ASP.NET Web API (message handler): why does the Authorize attribute allow all requests?


I created a sample ASP.NET Web API project and use a message handler to set the principal. In the controller class I put the Authorize attribute on some methods, but all requests are allowed??? Can anyone help me? Thanks a lot.

AuthenticationHandler class

using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;

public class AuthenticationHandler : DelegatingHandler
{
    private readonly IUserRepository _userRepository;

    public AuthenticationHandler(IUserRepository userRepository)
    {
        _userRepository = userRepository;
    }

    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // The token is carried in a cookie named Authorization-Token
        var accessToken = request.Headers.GetCookies("Authorization-Token");
        if (accessToken.Count == 0)
            //requests have no token always go here and doesn't set principal!!!!
            return base.SendAsync(request, cancellationToken);

        var tokenValue = accessToken[0]["Authorization-Token"].Value;
        try
        {
            // RSAClass.Decrypt and IUserRepository.GetUserData are the asker's own types (not shown in the question)
            var token = RSAClass.Decrypt(tokenValue);
            if (token == null)
                return base.SendAsync(request, cancellationToken);

            var user = _userRepository.GetUserData(token);

            var identity = new GenericIdentity(user.Username, "Basic");
            if (user.Roles != null)
            {
                var principal = new GenericPrincipal(identity, user.Roles.Split(',').Reverse().ToArray());
                // Only the thread principal is set; the request context principal is left untouched
                Thread.CurrentPrincipal = principal;
            }
        }
        catch (Exception)
        {
            // Any failure while decrypting or looking up the token ends in 401
            return Task.FromResult(request.CreateResponse(HttpStatusCode.Unauthorized));
        }
        return base.SendAsync(request, cancellationToken);
    }
}
Controller class

using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Web.Http; // the Web API AuthorizeAttribute; the System.Web.Mvc one is ignored by Web API

// The controller name, repository and mapper fields are not shown in the question; this wrapper is assumed
public class CustomersController : ApiController
{
    //when i try send anonymous request, it always allows to get data???
    // Why authorize attribute not working
    [Authorize(Roles = "Administrators")]
    public HttpResponseMessage GetAll() {
        var customers = repository.GetAll();
        var customersDto = new List<CustomerDto>();
        if (customers == null)
        {
            var response = Request.CreateResponse(HttpStatusCode.NotFound, "Customer not found");
            throw new HttpResponseException(response);
        }
        else
        {
            foreach (var cust in customers)
            {
                customersDto.Add(mapper.Map<Customer, CustomerDto>(cust));
            }
            return Request.CreateResponse<List<CustomerDto>>(
            HttpStatusCode.OK,
            customersDto);
        }
    }
}

Because in Web API the actual Authorize attribute doesn't work; it is more of an ASP.NET MVC approach.

To enable the authorization handler in ASP.NET Web API you need to add the handler. You should do it where you map your routes: the WebApiConfig class or Global.asax.cs.

Here is an example that assigns the authentication handler to all Web API routes.

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        config.MessageHandlers.Add(new AuthenticationHandler());

        config.Routes.MapHttpRoute(name: "DefaultApi",...);
    }
}


Have you considered setting a breakpoint in the handler and stepping through the code? Unless you have overridden the default behavior of AuthorizeAttribute, it should return 401 if you are using Web API 2.

FYI, setting Thread.CurrentPrincipal is not enough. You need to set request.HttpRequestContext.Principal.

I set a breakpoint and added comments in my code. For unauthorized requests this message handler always passes them through. What I don't understand is why the authorize filter isn't working. When I check the user-in-role in the controller and debug, the IsAuthenticated property of the HttpRequest is true and the authorized role is NT Local System.
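The following is an added example and not code from the question, the answer or the comments above. It combines the two points made on this page: the handler has to be registered in the Web API configuration (with the repository its constructor needs), and in Web API 2 the principal must be assigned to the request context, not only to Thread.CurrentPrincipal. It also closes the gap in the asker's handler, where a request with no token or an unknown token was passed through without any principal being set, by always assigning one (an explicitly unauthenticated principal when no token is present, a 401 when the token is unknown). It assumes the Microsoft.AspNet.WebApi.Core package; UserData, InMemoryUserRepository, the two sample tokens and the plain-string token lookup are constructed stand-ins for the asker's IUserRepository and RSAClass.Decrypt, and CustomersController is an assumed name.

```csharp
// Added example (not the asker's or answerer's code). Assumes Microsoft.AspNet.WebApi.Core;
// UserData, InMemoryUserRepository and the string-keyed token lookup are constructed stand-ins.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

public class UserData { public string Username; public string[] Roles; }

public interface IUserRepository { UserData GetUserData(string token); }

// Constructed sample data: two opaque tokens mapped to users with different roles.
public class InMemoryUserRepository : IUserRepository
{
    private readonly Dictionary<string, UserData> _byToken = new Dictionary<string, UserData>
    {
        { "tok-admin", new UserData { Username = "alice", Roles = new[] { "Administrators" } } },
        { "tok-user",  new UserData { Username = "bob",   Roles = new[] { "Users" } } },
    };

    public UserData GetUserData(string token)
    {
        UserData user;
        return _byToken.TryGetValue(token, out user) ? user : null;
    }
}

public class AuthenticationHandler : DelegatingHandler
{
    private readonly IUserRepository _userRepository;

    public AuthenticationHandler(IUserRepository userRepository)
    {
        _userRepository = userRepository;
    }

    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Start from an explicit unauthenticated principal (empty name => IsAuthenticated == false)
        // instead of leaving whatever identity the host had already attached to the request.
        IPrincipal principal = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);

        var cookie = request.Headers.GetCookies("Authorization-Token")
                                    .Select(header => header["Authorization-Token"])
                                    .FirstOrDefault(state => state != null);
        if (cookie != null)
        {
            // A token that is present but unknown is rejected here and never reaches a controller.
            var user = _userRepository.GetUserData(cookie.Value);
            if (user == null)
                return Task.FromResult(request.CreateResponse(HttpStatusCode.Unauthorized));
            var identity = new GenericIdentity(user.Username, "Token");
            principal = new GenericPrincipal(identity, user.Roles ?? new string[0]);
        }

        // Web API 2's AuthorizeAttribute reads the request context principal, so that is the one
        // that matters; Thread.CurrentPrincipal is kept in sync for code that still reads the thread.
        request.GetRequestContext().Principal = principal;
        Thread.CurrentPrincipal = principal;
        return base.SendAsync(request, cancellationToken);
    }
}

public class CustomersController : ApiController
{
    [Authorize(Roles = "Administrators")]
    public HttpResponseMessage GetAll()
    {
        return Request.CreateResponse(HttpStatusCode.OK, new[] { "customer-1", "customer-2" });
    }
}

public static class Program
{
    public static void Main()
    {
        var config = new HttpConfiguration();
        // The handler needs its repository, so register an instance rather than a bare new AuthenticationHandler().
        config.MessageHandlers.Add(new AuthenticationHandler(new InMemoryUserRepository()));
        config.Routes.MapHttpRoute("DefaultApi", "api/{controller}");

        // HttpServer is itself a message handler, so HttpClient can drive the whole pipeline
        // in-process without IIS; each case prints the status code the pipeline returns.
        using (var server = new HttpServer(config))
        using (var client = new HttpClient(server))
        {
            foreach (var token in new[] { null, "bogus", "tok-user", "tok-admin" })
                Console.WriteLine("{0,-10} -> {1}", token ?? "(none)", Send(client, token));
        }
    }

    private static HttpStatusCode Send(HttpClient client, string token)
    {
        var request = new HttpRequestMessage(HttpMethod.Get, "http://localhost/api/customers");
        if (token != null)
            request.Headers.Add("Cookie", "Authorization-Token=" + token);
        return client.SendAsync(request).Result.StatusCode;
    }
}
```

Run as a console program against the Web API 2 assemblies. Only the tok-admin request should reach GetAll: the tokenless request and the Users-role request carry a principal that [Authorize(Roles = "Administrators")] refuses, and the unknown token is refused by the handler before a controller is even selected. Because the handler now assigns a principal on every path, an [Authorize] action can no longer see whatever identity the host attached to the request, which is the situation the asker observed when IsAuthenticated was true without any token.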