.NET Core API中的自定义授权筛选器 [英] Custom Authorization Filter in .NET Core API

问题描述

我想在使用核心api访问任何数据之前授权用户，因此我尝试使用JWT身份验证。
我在使用api登录用户时成功生成了令牌，并将该令牌保存在会话中的客户端，现在，每当用户想要使用api访问任何数据时，我都会将该标头中的令牌发送给api，并且我想使用自定义授权过滤器验证JWT令牌。我已经创建了自定义授权过滤器并将其应用到我的GetMenu api上，并且能够成功验证该令牌，但是在授权过滤器中进行令牌验证后，它没有在我的GetMenu api上命中它。

I want to authorize users before accessing any data using my core api, so I tried is using JWT authentication. I have successfully generated token while signing in user using api and saved that token on client side in session, now whenever user wants to access any data using api, I'll send that token in header to api and I want to validate that JWT token using custom authorization filter. I have created custom authorization filter and applied it on my GetMenu api and I'm able to validate that token successfully but after token validation in authorization filter it is not hitting it on my GetMenu api.

这是我的AccountController代码：

[Filters.Authorization]
[AllowAnonymous]
[HttpPost]
[Route("GetMenu")]
public IActionResult GetMenu(string clientid, int rolecode, string repcode)
{
    //further process
}

这是我的过滤器。授权代码：

public class Authorization: AuthorizeAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationFilterContext filterContext)
    {
        if (!ValidateToken(filterContext.HttpContext.Request.Headers["token"]))
        {
            filterContext.Result = new UnauthorizedResult();
        }
    }
}

我在OnAuthorization方法上有断点并在GetMenu api上。
我正在通过邮递员调用我的GetMenu api进行测试，它已成功在Filters.OnAuthorization方法中命中它。授权并验证了我的JWT令牌，并在邮递员中显示了状态代码：200，但在成功验证令牌后，它将GetMenu api用于进一步的数据处理，但没有成功。
可能是什么问题？我想念什么？请帮忙。

I have breakpoints on OnAuthorization method and on GetMenu api. I'm calling my GetMenu api through postman to test, it is successfully hitting it on OnAuthorization method in Filters.Authorization and validating my JWT Token and displays Status Code: 200 in postman but after successful token validation it should hit on GetMenu api for further data processing but it is not hitting. What can be the issue? what am i missing? please help.

推荐答案

如果请求为，则不应设置 filterContext.Result 成功授权。

You should not set the filterContext.Result if the request is successfully authorize.

//
// Summary:
//     A context for authorization filters i.e. Microsoft.AspNetCore.Mvc.Filters.IAuthorizationFilter
//     and Microsoft.AspNetCore.Mvc.Filters.IAsyncAuthorizationFilter implementations.
public class AuthorizationFilterContext : FilterContext
{
    //
    // Summary:
    //     Gets or sets the result of the request. Setting Microsoft.AspNetCore.Mvc.Filters.AuthorizationFilterContext.Result
    //     to a non-null value inside an authorization filter will short-circuit the remainder
    //     of the filter pipeline.
    public virtual IActionResult Result { get; set; }
}

您只需要设置 Result 失败时。

You only need to set Result when it's failed.

public class Authorization: AuthorizeAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationFilterContext filterContext)
    {
        if (!ValidateToken(filterContext.HttpContext.Request.Headers["token"]))
        {
            filterContext.Result = new UnauthorizedResult();
        }
    }
}

这篇关于.NET Core API中的自定义授权筛选器的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！