http://identitymodel.codeplex.com/

https://identityserver.github.io/

Windows Identity Foundation

6.1.7600.16394

Windows Identity Foundation enables .NET developers to externalize identity logic from their application, improving developer productivity, enhancing application security, and enabling interoperable federation. Enjoy greater productivity, applying the same tools and programming model to build on-premises software as well as cloud services. Create more secure applications by reducing custom implementations and using a single simplified identity model based on claims. Enjoy greater flexibility in application deployment through interoperability based on industry standard protocols, allowing applications and identity infrastructure services to communicate via claims.

To install Windows Identity Foundation, run the following command in the Package Manager Console

CORS support in WebAPI, MVC and IIS with Thinktecture.IdentityModel

My second contribution to the Thinktecture.IdentityModel security library is a full-featured CORS implementation. Many other sample implementations only emit the Access-Control-Allow-Origin header, but there’s more to it than that. The implementation in Thinktecture.IdentityModel follows the W3C Working Draft 3 from April 2012. There is a rich configuration API to control the various settings that are involved with CORS. These settings include which resource you want to configure, which origins are allowed, which HTTP methods are allowed, which request and/or response headers are allowed and are cookies allowed.

In this first release there is support for WebAPI, ASP.NET MVC and IIS. For WebAPI you configure your settings per controller. For MVC you can configure the settings per controller or for specific controller actions. For IIS you configure the settings per URL. If there’s enough interest, then perhaps in a future version I can add support for WCF REST and WCF Data Services.

I won’t bother explaining CORS since there are already enough posts on it elsewhere. Instead I’ll just show how to get started with the library. First, reference the NuGet package. Next, depending on the type of application (WebAPI, MVC or IIS) you need to configure how you want CORS support. Below shows each of the different environments:

WebAPI

In WebAPI the implementation is a delegating handler. This allows the CORS settings to be global or per-route (which is forthcoming post-RC). For example if you were to configure it globally then in global.asax‘s Application_Start you would have a call out to the configuration class passing the global HttpConfiguration object (this follows the new style of factoring out configuration to separate classes in the App_Start folder):

1
2
3
4
5
6
protected void Application_Start()
{
   ...
 
   CorsConfig.RegisterCors(GlobalConfiguration.Configuration);
}

And then in App_Start/CorsConfig.cs:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
public class CorsConfig
{
   public static void RegisterCors(HttpConfiguration httpConfig)
   {
      WebApiCorsConfiguration corsConfig = newWebApiCorsConfiguration();
 
      // this adds the CorsMessageHandler to the HttpConfiguration's
      // MessageHandlers collection
      corsConfig.RegisterGlobal(httpConfig);
 
      // this allow all CORS requests to the Products controller
      // from the http://foo.com origin.
      corsConfig
         .ForResources("Products")
         .ForOrigins("http://foo.com")
         .AllowAll();
   }
}

In WebAPI resources are identified by the controller name as in the above example for the“Products” controller.

MVC

In MVC you need to register a HttpModule to enable CORS support, so in web.config:

1
2
3
4
5
6
<system.webServer>
   <modules runAllManagedModulesForAllRequests="true">
      <add name="MvcCorsHttpModule"
         type="Thinktecture.IdentityModel.Http.Cors.Mvc.MvcCorsHttpModule"/>
   </modules>
</system.webServer>

And then again in global.asax you would configure the settings:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
protected void Application_Start()
{
   ...
 
   RegisterCors(MvcCorsConfiguration.Configuration);
}
 
private void RegisterCors(MvcCorsConfiguration corsConfig)
{
   corsConfig
      .ForResources("Products.GetProducts")
      .ForOrigins("http://foo.com")
      .AllowAll();
}

In MVC resources can either be identified just by the controller name (with just “Controller” for the resource name) or by the controller and action (as with the above sample with the“Controller.Action” syntax).

IIS

In IIS you need to register a HttpModule (different than the one for MVC), so in web.config:

1
2
3
4
5
6
<system.webServer>
   <modules>
      <add name="CorsHttpModule"
         type="Thinktecture.IdentityModel.Http.Cors.IIS.CorsHttpModule"/>
   </modules>
</system.webServer>

And then again in global.asax you would configure the settings:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
protected void Application_Start(object sender, EventArgs e)
{
   ...
 
