WebAPI可以在响应之前更改输出吗？

Question

I'm building a WebAPI for an external mobile company ( all I do is exposing services).

Right now , our DB uses non-encrypted values for columns like :

• ObjectID
• PolicyID
• etc..

But now , when we expose it , and I need to encrypt values. ( only server can decrypt values , the mobile company doesn't care about the actual values).

I don't want to start digest every Stored Procedure response manually and replace values with encrypted ones. ( don't forget that our internal server does not uses encrypted values - it uses data regularly).

OK Here's a live example :

I have this controller code :

[HttpGet]
[ActionName("test2")]
public HttpResponseMessage test2(int id)
{
   var Data = GetDataFromSource_1();
            // or from GetDataFromSource_2(); 
   return Request.CreateResponse(HttpStatusCode.OK, Data);
}

Where GetDataFromSource_1 is via dynamic list (just to simulate a source)

public IEnumerable GetDataFromSource_1()
{
    List<dynamic> lst = new List<dynamic>();
    lst.Add(new
    {
        objId = 1,
        myOtherColumn = 5
    });
    lst.Add(new
    {
        objId = 2,
        myOtherColumn = 8
    });
    return lst;
}

And

GetDataFromSource_2 is via DataTable ( just to simulate another source)

public DataTable GetDataFromSource_2()
{
    DataTable dt = new DataTable("myTable");
    dt.Columns.Add("objId", typeof(int));
    dt.Columns.Add("myOtherColumn", typeof(int));
    DataRow row = dt.NewRow();
    row["objId"] = 1;
    row["myOtherColumn"] = 5;
    dt.Rows.Add(row);
    row = dt.NewRow();
    row["objId"] = 2;
    row["myOtherColumn"] = 8;
    dt.Rows.Add(row);
    return dt;
}

Both yields this json response:

{"Result":{"Success":true,"Message":""},"Data":[{"objId":1,"myOtherColumn":5},{"objId":2,"myOtherColumn":8}]}

Question

How (and where) can I scan the content of the response ( which is going to be sent) and replace for every column in ( and only for them) :

• ObjectID
• PolicyID
• etc..

to an encrypted value ?

For example :

I Would like the output to be :

{
    "Result": {
        "Success": true,
        "Message": ""
    },
    "Data": [{
        "objId": "XXX_the_encrypted_valueXXX",
        "myOtherColumn": 5
    }, {
        "objId": "XXX_the_encrypted_valueXXX":  ,
        "myOtherColumn": 8
    }]
}

(where "XXX_the_encrypted_valueXXX" is an encrypted value of the old value.)

NB it's assumable that I have Utils.Encrypt(string st) method.

Also , we dont have entities so i can not decorate an entity . I need to plugin when the json is created

Answer 1

I think you should decorate the encrypted properties with an Attribute :

[JsonEncryptValue]
public Guid ObjectID {get;set;}

And then add a JsonConverter that will handle only properties that have a JsonEncryptValue attribute on them. You can re-write their value easily.

And then all you need to do is add your JsonConverter to the JsonSerializer in the WebApiConfig.cs file:

    JsonMediaTypeFormatter jsonFormatter = GlobalConfiguration.Configuration.Formatters.JsonFormatter;
    JsonSerializerSettings jSettings = new Newtonsoft.Json.JsonSerializerSettings()
    {
        Formatting = Formatting.Indented,
        DateTimeZoneHandling = DateTimeZoneHandling.Utc
    };

    jSettings.Converters.Add(new EncryptionJsonConverter());
    jsonFormatter.SerializerSettings = jSettings;

Answer 2

What you can do is create a custom DelegatingHandler by deriving it and supplying your own implementation and register it your config.MessageHandlers .

So we need a handler and a recursive method which iterates the entire JSON. We'll use the answer provided in Searching for a specific JToken by name in a JObject hierarchy :

private static void FindTokens(JToken containerToken, string name, List<JToken> matches)
{
    if (containerToken.Type == JTokenType.Object)
    {
        foreach (JProperty child in containerToken.Children<JProperty>())
        {
            if (child.Name == name)
            {
                matches.Add(child.Value);
            }
            FindTokens(child.Value, name, matches);
        }
    }
    else if (containerToken.Type == JTokenType.Array)
    {
        foreach (JToken child in containerToken.Children())
        {
            FindTokens(child, name, matches);
        }
    }
}

And the complete handler will look as following:

public class JsonEncrypterHandler : DelegatingHandler
{
    protected async override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var response = await base.SendAsync(request, cancellationToken);
        var returnedJson = await response.Content.ReadAsStringAsync();

        JObject jObj = JObject.Parse(returnedJson);

        List<JToken> objIdTokens = new List<JToken>();
        List<JToken> policyIdTokens = new List<JToken>();

        FindTokens(jObj, "objid", objIdTokens);
        FindTokens(jObj, "policyid", policyIdTokens);

        foreach (JValue objId in objIdTokens)
        {
            objId.Value = Utils.Encrypt(objIdValue);
        }

        foreach (JValue policyId in policyIdTokens)
        {
            policyId.Value = Utils.Encrypt(policyIdTokens);
        }

        response.Content = JsonConvert.SerializeObject(jObj);
        return response;
    }
}

Answer 3

I think you have to create customer attribute. Decorate all your action or controller with that attribute.

In that on you have to read result and deserialize back to Json object or .net object.

Following link will help you on that.

http://damienbod.wordpress.com/2014/01/04/web-api-2-using-actionfilterattribute-overrideactionfiltersattribute-and-ioc-injection/