Asp.Net WebApi 上的自定义授权属性
Posted
技术标签:
【中文标题】Asp.Net WebApi 上的自定义授权属性【英文标题】:Custom Authorization Attribute on Asp.Net WebApi 【发布时间】:2012-05-09 21:01:58 【问题描述】:当用户使用 ASP.Net Web Api 获得授权时,如何返回值?我尝试在 Authorize 属性上覆盖 OnAuthorize,但方法类型为“void”,因此我无法返回任何值,还是应该将我想要的值附加到标头上作为响应标头?
这是我想要实现的目标:
-
用户传递 api 密钥和共享密钥
当用户被授权时,自定义属性会返回用户的Id和Name
ID 将用于作为参数传递 Rest 方法
【问题讨论】:
【参考方案1】:此代码示例可能会对您有所帮助。
public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
base.OnAuthorization(actionContext);
IManageUsers manageUser = new ManageUsers();
//get authentication token from header + email
string authenticationToken = string.Empty;
string email = string.Empty;
if (actionContext.Request.Headers.GetValues("email") != null && (!string.IsNullOrEmpty(Convert.ToString(actionContext.Request.Headers.GetValues("email").FirstOrDefault()))))
if (actionContext.Request.Headers.GetValues("authenticationToken") != null && (!string.IsNullOrEmpty(Convert.ToString(actionContext.Request.Headers.GetValues("authenticationToken").FirstOrDefault()))))
authenticationToken = Convert.ToString(actionContext.Request.Headers.GetValues("authenticationToken").FirstOrDefault());
email = Convert.ToString(actionContext.Request.Headers.GetValues("email").FirstOrDefault());
//check if user is activated
User user = manageUser.GetByEmail(email);
if (user != null)
//if user is not authentication
if (user.AuthenticationStatus != AuthenticationStatus.Authenticated)
HttpContext.Current.Response.AddHeader("AuthenticationStatus", "NotAuthenticated");
actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
return;
//user is authentication, now check authorization
string authenticationTokenPersistant = user.AuthorizationToken;
//if length is not equal to the saved token
var authenticationTokenEncrypted = manageUser.EncryptAuthenticationTokenAes(authenticationTokenPersistant, user.Key, user.IV);
if (authenticationToken != authenticationTokenEncrypted)
HttpContext.Current.Response.AddHeader("Email", email);
HttpContext.Current.Response.AddHeader("authenticationToken", authenticationToken);
HttpContext.Current.Response.AddHeader("AuthenticationStatus", "NotAuthorized");
actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
HttpContext.Current.Response.AddHeader("ErrorMessage", "Invalid token");
return;
HttpContext.Current.Response.AddHeader("Email", email);
HttpContext.Current.Response.AddHeader("authenticationToken", authenticationToken);
HttpContext.Current.Response.AddHeader("AuthenticationStatus", "Authorized");
actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.OK);
else
actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.PreconditionFailed);
HttpContext.Current.Response.AddHeader("ErrorMessage", "Email does not exist");
return;
else
actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.PreconditionFailed);
HttpContext.Current.Response.AddHeader("ErrorMessage", "Please provide authentication token");
return;
else
actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.PreconditionFailed);
HttpContext.Current.Response.AddHeader("ErrorMessage", "Please provide email address");
return;
【讨论】:
以上是关于Asp.Net WebApi 上的自定义授权属性的主要内容,如果未能解决你的问题,请参考以下文章
如何创建不依赖于 ASP.NET Core 声明的自定义 Authorize 属性?
带有权限代码的 ASP.NET MVC 4 自定义授权属性(无角色)