Asp.Net WebApi 上的自定义授权属性

Posted

技术标签:

【中文标题】Asp.Net WebApi 上的自定义授权属性【英文标题】:Custom Authorization Attribute on Asp.Net WebApi 【发布时间】:2012-05-09 21:01:58 【问题描述】:

当用户使用 ASP.Net Web Api 获得授权时,如何返回值?我尝试在 Authorize 属性上覆盖 OnAuthorize,但方法类型为“void”,因此我无法返回任何值,还是应该将我想要的值附加到标头上作为响应标头?

这是我想要实现的目标:

    用户传递 api 密钥和共享密钥 当用户被授权时,自定义属性会返回用户的Id和Name ID 将用于作为参数传递 Rest 方法

【问题讨论】:

【参考方案1】:

此代码示例可能会对您有所帮助。

public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)

    base.OnAuthorization(actionContext);
    IManageUsers manageUser = new ManageUsers();
    //get authentication token from header + email
    string authenticationToken = string.Empty;
    string email = string.Empty;
    if (actionContext.Request.Headers.GetValues("email") != null && (!string.IsNullOrEmpty(Convert.ToString(actionContext.Request.Headers.GetValues("email").FirstOrDefault()))))
    
        if (actionContext.Request.Headers.GetValues("authenticationToken") != null && (!string.IsNullOrEmpty(Convert.ToString(actionContext.Request.Headers.GetValues("authenticationToken").FirstOrDefault()))))
        
            authenticationToken = Convert.ToString(actionContext.Request.Headers.GetValues("authenticationToken").FirstOrDefault());
            email = Convert.ToString(actionContext.Request.Headers.GetValues("email").FirstOrDefault());
            //check if user is activated 
            User user = manageUser.GetByEmail(email);
            if (user != null)
            
                //if user is not authentication
                if (user.AuthenticationStatus != AuthenticationStatus.Authenticated)
                
                    HttpContext.Current.Response.AddHeader("AuthenticationStatus", "NotAuthenticated");
                    actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
                    return;
                

                //user is authentication, now check authorization
                string authenticationTokenPersistant = user.AuthorizationToken;
                //if length is not equal to the saved token
                var authenticationTokenEncrypted = manageUser.EncryptAuthenticationTokenAes(authenticationTokenPersistant, user.Key, user.IV);
                if (authenticationToken != authenticationTokenEncrypted)
                
                    HttpContext.Current.Response.AddHeader("Email", email);
                    HttpContext.Current.Response.AddHeader("authenticationToken", authenticationToken);
                    HttpContext.Current.Response.AddHeader("AuthenticationStatus", "NotAuthorized");
                    actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
                    HttpContext.Current.Response.AddHeader("ErrorMessage", "Invalid token");
                    return;
                

                HttpContext.Current.Response.AddHeader("Email", email);
                HttpContext.Current.Response.AddHeader("authenticationToken", authenticationToken);
                HttpContext.Current.Response.AddHeader("AuthenticationStatus", "Authorized");
                actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.OK);
            
            else
            
                actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.PreconditionFailed);
                HttpContext.Current.Response.AddHeader("ErrorMessage", "Email does not exist");
                return;
            
        
        else
        
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.PreconditionFailed);
            HttpContext.Current.Response.AddHeader("ErrorMessage", "Please provide authentication token");
            return;
        
    
    else
    
        actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.PreconditionFailed);
        HttpContext.Current.Response.AddHeader("ErrorMessage", "Please provide email address");
        return;
    

【讨论】:

以上是关于Asp.Net WebApi 上的自定义授权属性的主要内容,如果未能解决你的问题,请参考以下文章

如何创建不依赖于 ASP.NET Core 声明的自定义 Authorize 属性?

带有权限代码的 ASP.NET MVC 4 自定义授权属性(无角色)

ASP.NET 中 401.2 的自定义错误

Asp.Net Core WebApi:授权属性错误 403

asp.net MVC3 上的自定义错误页面

如何在 ASP.Net MVC 5 视图中获取 ApplicationUser 的自定义属性值?