How to get request cookies in Web API authorization attribute?

Posted 2016-11-22 02:34:42

Question:

There are two AuthorizeAttribute classes in .NET. One is defined in the System.Web.Http namespace:

namespace System.Web.Http
{
    // Summary:
    //     Specifies the authorization filter that verifies the request's System.Security.Principal.IPrincipal.
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
    public class AuthorizeAttribute : AuthorizationFilterAttribute
    {
        // Summary:
        //     Initializes a new instance of the System.Web.Http.AuthorizeAttribute class.
        public AuthorizeAttribute();

        // Summary:
        //     Gets or sets the authorized roles.
        //
        // Returns:
        //     The roles string.
        public string Roles { get; set; }
        //
        // Summary:
        //     Gets a unique identifier for this attribute.
        //
        // Returns:
        //     A unique identifier for this attribute.
        public override object TypeId { get; }
        //
        // Summary:
        //     Gets or sets the authorized users.
        //
        // Returns:
        //     The users string.
        public string Users { get; set; }

        // Summary:
        //     Processes requests that fail authorization.
        //
        // Parameters:
        //   actionContext:
        //     The context.
        protected virtual void HandleUnauthorizedRequest(HttpActionContext actionContext);
        //
        // Summary:
        //     Indicates whether the specified control is authorized.
        //
        // Parameters:
        //   actionContext:
        //     The context.
        //
        // Returns:
        //     true if the control is authorized; otherwise, false.
        protected virtual bool IsAuthorized(HttpActionContext actionContext);
        //
        // Summary:
        //     Calls when an action is being authorized.
        //
        // Parameters:
        //   actionContext:
        //     The context.
        //
        // Exceptions:
        //   System.ArgumentNullException:
        //     The context parameter is null.
        public override void OnAuthorization(HttpActionContext actionContext);
    }
}

The other is defined in the System.Web.Mvc namespace:

namespace System.Web.Mvc
{
    // Summary:
    //     Specifies that access to a controller or action method is restricted to users
    //     who meet the authorization requirement.
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
    public class AuthorizeAttribute : FilterAttribute, IAuthorizationFilter
    {
        // Summary:
        //     Initializes a new instance of the System.Web.Mvc.AuthorizeAttribute class.
        public AuthorizeAttribute();

        // Summary:
        //     Gets or sets the user roles that are authorized to access the controller
        //     or action method.
        //
        // Returns:
        //     The user roles that are authorized to access the controller or action method.
        public string Roles { get; set; }
        //
        // Summary:
        //     Gets the unique identifier for this attribute.
        //
        // Returns:
        //     The unique identifier for this attribute.
        public override object TypeId { get; }
        //
        // Summary:
        //     Gets or sets the users that are authorized to access the controller or action
        //     method.
        //
        // Returns:
        //     The users that are authorized to access the controller or action method.
        public string Users { get; set; }

        // Summary:
        //     When overridden, provides an entry point for custom authorization checks.
        //
        // Parameters:
        //   httpContext:
        //     The HTTP context, which encapsulates all HTTP-specific information about
        //     an individual HTTP request.
        //
        // Returns:
        //     true if the user is authorized; otherwise, false.
        //
        // Exceptions:
        //   System.ArgumentNullException:
        //     The httpContext parameter is null.
        protected virtual bool AuthorizeCore(HttpContextBase httpContext);
        //
        // Summary:
        //     Processes HTTP requests that fail authorization.
        //
        // Parameters:
        //   filterContext:
        //     Encapsulates the information for using System.Web.Mvc.AuthorizeAttribute.
        //     The filterContext object contains the controller, HTTP context, request context,
        //     action result, and route data.
        protected virtual void HandleUnauthorizedRequest(AuthorizationContext filterContext);
        //
        // Summary:
        //     Called when a process requests authorization.
        //
        // Parameters:
        //   filterContext:
        //     The filter context, which encapsulates information for using System.Web.Mvc.AuthorizeAttribute.
        //
        // Exceptions:
        //   System.ArgumentNullException:
        //     The filterContext parameter is null.
        public virtual void OnAuthorization(AuthorizationContext filterContext);
        //
        // Summary:
        //     Called when the caching module requests authorization.
        //
        // Parameters:
        //   httpContext:
        //     The HTTP context, which encapsulates all HTTP-specific information about
        //     an individual HTTP request.
        //
        // Returns:
        //     A reference to the validation status.
        //
        // Exceptions:
        //   System.ArgumentNullException:
        //     The httpContext parameter is null.
        protected virtual HttpValidationStatus OnCacheAuthorization(HttpContextBase httpContext);
    }
}

The main differences between the two are:

- The System.Web.Http version is used by Web API.
- The System.Web.Mvc version is used by ASP.NET MVC.
- The Http version's OnAuthorization method takes an HttpActionContext parameter, whereas the Mvc version uses an AuthorizationContext.

I want to access the request cookies in the Http version of AuthorizeAttribute. In the Mvc version it is done like this:

public class Foo : AuthorizeAttribute
{
     public override void OnAuthorization(AuthorizationContext filterContext)
     {
          // MVC: cookies come from the HttpRequestBase on the HttpContext
          HttpCookie cookie = filterContext.HttpContext.Request.Cookies.Get("Bar");
     }
}
Does anyone know how I can do the same with HttpActionContext? Is it possible? If not, why?


Answer 1:
using System.Linq;
using System.Net.Http;             // GetCookies() extension method on HttpRequestHeaders
using System.Web.Http;
using System.Web.Http.Controllers;

public class Foo : AuthorizeAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        // Web API: the request is an HttpRequestMessage, so read the Cookie header
        var cookie = actionContext.Request.Headers.GetCookies("Bar").FirstOrDefault();
    }
}
Comments:

Not exactly, but close enough ;).

@Ryan As far as I know, it is all about the debugger result of executing the GetCookies method without any parameters. There should be some array, and it is relatively easy to figure out how to get the cookie.

@Ryan - I think the missing part is this: for example, if your cookie has username=myUserName, then you need to add one line after what Prasanjit wrote - string username = cookie.Cookies.Where(c => c.Name == "username").FirstOrDefault().Value; to extract myUserName

var cookie = actionContext.Request.Headers.GetCookies("Bar").FirstOrDefault()?["Bar"];

Answer 2:
using System.Linq;
using System.Net.Http;             // GetCookies() extension method
using System.Net.Http.Headers;     // CookieHeaderValue

// Inside an ApiController, where Request is the HttpRequestMessage
string sessionId = "";

CookieHeaderValue cookie = Request.Headers.GetCookies("bar").FirstOrDefault();
if (cookie != null)
{
    sessionId = cookie["bar"].Value;
}
Comments:

What is the reason you need to specify "bar" twice?

The first checks whether the desired cookie exists at all. The second piece of code retrieves the value for further processing.

Answer 3:

GetCookies returns a collection of cookies, so you then need to pick out the cookie you want.

using System.Linq;
using System.Net.Http;             // GetCookies() extension method
using System.Web.Http;
using System.Web.Http.Controllers;

public class Foo : AuthorizeAttribute
{
      public override void OnAuthorization(HttpActionContext actionContext)
      {
           // First Cookie header that contains a cookie named "Bar"
           var cookies = actionContext.Request.Headers.GetCookies("Bar").FirstOrDefault();

           // Then the "Bar" name=value pair inside that header (a CookieState)
           var cookie = cookies["Bar"];
      }
}
Comments:

What is the reason you need to specify "Bar" twice?
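The three answers above all stop at reading the cookie. The following is an added example (not code from the original question or any of the answers) that puts the two-step retrieval they describe inside a complete Web API AuthorizeAttribute and then actually makes an authorization decision from it. It assumes Web API 2 (for actionContext.RequestContext.Principal), a hypothetical cookie named "Bar" whose value has the form "<user>.<hex HMAC-SHA256>", and a signing key shared with whatever issued the cookie; the key, the cookie format and the class name are all assumptions made for the example.

```csharp
using System;
using System.Linq;
using System.Net.Http;              // GetCookies() extension on HttpRequestHeaders (System.Net.Http.Formatting)
using System.Net.Http.Headers;      // CookieHeaderValue, CookieState
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Web.Http;              // System.Web.Http.AuthorizeAttribute
using System.Web.Http.Controllers;  // HttpActionContext

// Added example, not from the original post. Authorizes a Web API request from a cookie
// named "Bar" whose value has the hypothetical form "<user>.<hex HMAC-SHA256>".
public class SignedCookieAuthorizeAttribute : AuthorizeAttribute
{
    private const string CookieName = "Bar";

    // Hypothetical key for the example only; real code loads it from configuration
    // or a secret store, never from a string literal.
    private static readonly byte[] SigningKey =
        Encoding.UTF8.GetBytes("example-signing-key-replace-with-32-random-bytes");

    // Overriding IsAuthorized (rather than OnAuthorization) keeps the base class's
    // [AllowAnonymous] handling and its default 401 from HandleUnauthorizedRequest.
    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        if (actionContext == null) throw new ArgumentNullException("actionContext");

        // Step 1: GetCookies("Bar") returns every Cookie header containing a cookie called "Bar".
        CookieHeaderValue header = actionContext.Request.Headers.GetCookies(CookieName).FirstOrDefault();
        if (header == null) return false;

        // Step 2: one Cookie header may carry several name=value pairs; pick the one we want.
        CookieState state = header[CookieName];
        if (state == null || string.IsNullOrEmpty(state.Value)) return false;

        string user;
        if (!TryValidate(state.Value, out user)) return false;   // missing, malformed or forged: deny

        // Publish the verified identity so Roles/Users on the attribute and the action can use it.
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, user) }, "SignedCookie");
        actionContext.RequestContext.Principal = new ClaimsPrincipal(identity);   // Web API 2

        // Let the base class apply Roles / Users against the principal just set.
        return base.IsAuthorized(actionContext);
    }

    // Splits "<user>.<hex signature>" and verifies the signature in constant time.
    internal static bool TryValidate(string cookieValue, out string user)
    {
        user = null;
        int dot = cookieValue.LastIndexOf('.');
        if (dot <= 0 || dot == cookieValue.Length - 1) return false;

        string payload = cookieValue.Substring(0, dot);
        byte[] presented = HexToBytes(cookieValue.Substring(dot + 1));
        if (presented == null) return false;

        byte[] expected;
        using (var hmac = new HMACSHA256(SigningKey))
            expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));

        if (!FixedTimeEquals(presented, expected)) return false;
        user = payload;
        return true;
    }

    // What the (assumed) cookie issuer produces with the same key; here so the example is complete.
    internal static string Issue(string user)
    {
        using (var hmac = new HMACSHA256(SigningKey))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(user));
            return user + "." + BitConverter.ToString(mac).Replace("-", "").ToLowerInvariant();
        }
    }

    private static byte[] HexToBytes(string hex)
    {
        if (hex.Length % 2 != 0) return null;
        var bytes = new byte[hex.Length / 2];
        for (int i = 0; i < bytes.Length; i++)
        {
            int hi = HexVal(hex[2 * i]), lo = HexVal(hex[2 * i + 1]);
            if (hi < 0 || lo < 0) return null;
            bytes[i] = (byte)((hi << 4) | lo);
        }
        return bytes;
    }

    private static int HexVal(char c)
    {
        if (c >= '0' && c <= '9') return c - '0';
        if (c >= 'a' && c <= 'f') return c - 'a' + 10;
        if (c >= 'A' && c <= 'F') return c - 'A' + 10;
        return -1;
    }

    // Constant-time compare; CryptographicOperations.FixedTimeEquals is not available on .NET Framework.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Apply it as [SignedCookieAuthorize] on a controller or action. The reason for the two lookups the comments ask about is visible in the code: GetCookies(name) filters whole Cookie headers, and the indexer then selects the single name=value pair inside one of them. Two caveats a practitioner would add: a cookie the browser attaches automatically is trusted only after its signature checks out, which is why the attribute denies on any parse or MAC failure rather than falling through; and because browsers send cookies on cross-site requests, an API authorized this way also needs CSRF protection (for example an anti-forgery header), which this attribute does not provide.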
