Asp.Net WebApi上的自定义授权属性
[英]Custom Authorization Attribute on Asp.Net WebApi
问题描述
使用ASP.Net Web Api授权用户时如何返回值? 我尝试覆盖授权属性上的OnAuthorize,但方法类型是'void',所以我不能返回任何值,或者我应该在标题上附加我想要的值作为响应头?
这是我想要达到的目标:
- 用户传递api密钥和共享密钥
- 当用户进行授权时,自定义属性将返回用户的ID和名称
- Id将用于传递Rest Methods作为参数
1 个解决方案
解决方案1
4 2012-05-20 17:32:54
此代码示例可能对您有所帮助。
public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
{
base.OnAuthorization(actionContext);
IManageUsers manageUser = new ManageUsers();
//get authentication token from header + email
string authenticationToken = string.Empty;
string email = string.Empty;
if (actionContext.Request.Headers.GetValues("email") != null && (!string.IsNullOrEmpty(Convert.ToString(actionContext.Request.Headers.GetValues("email").FirstOrDefault()))))
{
if (actionContext.Request.Headers.GetValues("authenticationToken") != null && (!string.IsNullOrEmpty(Convert.ToString(actionContext.Request.Headers.GetValues("authenticationToken").FirstOrDefault()))))
{
authenticationToken = Convert.ToString(actionContext.Request.Headers.GetValues("authenticationToken").FirstOrDefault());
email = Convert.ToString(actionContext.Request.Headers.GetValues("email").FirstOrDefault());
//check if user is activated
User user = manageUser.GetByEmail(email);
if (user != null)
{
//if user is not authentication
if (user.AuthenticationStatus != AuthenticationStatus.Authenticated)
{
HttpContext.Current.Response.AddHeader("AuthenticationStatus", "NotAuthenticated");
actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
return;
}
//user is authentication, now check authorization
string authenticationTokenPersistant = user.AuthorizationToken;
//if length is not equal to the saved token
var authenticationTokenEncrypted = manageUser.EncryptAuthenticationTokenAes(authenticationTokenPersistant, user.Key, user.IV);
if (authenticationToken != authenticationTokenEncrypted)
{
HttpContext.Current.Response.AddHeader("Email", email);
HttpContext.Current.Response.AddHeader("authenticationToken", authenticationToken);
HttpContext.Current.Response.AddHeader("AuthenticationStatus", "NotAuthorized");
actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
HttpContext.Current.Response.AddHeader("ErrorMessage", "Invalid token");
return;
}
HttpContext.Current.Response.AddHeader("Email", email);
HttpContext.Current.Response.AddHeader("authenticationToken", authenticationToken);
HttpContext.Current.Response.AddHeader("AuthenticationStatus", "Authorized");
actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.OK);
}
else
{
actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.PreconditionFailed);
HttpContext.Current.Response.AddHeader("ErrorMessage", "Email does not exist");
return;
}
}
else
{
actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.PreconditionFailed);
HttpContext.Current.Response.AddHeader("ErrorMessage", "Please provide authentication token");
return;
}
}
else
{
actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.PreconditionFailed);
HttpContext.Current.Response.AddHeader("ErrorMessage", "Please provide email address");
return;
}
}
基于资源的ASP.NET授权FormsAuthentication和WebApi
[英]Resource based ASP.NET Authorization FormsAuthentication and WebApi
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.