HttpWebRequest检查允许的域
[英]HttpWebRequest check for allowed domain
问题描述
I have a question regarding the allowing the user to connecto only allowed domain name. 
我有一个关于允许用户仅连接允许的域名的问题。
So what i have in mind is: i have a list of domaina names, like *.domain1.com; 所以我想到的是:我有一个域名列表,例如* .domain1.com; *.domain2.com etc ... * .domain2.com等...
Then somwhere in the code I have to check if the request or response is really from that kind of domain, if it is not, i should throw a message. 然后在代码中的某个地方,我必须检查请求或响应是否确实来自该类型的域,如果不是,则应该抛出一条消息。
Here i have the code which i have at this moment: 这是我现在拥有的代码:
HttpWebRequest request = (HttpWebRequest)WebRequest.Create("url");
using (WebResponse response = request.GetResponse())
{
using (Stream stream = response.GetResponseStream())
{
if (stream == null)
{
return null;
}
return stream;
}
}
Any idea? 任何想法?
2 个解决方案
解决方案1
1 已采纳 2013-03-08 08:45:05
Use the ResponseUri property: 使用ResponseUri属性:
HashSet<String> allowedDomains = new HashSet<String>()
{
"domain1.com",
"domain2.com"
};
HttpWebRequest request = (HttpWebRequest)WebRequest.Create("url");
using (WebResponse response = request.GetResponse())
{
if (!allowedDomains.Contains(response.ResponseUri.Host))
{
throw new IllegalDomainException();
}
using (Stream stream = response.GetResponseStream())
{
if (stream == null)
{
return null;
}
return stream;
}
}
You might want modify the comparisson: for example, iterate backwards over the result of request.ResponseUri.Host.Split(".") comparing each part in turn with the equivalent from the allowedDomains value, and you might want to think about where the check is done: do you want redirection to be permitted? 您可能想要修改比较:例如,向后遍历request.ResponseUri.Host.Split(".")结果,依次比较每个部分与allowedDomains值中的等效部分,您可能想考虑检查完成:是否要允许重定向? If so, create a Uri object from the user input, and check the Host property of that. 如果是这样,请从用户输入中创建一个Uri对象,然后检查该对象的Host属性。
解决方案2
0 2013-03-08 08:43:02
Usually this is acquired using the UrlReferer HTTP header, but this header isn't mandatory: it can be set or not. 通常,它是使用UrlReferer HTTP标头获取的,但是此标头不是必需的:可以设置还是不设置。 It depends on the HTTP server. 它取决于HTTP服务器。
The whole header may be accessed using the HttpWebResponse.Headers property: 可以使用HttpWebResponse.Headers属性访问整个标头:
((HttpWebResponse)response).Headers["Referer"]
Honestly, I would like to suggest you that the best solution is to use an application key (an arbitrary identifier). 老实说,我想向您建议最好的解决方案是使用应用程序密钥 (任意标识符)。 For example a Guid (it may work for very simple cases). 例如Guid (它可能适用于非常简单的情况)。
In the Web server you can define default headers (if your Web sites are developed using ASP.NET, you can do it in the web.config ) so any request coming from the whole server will contain your arbitrary HTTP header with the appkey . 在Web服务器中,您可以定义默认标头(如果您的网站是使用ASP.NET开发的,则可以在web.config中进行设置 ),这样来自整个服务器的任何请求都将包含带有appkey的任意HTTP标头。
That is, you can define an arbitrary header that may identify the HTTP responses coming from your Web sites. 也就是说,您可以定义一个任意标头,以标识来自您的网站的HTTP响应。 For example: MySite_AppKey . 例如: MySite_AppKey 。 Using this approach you should verify that any HTTP response contains the whole MySite_AppKey and check if the whole appkey is permitted in some white list . 使用这种方法,你应该确认任何HTTP响应包含整个MySite_AppKey并检查整个的AppKey在一些白名单允许的。
Sample pseudo-code: 样本伪代码:
if(AppAuthorizationManager.IsAuthorized(response.Headers["MySite_AppKey]))
{
// Do stuff for the authorized request
}
Note that I'm describing a very simple implementation . 请注意,我描述的是一个非常简单的实现 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.