How I would set up authentication with your Scenario 1:
I will force the static files to go through the server in order to ensure authentication.
Web.config:
    <compilation>
        <buildProviders>
            <add extension=".html" type="System.Web.Compilation.PageBuildProvider" />
            <add extension=".htm" type="System.Web.Compilation.PageBuildProvider" />
        </buildProviders>
    </compilation>
    <system.webServer>
        <handlers>
            <add name="HTML" path="*.html" verb="GET, HEAD, POST, DEBUG" type="System.Web.UI.PageHandlerFactory" resourceType="Unspecified" requireAccess="Script" />
            <add name="HTM" path="*.htm" verb="GET, HEAD, POST, DEBUG" type="System.Web.UI.PageHandlerFactory" resourceType="Unspecified" requireAccess="Script" />
        </handlers>
    </system.webServer>
This will allow me to set up <authentication> and <authorization> in my web.config like:
    <authorization>
        <allow roles="demo" />
    </authorization>
or
    <authorization>
        <deny users="?" />
    </authorization>
Additionally, I will set up my login page:
    <authentication mode="Forms">
        <forms path="/" loginUrl="~/login"..
For Scenario 2:
Probably you will need to enable CORS. If that is the case, you will need to set the config option config.EnableCors(); in your Register method; you will also need to enable CORS in your ApiController by using the [EnableCors] attribute on the declaration of the controller. Here is an example of how I do it:
    [EnableCors(origins: "http://localhost:49595", headers: "*", methods: "*")]
    public class ValuesController : ApiController
    {
        ...
    }
Finally, to secure the WebApi we will need to use the [Authorize] attribute in the controllers, and most likely you will need to define your custom authentication method to authorize your second callers. You could follow these steps:
He who fights too long with the evil dragon becomes the evil dragon himself; gaze too long into the abyss, and the abyss will gaze back into you…
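The custom authentication step for Scenario 2, as an added example that is not part of the answer above: a Web API 2 IAuthenticationFilter that validates a bearer token from the Authorization header and sets the request principal, so that the [Authorize] and [EnableCors] attributes from the answer do the rest. The ITokenValidator interface and the static Validator field are assumptions for the example; the real token lookup (database, token service) is out of scope.

```csharp
using System;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Cors;
using System.Web.Http.Filters;
using System.Web.Http.Results;

// Assumed interface (not from the original answer): resolves an opaque bearer token to an
// identity with roles, or returns null when the token is unknown, revoked or expired.
// The returned identity must carry an authentication type, otherwise IsAuthenticated is false.
public interface ITokenValidator { ClaimsIdentity Validate(string token); }

// Web API 2 authentication filter. It runs before [Authorize]: on success it sets the request
// principal, on failure it sets a 401 result with a WWW-Authenticate: Bearer challenge.
public class TokenAuthenticationAttribute : Attribute, IAuthenticationFilter
{
    public static ITokenValidator Validator; // assumption: assigned once at application startup
    public bool AllowMultiple { get { return false; } }

    public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken ct)
    {
        AuthenticationHeaderValue auth = context.Request.Headers.Authorization;
        ClaimsIdentity identity = null;
        if (auth != null && "Bearer".Equals(auth.Scheme, StringComparison.OrdinalIgnoreCase)
            && !string.IsNullOrWhiteSpace(auth.Parameter))
            identity = Validator.Validate(auth.Parameter);

        if (identity == null)
            // No principal is set, so [Authorize] rejects the request; the 401 carries the challenge.
            context.ErrorResult = new UnauthorizedResult(
                new[] { new AuthenticationHeaderValue("Bearer") }, context.Request);
        else
            context.Principal = new ClaimsPrincipal(identity);
        return Task.FromResult(0);
    }

    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken ct)
    {
        return Task.FromResult(0); // challenge header is already attached in AuthenticateAsync
    }
}

// The filter composes with the CORS and [Authorize] attributes shown in the answer.
[EnableCors(origins: "http://localhost:49595", headers: "*", methods: "*")]
[TokenAuthentication]
[Authorize(Roles = "demo")]
public class ValuesController : ApiController
{
    public IHttpActionResult Get() { return Ok(User.Identity.Name); }
}
```

Keep config.EnableCors() in Register so the [EnableCors] attribute is honoured; a request without a valid token gets 401 before any action method runs.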