在SPA应用程序中正确使用ASP.NET 5中的AntiForgery令牌?
[英]Correct usage of AntiForgery token in ASP.NET 5 in SPA application?
问题描述
In previous version of ASP.NET during SPA application the idea of AntiForgey token was following: 
在SPA应用程序的早期版本的ASP.NET中,AntiForgey令牌的想法如下:
- add
@Html.AntiForgeryToken();add @Html.AntiForgeryToken();on the page在页面上 - add
__RequestVerificationTokento the request将__RequestVerificationToken添加到请求中 - ovverride AuthorizeAttribute as
ValidateJsonAntiForgeryTokenAttribute.ovverride AuthorizeAttribute as ValidateJsonAntiForgeryTokenAttribute。
I don't really understand the authorization requirements (is there some good information source?) in ASP.NET 5 but looks like new behavior should be like this: 我不太了解ASP.NET 5中的授权要求(是否有一些好的信息源?)但看起来新行为应该是这样的:
- add
asp-anti-forgerytaghelper添加asp-anti-forgerytaghelper - add
__RequestVerificationTokento the request将__RequestVerificationToken添加到请求中 - here should be the new requirement. 这应该是新的要求。
The question is: how to write this new authorization requirement and remove standard one? 问题是:如何编写这个新的授权要求并删除标准要求? Could someone give some advice or point me on some example? 有人可以提供一些建议或指点我的一些例子吗? Thanks 谢谢
2 个解决方案
解决方案1
1 2015-12-16 17:38:41
With MVC6, if you use something like this: 使用MVC6,如果你使用这样的东西:
<form asp-controller="Account"
asp-action="Login">
</form>
You will automatically get : 你会自动得到:
<form action="/Account/Login" method="post">
<input name="__RequestVerificationToken" type="hidden" value="....">
</form>
asp-antiforgery would only be used if you want to deactivate that behavior. 只有在您想要停用该行为时才会使用asp-antiforgery 。
As for the validation itself, it was added when you did app.AddMvc(...) in your ConfigureServices and Configure method. 至于验证本身,它是在您的ConfigureServices和Configure方法中执行app.AddMvc(...)时添加的。
In fact there's a bunch of stuff that is being added and if you are curious, you can check out the code ! 事实上,有很多东西正在添加,如果你很好奇,你可以查看代码 !
If you really to generate this from an Action using ajax then you could have a controller that depends on IHtmlGenerator and generate your token that way. 如果你真的要使用ajax从Action生成这个,那么你可以拥有一个依赖于IHtmlGenerator的控制器并以这种方式生成你的令牌。
解决方案2
0 2016-12-04 18:58:50
In AspNetCore 1.1.0.0 (Maybe also in earlier versions) with a SPA scenario this is actually quite easy: 在具有SPA场景的AspNetCore 1.1.0.0(也许在早期版本中)中,这实际上非常简单:
Make sure you deliver your index page from a .cshtml view and just add 确保从.cshtml视图中提供索引页面并添加
@Html.AntiForgeryToken()
If you are using jquery you can then read this token and make sure it is sent with all future non-get requests inside a http-header 如果您正在使用jquery,那么您可以读取此令牌并确保它与http-header中的所有未来非获取请求一起发送
$(document).ajaxSend(function(e, xhr, options) {
if (options.type.toUpperCase() != "GET") {
xhr.setRequestHeader("RequestVerificationToken", $("input[name='__RequestVerificationToken']").val());
}
});
Inside your controller method, just add 在你的控制器方法里面,只需添加
[HttpPost]
[ValidateAntiForgeryToken]
public string TestAntiForgery()
{
return "success";
}
If you want/must use a differen header you can change it like this in configureServices: 如果你想/必须使用不同的头,你可以在configureServices中更改它:
services.Configure<AntiforgeryOptions>((options) =>
{
// Configure a different header here
options.HeaderName = "otherHeaderName";
});
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.