Asp.net 如何使用WebClient发送在授权标头中包含令牌的Post请求
我正在努力构建两个asp.net mvc web应用程序之间的安全集成;和ERP系统,该系统调用网络扫描应用程序。因此,目前在接收器应用程序(网络扫描应用程序)上,我有以下操作方法,只能由ERP系统执行:-Asp.net 如何使用WebClient发送在授权标头中包含令牌的Post请求,asp.net,asp.net-mvc,asp.net-mvc-5,authorization,webclient,Asp.net,Asp.net Mvc,Asp.net Mvc 5,Authorization,Webclient,我正在努力构建两个asp.net mvc web应用程序之间的安全集成;和ERP系统,该系统调用网络扫描应用程序。因此,目前在接收器应用程序(网络扫描应用程序)上,我有以下操作方法,只能由ERP系统执行:- public async Task<ActionResult> ScanServer(string tokenfrom, string FQDN) //only the ERP system should be able to call this
public async Task<ActionResult> ScanServer(string tokenfrom, string FQDN) //only the ERP system should be able to call this
{
string Token = System.Web.Configuration.WebConfigurationManager.AppSettings["Token"];//get the token from the web.config, this should be encrypted
if (tokenfrom != Token ) // check if the request is authorized by checking comparing the 2 tokens.
{
return new HttpStatusCodeResult(403, "request failed");
//code goes here..
}
public async Task ScanServer(string-tokenfrom,string-FQDN)//应该只有ERP系统能够调用它
{
string Token=System.Web.Configuration.WebConfigurationManager.AppSettings[“Token”];//从Web.config获取令牌,应该对其进行加密
if(tokenfrom!=Token)//通过比较两个令牌来检查请求是否被授权。
{
返回新的HttpStatusCodeResult(403,“请求失败”);
//代码在这里。。
}
在调用方系统(ERP系统)上,我有以下操作方法调用上述操作方法
[HttpPost]
[CheckUserPermissions(Action = "", Model = "Admin")]//check if the user is defined as an admin inside my custom authorization system
public async Task<ActionResult> Scan()
{
try
{
string currentURL = System.Web.Configuration.WebConfigurationManager.AppSettings["scanningURL"];
string token = System.Web.Configuration.WebConfigurationManager.AppSettings["Token"];
using (WebClient wc = new WebClient())
{
string url = currentURL + "home/scanserver?tokenfromtms=" + token + "&FQDN=allscan" ;
var json = await wc.DownloadStringTaskAsync(url);
TempData["messagePartial"] = string.Format("Scan has been completed. Scan reported generated");
}
}
[HttpPost]
[CheckUserPermissions(Action=”“,Model=“Admin”)]//检查该用户是否定义为我的自定义授权系统中的管理员
公共异步任务扫描()
{
尝试
{
字符串currentURL=System.Web.Configuration.WebConfigurationManager.AppSettings[“scanningURL”];
string token=System.Web.Configuration.WebConfigurationManager.AppSettings[“token”];
使用(WebClient wc=new WebClient())
{
字符串url=currentURL+“home/scanserver?tokenfromtms=“+token+”&FQDN=allscan”;
var json=wait wc.downloadstringtaskancy(url);
TempData[“messagePartial”]=string.Format(“扫描已完成。已生成扫描报告”);
}
}
如上面代码所示,我正在发送一个安全令牌,它存储在两个应用程序的web.config文件中。通过这种方式,我可以确保(或这是我的意图)网络扫描应用程序收到的任何请求都来自ERP系统(因为他们只知道令牌)
但根据我的搜索和阅读,我意识到上述方法可能不是100%安全的,原因如下:-
谢谢这是一个基本身份验证的示例
var creds = string.Format("{0}:{1}", userName, Password);
var bytes = Encoding.ASCII.GetBytes(creds);
var header = new AuthenticationHeaderValue("Basic", Convert.ToBase64String(bytes));
var client = new HttpClient();
client.DefaultRequestHeaders.Authorization = header;
用于检查接收器
var headers = request.Headers;
if (headers.Authorization != null && headers.Authorization.Scheme.Equals(AuthScheme))
{
var encoding = Encoding.GetEncoding("iso-8859-1");
var creds = encoding.GetString(Convert.FromBase64String(headers.Authorization.Parameter));
var parts = creds.Split(':');
var userName = parts[0].Trim();
var pwd = parts[1].Trim();
}