Question
I have a simple REST Web Service. I have tried to implement SimpleWebToken security, therefore I created a custom SecurityTokenHandler with overridden CanReadToken and ReadToken, then I registered it in the web.config file.
<system.identityModel>
  <identityConfiguration>
    <securityTokenHandlers>
      <clear/>
      <add type="TestTokens.SimpleWebTokenHandler, TestTokens"></add>
    </securityTokenHandlers>
    <audienceUris>
      <clear/>
      <add value="http://mytestrealm/"/>
    </audienceUris>
  </identityConfiguration>
</system.identityModel>
I thought that CanReadToken() is always called, in order to make sure that the incoming request can be handled. Why is it not called?
Answer 1:
AFAIK, this collection of security token handlers is only called when the WIF plumbing needs it. This can be, e.g., when you offer a WS-Trust service. It is not called on all requests.
Answer 2:
That is correct, WIF plumbing can be used to authenticate users. It looks like you are looking for more of a WebAPI solution. I would recommend using JWT tokens as everyone seems to be leaning that way. Have a look here: http://www.cloudidentity.com/blog/2013/06/06/the-json-web-token-handler-for-net-4-5-reaches-ga/
We put in some features that help when validating JWTs for WebAPIs.
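Both answers make the same point: the handlers registered under <securityTokenHandlers> are a collection WIF consults when one of its own components (the WS-Federation module handling a sign-in response, the session module reading its cookie, a WS-Trust endpoint) has a token in hand. A plain REST request carrying a token in an Authorization header never reaches any of those components, so nothing calls CanReadToken on the custom handler. The fix is to invoke the configured collection explicitly. The following is an added example, not code from the question or either answer: a Web API DelegatingHandler that pulls the bearer token from the request and runs it through FederatedAuthentication.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers, which is the collection the web.config above populates. The class name TokenAuthenticationHandler and the realm string in the challenge are assumptions; the same code works unchanged whether the registered handler is the custom SimpleWebTokenHandler from the question or the JwtSecurityTokenHandler answer 2 recommends.

```csharp
// Added example: explicitly dispatching a bearer token to the WIF
// SecurityTokenHandlerCollection from a Web API message handler.
// Not part of the original question or answers.
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using System.Web;

namespace TestTokens
{
    // Assumed name; register with config.MessageHandlers.Add(new TokenAuthenticationHandler()).
    public class TokenAuthenticationHandler : DelegatingHandler
    {
        // The collection built from <securityTokenHandlers> in web.config.
        // WIF also hands the <audienceUris> to each handler through its
        // Configuration.AudienceRestriction, so audience checks happen inside
        // the handler's ValidateToken, not here.
        private static SecurityTokenHandlerCollection Handlers
        {
            get
            {
                return FederatedAuthentication.FederationConfiguration
                    .IdentityConfiguration.SecurityTokenHandlers;
            }
        }

        protected override async Task<HttpResponseMessage> SendAsync(
            HttpRequestMessage request, CancellationToken cancellationToken)
        {
            AuthenticationHeaderValue auth = request.Headers.Authorization;
            if (auth == null
                || !string.Equals(auth.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase)
                || string.IsNullOrWhiteSpace(auth.Parameter))
            {
                return Unauthorized(request, "missing bearer token");
            }

            ClaimsPrincipal principal;
            try
            {
                principal = Authenticate(auth.Parameter);
            }
            catch (SecurityTokenException)
            {
                // Bad signature, expired, wrong audience, unreadable format:
                // all collapse to 401 so the response leaks nothing about why.
                return Unauthorized(request, "invalid token");
            }

            // Make the identity visible to [Authorize] and to the service code.
            Thread.CurrentPrincipal = principal;
            if (HttpContext.Current != null)
            {
                HttpContext.Current.User = principal;
            }
            return await base.SendAsync(request, cancellationToken);
        }

        // This is the point at which the custom handler's CanReadToken,
        // ReadToken and ValidateToken actually execute.
        internal static ClaimsPrincipal Authenticate(string rawToken)
        {
            SecurityTokenHandlerCollection handlers = Handlers;
            if (!handlers.CanReadToken(rawToken))
            {
                // No registered handler recognises the format. Fail closed
                // instead of letting the request continue anonymously.
                throw new SecurityTokenException("no registered handler can read this token");
            }
            SecurityToken token = handlers.ReadToken(rawToken);
            ReadOnlyCollection<ClaimsIdentity> identities = handlers.ValidateToken(token);
            return new ClaimsPrincipal(identities);
        }

        private static HttpResponseMessage Unauthorized(HttpRequestMessage request, string reason)
        {
            HttpResponseMessage response = request.CreateResponse(HttpStatusCode.Unauthorized, reason);
            // Realm value is an assumption taken from the <audienceUris> entry above.
            response.Headers.WwwAuthenticate.Add(
                new AuthenticationHeaderValue("Bearer", "realm=\"http://mytestrealm/\""));
            return response;
        }
    }
}
```

Two things are worth checking when wiring this in. First, because the web.config uses <clear/> before adding the custom handler, the collection contains only that handler, so any token in another format is rejected at the CanReadToken step rather than silently accepted by a default handler; keep the <clear/> for a REST service that should accept exactly one token type. Second, ValidateToken is where audience, expiry and signature are enforced, so a custom SecurityTokenHandler must override it (and CanValidateToken) as well as CanReadToken and ReadToken; a handler that only parses the token will return identities that were never verified.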
Source: https://stackoverflow.com/questions/19377021/when-custom-securitytokenhandler-gets-triggered