OWIN Static File Security

I am creating a SPA that will sit in a WebAPI / OWIN application (to be hosted in IIS) that currently has no MVC components and never will, but the route / will be index.html.

The entire site will require you to sign in to Azure AD before you can do anything, and we will pass a bearer token on the WebAPI calls that are made.

How do you make every request to a static file (or at least every HTML file) require you to be logged in?

+3




3 answers


I will tell you how I did it and how it works for me.

I am using Windows Authentication and this is how I set it up:

    using System.Net;
    using Microsoft.Owin.Host.HttpListener;

    // Pull the OWIN HttpListener out of the app properties and switch the
    // underlying listener to Integrated Windows Authentication (self-host only).
    OwinHttpListener listener = appBuilder.Properties[typeof(OwinHttpListener).FullName] as OwinHttpListener;
    listener.Listener.AuthenticationSchemes = AuthenticationSchemes.IntegratedWindowsAuthentication;


Then, according to fooobar.com/questions/968907 / ..., put the following code between your middleware (or auth code like the code above) and the components you want to protect. It will check that every request has been authenticated.

    // Inline middleware: anything that is not authenticated by the time it gets
    // here is challenged (401 plus the auth middleware's challenge handling) and
    // never reaches the components registered after it.
    app.Use(async (context, next) =>
    {
        var user = context.Authentication.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
        {
            context.Authentication.Challenge();
            return;
        }
        await next();
    });


+3




I haven't tested this, but this is what I'll try first, so I hope it puts you on the right track.


  • Configure your application so that OWIN serves all static files with StaticFilesMiddleware. This article explains how to do it.

  • Before registering the static middleware (using the extension method .UseStaticFiles), create and register your own RequireAuthenticationMiddleware that authenticates the request and, if it doesn't authenticate, returns an appropriate response (401, 403 or whatever). You will want to register this RequireAuthenticationMiddleware after configuring the OWIN Auth middleware so that the authentication data is in the OWIN context.

+1
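Putting the two answers above together (the challenge gate from the first, the registration order from the second) as an added example that is not from this thread: an OWIN Startup that signs browsers in to Azure AD with cookie plus OpenID Connect middleware, gates every later request behind that, and only then serves index.html and the rest of the SPA. The client id, tenant and host are placeholders, and the use of the Microsoft.Owin.Security.Cookies, Microsoft.Owin.Security.OpenIdConnect and Microsoft.Owin.StaticFiles packages is an assumption about the setup.

```csharp
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Gate between the auth middleware and the static file server: unauthenticated
// requests get a challenge (a redirect to Azure AD sign-in for browser requests)
// and never reach the file system.
public class RequireAuthenticationMiddleware : OwinMiddleware
{
    public RequireAuthenticationMiddleware(OwinMiddleware next) : base(next) { }

    public override async Task Invoke(IOwinContext context)
    {
        var user = context.Authentication.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
        {
            // Challenge() sets 401; on the way out the OpenID Connect middleware
            // turns that into the sign-in redirect. Next is deliberately not called.
            context.Authentication.Challenge(OpenIdConnectAuthenticationDefaults.AuthenticationType);
            return;
        }
        await Next.Invoke(context);
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // 1. Authentication: cookie session plus OpenID Connect against Azure AD.
        //    <client-id>, <tenant> and <host> are placeholders for your app registration.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "<client-id>",
            Authority = "https://login.microsoftonline.com/<tenant>",
            RedirectUri = "https://<host>/"
        });
        // 2. The gate: everything registered below requires a signed-in user.
        app.Use<RequireAuthenticationMiddleware>();
        // 3. Static files: "/" is rewritten to index.html, then served from the web root.
        app.UseDefaultFiles();
        app.UseStaticFiles();
    }
}
```

Order is the whole point: if UseStaticFiles were registered before the gate, index.html would be served to anyone, and if the gate were registered before the authentication middleware, context.Authentication.User would always be empty and every request would be challenged.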




I haven't tried using the OWIN middleware yet, but can you always go back to using an HTTP module that checks for your cookie or bearer token?

0

