
Encrypt a web api request body content and decrypt on server

I am looking to create a simple security solution for which web API body content is not simply displayed to all who wish to see it via intercepting the request with Fiddler or something. I am restricted in that I cannot use SSL. I have already implemented a HMAC type of authentication and am wanting to take it a step further by creating an encryption of the body content on the client and sending that request to the server, where the server will then decrypt the body and forward it to the action as expected, but decrypted. I used a filter for the server-side HMAC and a DelegatingHandler on the client.

I am not very familiar with working with HTTP requests and do not fully understand how I might intercept all body content, then encrypt it and put it back into the HttpContent.

Any ideas or help would be greatly appreciated.

In order to decrypt data before model mapping occurs in Web API, you can hijack the AuthorizeAttribute, because ActionFilterAttribute occurs after model mapping.

I know that the AuthorizeAttribute is meant for another reason, but hijacking it worked perfectly for me (I wanted to decompress zip content).

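    using System.Web.Http;              // AuthorizeAttribute
    using System.Web.Http.Controllers;  // HttpActionContext

    public class DecryptAttribute : AuthorizeAttribute
    {
        // Runs before model binding, so the action receives the decrypted body.
        // base.OnAuthorization is not called, so this attribute performs no authorization check itself.
        public override void OnAuthorization(HttpActionContext actionContext)
        {
            // DecryptContent is a helper (not shown) that returns the decrypted HttpContent.
            actionContext.Request.Content = DecryptContent(actionContext.Request.Content);
        }
    }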

Then decorate all your Web API controllers with this attribute.

In order to compress and embed to body I used a Delegating Handler:

    using System.Net.Http;
    using System.Threading;
    using System.Threading.Tasks;

    public class EncryptHandler : DelegatingHandler
    {
        protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
        {
            return base.SendAsync(request, cancellationToken).ContinueWith<HttpResponseMessage>((responseToCompleteTask) =>
            {
                HttpResponseMessage response = responseToCompleteTask.Result;
                // EncryptContent is an HttpContent subclass (not shown) that wraps the original content.
                response.Content = new EncryptContent(response.Content);

                return response;
            },
            TaskContinuationOptions.OnlyOnRanToCompletion);
        }
    }

Then just register it:

    GlobalConfiguration.Configuration.MessageHandlers.Add(new EncryptHandler());
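
The answer does not show the decrypt and encrypt helpers it calls. The following is an added example, not code from the answer or from ASP.NET, of one way to fill them in with AES-CBC plus HMAC-SHA256 in encrypt-then-MAC order, using only types available on .NET Framework. Assumptions: the class name `BodyCrypto`, the wire layout, and two separate 32-byte keys (`encKey`, `macKey`) already shared between client and server out of band are all hypothetical.

```csharp
using System.Linq;
using System.Net.Http;
using System.Security.Cryptography;

// Added example (hypothetical helper). Wire format:
// IV (16 bytes) || AES-CBC ciphertext || HMAC-SHA256 tag (32 bytes)
public static class BodyCrypto
{
    public static byte[] Protect(byte[] plain, byte[] encKey, byte[] macKey)
    {
        using (var aes = Aes.Create())              // defaults: CBC, PKCS7
        using (var hmac = new HMACSHA256(macKey))
        {
            aes.Key = encKey;
            aes.GenerateIV();                       // fresh random IV per message
            using (var enc = aes.CreateEncryptor())
            {
                byte[] body = aes.IV.Concat(enc.TransformFinalBlock(plain, 0, plain.Length)).ToArray();
                return body.Concat(hmac.ComputeHash(body)).ToArray(); // tag covers IV + ciphertext
            }
        }
    }

    public static byte[] Unprotect(byte[] msg, byte[] encKey, byte[] macKey)
    {
        int ctLen = msg.Length - 16 - 32;
        if (ctLen < 16) throw new CryptographicException("Body too short.");
        using (var aes = Aes.Create())
        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] expected = hmac.ComputeHash(msg, 0, 16 + ctLen);
            int diff = 0;                           // constant-time tag comparison
            for (int i = 0; i < 32; i++) diff |= expected[i] ^ msg[16 + ctLen + i];
            if (diff != 0) throw new CryptographicException("Body failed integrity check.");
            aes.Key = encKey;                       // decrypt only after the tag verifies
            aes.IV = msg.Take(16).ToArray();
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(msg, 16, ctLen);
        }
    }

    // One shape the answer's decrypt helper could take (key parameters assumed; blocking read).
    public static HttpContent DecryptContent(HttpContent body, byte[] encKey, byte[] macKey)
    {
        var plain = new ByteArrayContent(Unprotect(body.ReadAsByteArrayAsync().Result, encKey, macKey));
        plain.Headers.ContentType = body.Headers.ContentType;
        return plain;
    }
}
```

Verifying the tag before decrypting means a tampered body is rejected without ever reaching the CBC padding check. The format carries no timestamp or nonce check, so a captured body can still be replayed unless the existing HMAC authentication already covers that.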