   ConfigureCors(UrlBasedCorsConfiguration.Configuration);
}
 
void ConfigureCors(CorsConfiguration corsConfig)
{
   corsConfig
      .ForResources("~/Handler1.ashx")
      .ForOrigins("http://foo.com", "http://bar.com")
      .AllowAll();
}

In IIS resources are identified by the application relative path (thus the “~/path/resource”syntax).

Other Configuration Options

While the above samples show a minimal amount of code to get CORS enabled and running in your app, these are some of the least restrictive settings. Typically more thought should go into the settings and so there is a rich API for configuring the various CORS settings. Here are some more examples:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
public static void ConfigureCors(CorsConfiguration corsConfig)
{
   // this allows http://foo.com to do GET or POST on Values1 controller
   corsConfig
      .ForResources("Values1")
      .ForOrigins("http://foo.com")
      .AllowMethods("GET", "POST");
 
   // this allows http://foo.com to do GET and POST, pass cookies and
   // read the Foo response header on Values2 controller
   corsConfig
      .ForResources("Values2")
      .ForOrigins("http://foo.com")
      .AllowMethods("GET", "POST")
      .AllowCookies()
      .AllowResponseHeaders("Foo");
 
   // this allows http://foo.com and http://foo.com to do GET, POST,
   // and PUT and pass the Content-Type header to Values3 controller
   corsConfig
      .ForResources("Values3")
      .ForOrigins("http://foo.com", "http://bar.com")
      .AllowMethods("GET", "POST", "PUT")
      .AllowRequestHeaders("Content-Type");
 
   // this allows http://foo.com to use any method, pass cookies, and
   // pass the Content-Type, Foo and Authorization headers, and read
   // the Foo response header for Values4 and Values5 controllers
   corsConfig
      .ForResources("Values4", "Values5")
      .ForOrigins("http://foo.com")
      .AllowAllMethods()
      .AllowCookies()
      .AllowRequestHeaders("Content-Type", "Foo", "Authorization")
      .AllowResponseHeaders("Foo");
 
   // this allows all methods and all request headers (but no cookies)
   // from all origins to Values6 controller
   corsConfig
      .ForResources("Values6")
      .AllowAllOriginsAllMethodsAndAllRequestHeaders();
 
   // this allows all methods (but no cookies or request headers)
   // from all origins to Values7 controller
   corsConfig
      .ForResources("Values7")
      .AllowAllOriginsAllMethods();
 
   // this allows all CORS requests from origin http://bar.com
   // for all resources that have not been explicitly configured
   corsConfig
      .ForOrigins("http://bar.com")
      .AllowAll();
 
   // this allows all CORS requests to all other resources that don’t
   // have an explicit configuration. This opens them to all origins, all
   // HTTP methods, all request headers and cookies. This is the API to use
   // to get started, but it’s a sledgehammer in the sense that *everything*
   // is wide-open.
   corsConfig.AllowAll();
}

Of course, feedback is welcome. Enjoy.

Edit: Common configuration issues when enabling CORS on IIS.

开源的Owin 的身份验证支持 和跨域支持的更多相关文章

  1. 两系统用asp.net forms 身份验证方式实现跨域登录信息共享

    1.两个系统的 web.config 都配置为 forms 验证方式( system.web —> authentication 节点) 2.在两个系统的Web.config里配置相同的 sys ...

  2. Taurus.MVC 2.2 开源发布:WebAPI 功能增强(请求跨域及Json转换)

    背景: 1:有用户反馈了关于跨域请求的问题. 2:有用户反馈了参数获取的问题. 3:JsonHelper的增强. 在综合上面的条件下,有了2.2版本的更新,也因此写了此文. 开源地址: https:/ ...

  3. 浅谈Web Api配合SignalR的跨域支持

    最近接手的一个项目中,涉及到一个简单的消息模块,由于之前有简单了解过SignalR,所以打算尝试着摸索摸索~! 首先,通过Nuget管理器添加Microsoft ASP.NET SignalR引用~目 ...

