Asp.netコア2.0 JWTはのAllowAnonymous

Question

私はここ（ https://github.com/aspnet/Security）

は私Startup.cs

 /// <summary> 
     ///  This method gets called by the runtime. Use this method to add services to the container. 
     /// </summary> 
     /// <param name="services"></param> 
     public void ConfigureServices(IServiceCollection services) 
     { 
      // Add entity framework to services collection. 
      var sqlConnection = Configuration.GetConnectionString("SqlServerConnectionString"); 
      services.AddDbContext<RelationalDatabaseContext>(
       options => options.UseSqlServer(sqlConnection, b => b.MigrationsAssembly(nameof(Main)))); 

      // Injections configuration. 
      services.AddScoped<IUnitOfWork, UnitOfWork>(); 
      services.AddScoped<DbContext, RelationalDatabaseContext>(); 
      services.AddScoped<IEncryptionService, EncryptionService>(); 
      services.AddScoped<IIdentityService, IdentityService>(); 
      services.AddScoped<ITimeService, TimeService>(); 
      services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>(); 

      // Requirement handler. 
      services.AddScoped<IAuthorizationHandler, SolidAccountRequirementHandler>(); 
      services.AddScoped<IAuthorizationHandler, RoleRequirementHandler>(); 

      // Load jwt configuration from setting files. 
      services.Configure<JwtConfiguration>(Configuration.GetSection(nameof(JwtConfiguration))); 
      services.Configure<ApplicationSetting>(Configuration.GetSection(nameof(ApplicationSetting))); 

      // Build a service provider. 
      var serviceProvider = services.BuildServiceProvider(); 
      var jwtBearerSettings = serviceProvider.GetService<IOptions<JwtConfiguration>>().Value; 

      // Cors configuration. 
      var corsBuilder = new CorsPolicyBuilder(); 
      corsBuilder.AllowAnyHeader(); 
      corsBuilder.AllowAnyMethod(); 
      corsBuilder.AllowAnyOrigin(); 
      corsBuilder.AllowCredentials(); 

      // Add cors configuration to service configuration. 
      services.AddCors(options => { options.AddPolicy("AllowAll", corsBuilder.Build()); }); 
      services.AddOptions(); 

      // This can be removed after https://github.com/aspnet/IISIntegration/issues/371 
      var authenticationBuilder = services.AddAuthentication(options => 
      { 
       options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme; 
       options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme; 
      }); 

      authenticationBuilder.AddJwtBearer(o => 
      { 
       // You also need to update /wwwroot/app/scripts/app.js 
       o.Authority = jwtBearerSettings.Authority; 
       o.Audience = jwtBearerSettings.Audience; 
       o.RequireHttpsMetadata = false; 

       o.SecurityTokenValidators.Clear(); 
       o.SecurityTokenValidators.Add(new JwtBearerValidator()); 

       o.Events = new JwtBearerEvents() 
       { 
        OnAuthenticationFailed = c => 
        { 
         c.NoResult(); 

         c.Response.StatusCode = 500; 
         c.Response.ContentType = "text/plain"; 
         if ("dev".Equals(Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT"))) 
         { 
          // Debug only, in production do not share exceptions with the remote host. 
          return c.Response.WriteAsync(c.Exception.ToString()); 
         } 
         return c.Response.WriteAsync("An error occurred processing your authentication."); 
        } 
       }; 
      }); 

      #region Mvc builder 

      // Construct mvc options. 
      var mvcBuilder = 
       services.AddMvc(mvcOptions => 
       { 
        //only allow authenticated users 
        var policy = new AuthorizationPolicyBuilder() 
         .RequireAuthenticatedUser() 
         .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme) 
         .AddRequirements(new SolidAccountRequirement()) 
         .Build(); 

        mvcOptions.Filters.Add(new AuthorizeFilter(policy)); 
       }); 

      // Add json configuration/ 
      mvcBuilder.AddJsonOptions(options => 
      { 
       options.SerializerSettings.ContractResolver = new CamelCasePropertyNamesContractResolver(); 
      }); 

      #endregion 
     } 

     /// <summary> 
     ///  This method gets called by the runtime. Use this method to configure the HTTP request pipeline. 
     /// </summary> 
     /// <param name="app"></param> 
     /// <param name="env"></param> 
     /// <param name="loggerFactory"></param> 
     /// <param name="serviceProvider"></param> 
     public void Configure(IApplicationBuilder app, 
      IHostingEnvironment env, 
      ILoggerFactory loggerFactory, IServiceProvider serviceProvider) 
     { 
      // Enable logging. 
      loggerFactory.AddConsole(Configuration.GetSection("Logging")); 
      loggerFactory.AddDebug(); 

      // Use JWT Bearer authentication in the system. 
      app.UseAuthentication(); 

      // Enable cors. 
      app.UseCors("AllowAll"); 

      // Enable MVC features. 
      app.UseMvc(); 
     } 

されている.NETコア2.0とJWTベアラー認証を使用して小さな新しいプロジェクトを作ってるんだ

を無視していません

これらの設定では、jwtがWebアプリケーションで有効になっています。私は私の要求、に認証ヘッダを渡すと、（[のAllowAnonymous]属性下に置かれた）の認証を必要としないAPIで

• OnAuthenticationFailed：しかし、私は現在で直面しています一つのことがありますイベントが発生します（トークンが検出されないため）。

私の質問は：どのように私は私のJWT認証が自動的のAllowAnonymousとしてマークされている方法またはコントローラを無視することができますか？

あなたは、同時に2つの認証、このコードのJWTと他の1と1を追加しているので、それはだ、

Answer 1

私が思うに、ありがとうございます。

var mvcBuilder = 
       services.AddMvc(mvcOptions => 
       { 
        //only allow authenticated users 
        var policy = new AuthorizationPolicyBuilder() 
         .RequireAuthenticatedUser() 
         .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme) 
         .AddRequirements(new SolidAccountRequirement()) 
         .Build(); 

        mvcOptions.Filters.Add(new AuthorizeFilter(policy)); 
       }); 

だけでJWTをしてください、あなたはあなたが二回許可を設定しない

services.AddAuthorization(options => 
       { 
        options.AddPolicy("CreateUser", policy => policy.AddRequirements(
        new UserLevelRequirement("Admin") 
       )); 
       }) 

この例のように、あなたがそれを行うことができ、ポリシーを追加する場合。

Answer 2

OnAuthenticationFailedイベントは、このイベントが「text/plainの」レスポンスContentTypeをを設定しますので、あなたのAPIが406受け入れられないを返しますraised.Butすることができますでしょう;.コードc.Response.ContentType = "text/plain";をc.Response.ContentType = "application/json";に変更することができます。