ASP.NET MVC ,WebAPI 自定义Basic授权方式
来源:互联网 发布:史学方法导论知乎 编辑:程序博客网 时间:2024/04/28 16:53
我想大家在做接口安全这块都考虑过,其中最为直接Basic方式阻止伪造请求,其中我改造了auth加密方式,看了之前有把帐号密码进行 base64加密觉得有点不太安全,稍微做了下改造,在登录的时候 返回一个Token做为一个令牌,只有客户端拿到令牌才能请求数据接口,这里你也可以改造下 加个过期时间 下面看看如何实现:
using System;
using System.Collections.Generic;
using System.Linq;using System.Net.Http.Headers;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Http;
using System.Net;
using System.Net.Http;
using System.Web.Http.Controllers;
namespaceUtility
{
//首先这里集成 Authorize属性重写授权方法
public class OAuthAuthAttribute : AuthorizeAttribute{
TokenBiz tBiz = new TokenBiz();
public const string AuthorizationHeaderName = "Authorization";
public const string WwwAuthenticationHeaderName = "WWW-Authenticate";
public const string BasicAuthenticationScheme = "Basic";
private static readonly bool HasInterfaceAuth = Convert.ToBoolean( System.Configuration.ConfigurationManager.AppSettings["HasInterfaceAuth"]);
/// <summary>
/// 重写授权方法
/// </summary>
/// <param name="actionContext"></param>
public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
{
if (HasInterfaceAuth)
{
IPrincipal user;
if (this.IsAuthenticated(actionContext, out user))
{
//最关键设置 当前线程用户安全信息
Thread.CurrentPrincipal = user;if (HttpContext.Current != null)
{
HttpContext.Current.User = user;
}
}
else
{
this.ProcessUnauthenticatedRequest(actionContext);
}
}
}
/// <summary>
/// 获取Authorization 头 例如:Basic:75DE784E62224B7DAB44F1D5CF37C908
/// </summary>
/// <param name="filterContext"></param>
/// <returns></returns>
protected virtual AuthenticationHeaderValue GetAuthenticationHeaderValue(System.Web.Http.Controllers.HttpActionContext filterContext)
{
IEnumerable<string> split = new List<string>();
var rawValue = filterContext.Request.Headers.TryGetValues(AuthorizationHeaderName, out split);
if (!rawValue)
{
return null;
}
var astr = split.FirstOrDefault();
string[] asplit = astr.Split(':');
if (asplit.Length != 2)
{
return null;
}
return new AuthenticationHeaderValue(asplit[0], asplit[1]);
}
/// <summary>
/// 检索是否授权
/// </summary>
/// <param name="filterContext"></param>
/// <param name="user"></param>
/// <returns></returns>
protected virtual bool IsAuthenticated(System.Web.Http.Controllers.HttpActionContext filterContext, out IPrincipal user)
{
user = HttpContext.Current.User;
if (null != user & user.Identity.IsAuthenticated)
{
return true;
}
AuthenticationHeaderValue token = this.GetAuthenticationHeaderValue(filterContext);
if (null != token && token.Scheme == BasicAuthenticationScheme)
{
string credential = token.Parameter;
var entity = tBiz.GetEntityByToken(credential);
if (entity != null)
{
string uid = string.IsNullOrEmpty(entity.UIID) ? entity.UserID.ToString() : entity.UIID;
GenericIdentity identity = new GenericIdentity(uid);
user = new GenericPrincipal(identity, new string[0]);
filterContext.ActionArguments["AuthState"] = AuthState.Success;
return true;
}
else {
filterContext.ActionArguments["AuthState"] = AuthState.Failure;
}
}
else
{
filterContext.ActionArguments["AuthState"] = AuthState.Failure;
}
return false;
}
/// <summary>
/// 失败或者不存在返回json参数
/// </summary>
/// <param name="filterContext"></param>
protected virtual void ProcessUnauthenticatedRequest(System.Web.Http.Controllers.HttpActionContext filterContext)
{
AuthState state = (AuthState)filterContext.ActionArguments["AuthState"];
string parameter = string.Format("realm=\"{0}\"", filterContext.Request.RequestUri.DnsSafeHost);
AuthenticationHeaderValue challenge = new AuthenticationHeaderValue(BasicAuthenticationScheme, parameter);
if (state == AuthState.Invalid)
{
var rp = filterContext.Request.CreateResponse<ErrorResult>(HttpStatusCode.OK,
new ErrorResult { Code = CodeEnum.Token已过期, Message = CodeEnum.Token已过期.ToString() });
rp.Headers.Add(WwwAuthenticationHeaderName, challenge.ToString());
filterContext.Response = rp;
}
if (state == AuthState.Failure)
{
var rp = filterContext.Request.CreateResponse<ErrorResult>(HttpStatusCode.OK,
new ErrorResult { Code = CodeEnum.Token不存在, Message = CodeEnum.Token不存在.ToString() });
rp.Headers.Add(WwwAuthenticationHeaderName, challenge.ToString());
filterContext.Response = rp;
}
}
}
/// <summary>
/// 返回参数枚举
/// </summary>
public enum AuthState : int
{
Success = 0,
Failure = 1,
Invalid = 2
}
}
0 0
- ASP.NET MVC ,WebAPI 自定义Basic授权方式
- ASP.NET MVC WebAPI请求
- ASP.NET WEBAPI 的身份验证和授权
- ASP.NET MVC WEBAPI第一次接触
- ASP.NET MVC学习系列-WebAPI请求
- ASP.NET MVC的WebApi使用
- 配置Asp.Net MVC WebAPI可跨域方法
- Asp.Net MVC webAPI Token based authentication
- asp.net mvc 的webApi (一)自己手动创建
- ASP.NET MVC学习系列(二)-WebAPI请求
- 给ASP.NET MVC及WebApi添加路由优先级
- ASP.NET MVC学习系列(二)-WebAPI请求
- 在ASP.NET MVC中使用WebApi注册路由注意事项
- ASP.NET Core MVC-WebAPi如何构建路由?
- ASP.NET Core MVC-WebAPi如何构建路由?
- ASP.NET Core MVC-WebAPi如何构建路由?
- ASP.NET Core MVC-WebAPi如何构建路由?
- ASP.NET Core MVC/WebAPi 模型绑定探索
- vc static扩大,缩小效果
- 匈牙利命名规则
- #available标注进行多版本兼容性支持
- java.lang.NoClassDefFoundError:org/bouncycastle/jce/provider/BouncyCastleProvider
- JsonToMap and getMapFromStrToMap
- ASP.NET MVC ,WebAPI 自定义Basic授权方式
- Bootstrap3 左边距
- [实践]微信公众平台开发方法汇总(php)
- #JQurey 插件模型探讨 持续更行中#
- Android手机装不上软件的问题解决
- Unity3D中自带事件函数的执行顺序
- 班牛 - 企业级移动知识库
- 善用instruments来检验你的app
- 天道