  4. WebApi 自定义过滤器实现支持AJAX跨域的请求

    我想关于此类话题的文章,大家一搜铺天盖地都是,我写此文的目的,只是对自己学习过程的记录,能对需要的朋友有所帮助,也百感荣幸!!!废话不多说,直接上代码! 客户端:很简单的AJAX请求 <html ...

  5. SpringBoot学习(3)-SpringBoot添加支持CORS跨域访问

    SpringBoot学习(3)-SpringBoot添加支持CORS跨域访问 https://blog.csdn.net/yft_android/article/details/80307672

  6. 支持ajax跨域调用的WCF搭建示例

    支持ajax 跨域调用的WCF搭建 1.新建一个"ASP.NET空Web应用程序"项目. 2.新建一个“WCF服务(支持ajax)”. 3.修改WCFAjaxService.svc ...

  7. SpringMvc跨域支持

    SpringMvc跨域支持 在controller层加上注解@CrossOrigin可以实现跨域 该注解有两个参数 1,origins  : 允许可访问的域列表 2,maxAge:飞行前响应的缓存持续 ...

  8. SpringBoot添加支持CORS跨域访问

    原文:https://www.jianshu.com/p/c6ea21b64f6e CORS(Cross-Origin Resource Sharing)"跨域资源共享",是一个W ...

  9. 支持JSONP跨域的对象

    支持JSONP跨域的对象 1:img 2:iframe 3:link 4:script 为什么,JSONP 最终选择是 script 实现呢?度娘来也! 平常我们进行JSONP请求数据,因为 json ...

随机推荐

  1. curl_easy_setopt-curl库的关键函数之一

    函数原型:#include <curl/curl.h>CURLcodecurl_easy_setopt(CURL *handle, CURLoption option, parameter ...

  2. CSS3/HTML5实现漂亮的分步骤注册登录表单

    分步骤的登录注册表单现在也比较多,主要是能提高用户体验,用户可以有选择性的填写相应的表单信息,不至于让用户看到一堆表单望而却步.今天和大家分享的就是一款基于HTML5和CSS3的分步骤注册登录表单,外 ...

  3. Ubuntu 14.04 64位安装Android Studio 和 genymotion (上)

    先说下,Ubuntu 上安装Android Studio真是一路坑阿,一路坑阿,加上天  朝 防火墙挡着,折腾了快一天才弄好阿 找了n多教程,md不是抄的就是转的,而且都没说清楚具体咋装阿,一个图一个 ...

  4. ReactJS 的背景及原理

    原文链接:http://www.infoq.com/cn/articles/subversion-front-end-ui-development-framework-react 在Web开发中,我们 ...

  5. (转)Eclipse/Myeclipse 注释注释模板

    Window -->preferences --> Java --> Code Style --> Code Templates --> Comments --> ...

  6. Android 之 资源文件的介绍及使用

    Android 之 资源文件的介绍及使用 1.资源的简单介绍:  在res文件夹中定义:字符串.颜色.数组.菜单.图片.视频等:在应用程序中使用这些资源.  2.使用资源的长处:降低代码量,同一时候为 ...

  7. 数据对接—kettle使用之二

    这一篇开始进入kettle的一些常用插件的使用介绍,通过实例介绍不同插件的功能.这一篇说(Data Grid和文本文件输出)的使用. 文本文件输出介绍(可以略过,一般用不着):       1.Run ...

  8. JavaScript中的面向对象的讨论(转)

    前言 今天,WEB2.0时代的到来,给了JavaScript又一次大展身手的机会.Web2.0借助JavaScript技术,使得客户端的Web体验更加丰富多彩,同时JavaScript面对的问题域也变 ...

  9. TypedArray和obtainStyledAttributes使用

    在编写Android自定义按钮示例基础上,如果要指定字体大小产生这样的效果: 其实是不需要自定义变量的,可以直接使用TextView的配置属性: <com.easymorse.textbutto ...

  10. Lenovo k860i 移植Android 4.4 cm11进度记录【下篇--实时更新中】

    2014.8.24 k860i的cm11的移植在中断了近两三个月之后又開始继续了,进度记录的日志上一篇已经没什么写的了,就完结掉它吧,又一次开一篇日志做下篇好了.近期的战况是,在scue同学的努力之下 ...