext");
    }

    actionContext.Response = actionContext.ControllerContext.Request
                                 .CreateErrorResponse(
                                    HttpStatusCode.Unauthorized, 
                                      SRResources.RequestNotAuthorized);
}

SRResources.RequestNotAuthorized is what you see as the standard message.

Now, ApplyChallengeResponseAsync is called from the OnSendingHeaders callback in Katana autentication micro framework. This callback is invoked when a component writes into the response stream. In our case, when the response message created by the filter (what you see above) gets serialized, that is when the callback is invoked and ApplyChallengeResponseAsync runs. By that time, it is already too late for you to change the response. The best bet will be to override the virtual method of the Authorize filter above like this.

public class MyAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        var response = actionContext.Request.CreateResponse<MyError>
                                (new MyError() { Description = "My failing reason" });
        response.StatusCode = HttpStatusCode.Unauthorized;

        actionContext.Response = response;
    }
}

public class MyError
{
    public string Description { get; set; }
}

Instead of using [Authorize] on the controller or action method, use [MyAuthorize].

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)