C# 如何使用web API管理web方法的安全性?
我的情景如下:C# 如何使用web API管理web方法的安全性?,c#,asp.net-web-api,authorization,token,C#,Asp.net Web Api,Authorization,Token,我的情景如下: 我已经为移动应用程序创建了WEB API 令牌调用-返回授权令牌成功&barer令牌 细节 GetCompanyDetails(intLoginId) GetCompanyCustomer(内部公司ID) 我在数据库中有如下表: 登录表: ID| Username | Password | UserType | CreatedDate 1 | Alex | P#ssword | Company | 2017-05-04 2 | Jhon | 4548@sd | Compa
我已经为移动应用程序创建了WEB API
- 令牌调用-返回授权令牌成功&barer令牌 细节
- GetCompanyDetails(intLoginId)
- GetCompanyCustomer(内部公司ID)
登录表:
ID| Username | Password | UserType | CreatedDate
1 | Alex | P#ssword | Company | 2017-05-04
2 | Jhon | 4548@sd | Company | 2017-05-10
3 | Rubby | R#$S3343| Customer | 2017-05-11
4 | Moris | M#$353 | Customer | 2017-05-11
5 | Febio | Feb@153 | Customer | 2017-05-11
ID | LoginID | CompanyName | Address | CreatedDate | Location
5 | 1 | ALEX Company| Street 1| 2017-05-04 | USA
7 | 2 | JHON INC | NJ, OPP PR market| 2017-05-10 | USA
ID | LoginID | Address | CreatedDate | Location
10 | 3 | Address 1| 2017-05-11 | USA
12 | 4 | Address 2| 2017-05-11 | USA
13 | 5 | Address 3| 2017-05-11 | USA
公司详细信息表:ID| Username | Password | UserType | CreatedDate
1 | Alex | P#ssword | Company | 2017-05-04
2 | Jhon | 4548@sd | Company | 2017-05-10
3 | Rubby | R#$S3343| Customer | 2017-05-11
4 | Moris | M#$353 | Customer | 2017-05-11
5 | Febio | Feb@153 | Customer | 2017-05-11
ID | LoginID | CompanyName | Address | CreatedDate | Location
5 | 1 | ALEX Company| Street 1| 2017-05-04 | USA
7 | 2 | JHON INC | NJ, OPP PR market| 2017-05-10 | USA
ID | LoginID | Address | CreatedDate | Location
10 | 3 | Address 1| 2017-05-11 | USA
12 | 4 | Address 2| 2017-05-11 | USA
13 | 5 | Address 3| 2017-05-11 | USA
客户详细信息表:ID| Username | Password | UserType | CreatedDate
1 | Alex | P#ssword | Company | 2017-05-04
2 | Jhon | 4548@sd | Company | 2017-05-10
3 | Rubby | R#$S3343| Customer | 2017-05-11
4 | Moris | M#$353 | Customer | 2017-05-11
5 | Febio | Feb@153 | Customer | 2017-05-11
ID | LoginID | CompanyName | Address | CreatedDate | Location
5 | 1 | ALEX Company| Street 1| 2017-05-04 | USA
7 | 2 | JHON INC | NJ, OPP PR market| 2017-05-10 | USA
ID | LoginID | Address | CreatedDate | Location
10 | 3 | Address 1| 2017-05-11 | USA
12 | 4 | Address 2| 2017-05-11 | USA
13 | 5 | Address 3| 2017-05-11 | USA
公司客户表:ID | CompanyID | CustomerID
1 | 5 | 10
1 | 5 | 12
2 | 7 | 13
一旦我授权了API,那么在我调用该方法以获得公司客户之后。
3.那次我路过这家公司是为了得到顾客
[HttpGet]
[Authorize(Roles=("Company")]
public List<Customer> CompanyCustomer(int companyId)
{
//Return the list of customer by companyId
}
[HttpGet]
[授权(角色=(“公司”)]
上市公司客户(国际公司ID)
{
//按公司ID返回客户列表
}
我的观点是如何在令牌授权时验证同一用户。
假设我请求使用
- ALEX Company’s CompanyID=5然后我称该公司为客户(5) 将退还所有客户
- 在这之后,我们应该打电话给该公司的客户(7),然后仍然返回另一家公司的所有客户。
如何通过请求的用户检测API调用方令牌
如何处理这种安全性?您正在寻找的是声明授权。您可能会找到一个使用ASP.NET标识的示例。即使您不使用ASP.NET标识,原则也是一样的。
public sealed class PrivateAttribute : Attribute, IAuthorizationFilter {
public Task<HttpResponseMessage> ExecuteAuthorizationFilterAsync(
HttpActionContext actionContext,
CancellationToken cancellationToken,
Func<Task<HttpResponseMessage>> continuation) {
var claimsPrincipal = actionContext.RequestContext.Principal as ClaimsPrincipal;
if (actionContext.RequestContext.RouteData.Values.ContainsKey(CONSTANTS.USER_ID_KEY) && claimsPrincipal != null) {
var requestedID = actionContext.RequestContext.RouteData.Values[CONSTANTS.USER_ID_KEY];
if (claimsPrincipal.HasClaim(CONSTANTS.USER_ID_KEY, requestedID.ToString())) {
return continuation();
} else { // someone is trying to get resources of another user
return whatever fail;
}
} else { // there is no {id} paramter in the route, nothing to do
return continuation();
}
}
public bool AllowMultiple => false;
}