【Question title】: Testing a Web App Protected by Passive Federated Auth
【Posted】: 2015-02-26 08:27:12
【Question】:

My team has an ASP.NET MVC-based website and a Web API, both protected by passive federated authentication. Everything works fine. The problem we have is that we need to test the website and the Web API after an automated deployment. Assuming the test code runs as a user who has access to the website, how can we authenticate from the automated test code and obtain the website's FEDAUTH cookie?

【Question discussion】:

    Tags: asp.net authentication wif adfs ws-federation


    【Solution 1】:

    You can make your Web API support active authentication. It takes some work to change the configuration and the authentication handler, but it also makes your Web API easy to reach from programmatic clients. If you only want to obtain the FEDAUTH cookie in your automated test code, you can use the code sample below. It mimics a browser posting the user's token to the website and receiving the cookie.

            using System;
            using System.Collections.Generic;
            using System.IdentityModel.Protocols.WSTrust;
            using System.IdentityModel.Services;
            using System.Net.Http;
            using System.ServiceModel;
            using System.ServiceModel.Security;
            using System.Web;

            // Needs references to System.IdentityModel, System.IdentityModel.Services,
            // System.ServiceModel, System.Net.Http and System.Web (.NET 4.5, WIF built in).
            static class FedAuthTestClient
            {
                // Returns an HttpClient that already carries the FedAuth cookie for serviceUrl.
                // The code needs the STS server and the website url, e.g.
                //   stsUrl     = "https://your_STS"
                //   serviceUrl = "https://your_Service"
                public static HttpClient SignIn(string stsUrl, string serviceUrl)
                {
                    // Use Windows Credential to get the token
                    var binding = new WSHttpBinding(SecurityMode.Transport);
                    binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
                    var factory = new WSTrustChannelFactory(binding, stsUrl) { TrustVersion = TrustVersion.WSTrust13 };
                    // Override current login user credential if needed:
                    // factory.Credentials.Windows.ClientCredential = userCredential;

                    var rst = new RequestSecurityToken
                    {
                        RequestType = RequestTypes.Issue,
                        KeyType = KeyTypes.Bearer,
                        AppliesTo = new EndpointReference(serviceUrl)
                    };

                    RequestSecurityTokenResponse rstr;
                    var token = factory.CreateChannel().Issue(rst, out rstr);
                    var fedSerializer = new WSFederationSerializer();
                    var rstrContent = fedSerializer.GetResponseAsString(rstr, new WSTrustSerializationContext());

                    // After this the security token is acquired and saved in rstrContent
                    // (the RSTR XML that a browser would send back in the "wresult" field)

                    var client = new HttpClient();   // the default handler keeps cookies between requests

                    // Initiate a request to the service, which will be redirected to STS. Read WS fed fields from redirected URL.
                    var response = client.GetAsync(serviceUrl).Result;
                    response.EnsureSuccessStatusCode();
                    var redirectQuery = response.RequestMessage.RequestUri.Query;
                    var queryParams = HttpUtility.ParseQueryString(redirectQuery);

                    // construct an authentication form (the same fields a browser posts back to the relying party)
                    var formData = new Dictionary<string, string>
                    {
                        {"wa", queryParams["wa"]},
                        {"wresult", rstrContent},
                        {"wctx", queryParams["wctx"]},
                    };

                    // post the authentication form to the website.
                    response = client.PostAsync(serviceUrl, new FormUrlEncodedContent(formData)).Result;
                    response.EnsureSuccessStatusCode();

                    // After this, the auth cookie is set in this HttpClient that you can use to access your service
                    return client;
                }
            }
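    As an added example (not part of the original answer), here are the two checks an automated test around that flow should make: validate the WS-Federation sign-in redirect before handing the token to it, and confirm that the FedAuth cookie the site set is present and flagged Secure/HttpOnly. The class name `FedAuthTestHelpers`, the `FedAuth`/`FedAuth1`... chunk naming and the assumption that `wtrealm` is the service URL are mine; it also assumes the HttpClient was built on an `HttpClientHandler` whose `CookieContainer` is the one passed in.

    ```csharp
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Net;
    using System.Web;

    // Added test helpers; not from the original answer.
    static class FedAuthTestHelpers
    {
        // Assumption: WIF's SessionAuthenticationModule writes "FedAuth" and, when the
        // session token is too large for one cookie, continues with "FedAuth1", "FedAuth2", ...
        const string CookieName = "FedAuth";

        // Returns the wa/wctx values to post back, or throws when the redirect is not a
        // sign-in request for our service (e.g. a misconfigured STS/realm), so the test
        // never posts a bearer token for the service to some other realm.
        public static Dictionary<string, string> ReadSignInRequest(Uri redirectedTo, Uri serviceUrl)
        {
            var q = HttpUtility.ParseQueryString(redirectedTo.Query);
            if (q["wa"] != "wsignin1.0")
                throw new InvalidOperationException("Expected wa=wsignin1.0, got: " + q["wa"]);
            // Assumption: wtrealm (or wreply) is the relying party's URL, the usual WIF setup.
            var realm = q["wtrealm"] ?? q["wreply"];
            Uri realmUri;
            if (realm == null || !Uri.TryCreate(realm, UriKind.Absolute, out realmUri)
                || !string.Equals(realmUri.Host, serviceUrl.Host, StringComparison.OrdinalIgnoreCase))
                throw new InvalidOperationException("Redirect realm does not match the service: " + realm);
            return new Dictionary<string, string> { { "wa", q["wa"] }, { "wctx", q["wctx"] ?? "" } };
        }

        // After the form POST the FedAuth cookie chunk(s) live in the handler's CookieContainer.
        public static IList<Cookie> GetFedAuthCookies(CookieContainer jar, Uri serviceUrl)
        {
            return jar.GetCookies(serviceUrl).Cast<Cookie>()
                      .Where(c => c.Name.StartsWith(CookieName, StringComparison.Ordinal))
                      .OrderBy(c => c.Name.Length).ThenBy(c => c.Name)   // FedAuth, FedAuth1, FedAuth2 ...
                      .ToList();
        }

        // Fails the test when the session cookie is missing or would be readable by script / sent over plain HTTP.
        public static void AssertFedAuthCookieIsSafe(CookieContainer jar, Uri serviceUrl)
        {
            var chunks = GetFedAuthCookies(jar, serviceUrl);
            if (chunks.Count == 0) throw new InvalidOperationException("No FedAuth cookie was set");
            foreach (var c in chunks)
            {
                if (!c.Secure) throw new InvalidOperationException(c.Name + " is not marked Secure");
                if (!c.HttpOnly) throw new InvalidOperationException(c.Name + " is not marked HttpOnly");
            }
        }
    }
    ```

    Create the client as `new HttpClient(new HttpClientHandler { CookieContainer = jar })`, call `ReadSignInRequest` on `response.RequestMessage.RequestUri` before building the form, and `AssertFedAuthCookieIsSafe(jar, new Uri(serviceUrl))` after the POST.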
    

    【Discussion】:
