C# Web.Api上的基本令牌身份验证和授权
所以我有一个调用WebApi方法的MVC应用程序 我在MVC应用程序上的授权是这样完成的C# Web.Api上的基本令牌身份验证和授权,c#,asp.net-mvc,authentication,asp.net-web-api,authorization,C#,Asp.net Mvc,Authentication,Asp.net Web Api,Authorization,所以我有一个调用WebApi方法的MVC应用程序 我在MVC应用程序上的授权是这样完成的 public class CustomAuthorizeAttribute : AuthorizeAttribute { private RolesEnum _role; public CustomAuthorizeAttribute() { _role = RolesEnum.User; } public C
public class CustomAuthorizeAttribute : AuthorizeAttribute {
private RolesEnum _role;
public CustomAuthorizeAttribute() {
_role = RolesEnum.User;
}
public CustomAuthorizeAttribute(RolesEnum role) {
_role = role;
}
protected override bool AuthorizeCore(HttpContextBase httpContext) {
User currentUser = (User)httpContext.Session["CurrentUser"];
if (currentUser == null) {
return false;
}
if (currentUser.Role == RolesEnum.User && _role == RolesEnum.Admin) {
return false;
}
return true;
}
public User LogIn(User acc) {
try {
HttpClient client = new HttpClient();
client.BaseAddress = new Uri(BASE_URL);
client.DefaultRequestHeaders.Accept.Add(
new MediaTypeWithQualityHeaderValue("application/json"));
HttpResponseMessage response = client.PostAsJsonAsync("api/Account/Login", acc).Result;
if (response.IsSuccessStatusCode) {
return response.Content.ReadAsAsync<User>().Result;
} else {
return null;
}
} catch {
return null;
}
}
[Route("api/Account/Login")]
[HttpPost]
public IHttpActionResult Login(User userModel) {
User user = db.Users.Where(p => p.Username == userModel.Username && p.Password == userModel.Password).FirstOrDefault();
if (user != null) {
return Ok(user);
} else {
throw new HttpResponseException(HttpStatusCode.Unauthorized);
}
}
身份验证通过调用WebApi方法完成
[HttpPost]
public ActionResult Login(string username, string password)
{
User acc = new User();
acc.Username = username;
acc.Password = password;
acc = accBL.Login(acc);
if (acc != null) {
Session.Add("CurrentUser", acc);
return RedirectToAction("Index", "Project", null);
} else {
return View();
}
}
登录方法如下所示
public class CustomAuthorizeAttribute : AuthorizeAttribute {
private RolesEnum _role;
public CustomAuthorizeAttribute() {
_role = RolesEnum.User;
}
public CustomAuthorizeAttribute(RolesEnum role) {
_role = role;
}
protected override bool AuthorizeCore(HttpContextBase httpContext) {
User currentUser = (User)httpContext.Session["CurrentUser"];
if (currentUser == null) {
return false;
}
if (currentUser.Role == RolesEnum.User && _role == RolesEnum.Admin) {
return false;
}
return true;
}
public User LogIn(User acc) {
try {
HttpClient client = new HttpClient();
client.BaseAddress = new Uri(BASE_URL);
client.DefaultRequestHeaders.Accept.Add(
new MediaTypeWithQualityHeaderValue("application/json"));
HttpResponseMessage response = client.PostAsJsonAsync("api/Account/Login", acc).Result;
if (response.IsSuccessStatusCode) {
return response.Content.ReadAsAsync<User>().Result;
} else {
return null;
}
} catch {
return null;
}
}
[Route("api/Account/Login")]
[HttpPost]
public IHttpActionResult Login(User userModel) {
User user = db.Users.Where(p => p.Username == userModel.Username && p.Password == userModel.Password).FirstOrDefault();
if (user != null) {
return Ok(user);
} else {
throw new HttpResponseException(HttpStatusCode.Unauthorized);
}
}
如何在MVC应用程序和WebApi服务之间建立连接。我的授权和身份验证在MVC部件上工作,但是可以在没有任何授权/身份验证的情况下调用我的WebApi服务。如何根据我的示例保护我的WebApi?我已经用MVC和WebApi工作了大约3周,很多事情对我来说都不是很清楚
我是否应该在公共IHttpActionResult登录(User userModel)中创建一个GUID,并在每次调用方法时检查它?如何将此GUID传递给MVC应用程序,以及如何将其从MVC传递给WebApi 您可以做的是在WebAPI
Login()
方法中创建某种类型的令牌(例如JWT),并返回Ok()
响应(到MVC应用程序)。调用API端点的用户必须将此令牌发回(例如,在自定义“令牌”头中)。您可以在API端点中使用的自定义WebAPI授权属性中验证令牌
例如
登录端点
[Route("api/Account/Login")]
[HttpPost]
public object Login(User userModel) {
User user = ...;
string token = CreateTokenForUser(user);
if (user != null) {
// return user and token back
return new {User = user, Token = token};
} else {
throw new HttpResponseException(HttpStatusCode.Unauthorized);
}
}
自定义身份验证筛选器
public class UserAuthAttribute : ActionFilterAttribute, IAuthenticationFilter
{
public async Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
{
string token = null;
IEnumerable<string> tokenHeader;
if (context.Request.Headers.TryGetValues("Token", out tokenHeader))
token = tokenHeader.FirstOrDefault();
if (token != null && IsTokenValid(token)
{
// user has been authenticated i.e. send us a token we sent back earlier
}
else
{
// set ErrorResult - this will result in sending a 401 Unauthorized
context.ErrorResult = new AuthenticationFailureResult(Invalid token", context.Request);
}
}
}
我会在几分钟内测试它!谢谢你的回答!我已经接受了答案,我把你发布的一些东西拿了下来,做了一些修改。非常感谢。很高兴听到你找到了解决办法!我发布的想法来自一个已经在运行的更大的项目……是的,我改变了它,我使用标题(而不是内容)将令牌从api发送到客户端,并将UserModel传递到内容中。