How to protect against CSRF by default in ASP.NET MVC 4?

Question

Is there a way to ensure ASP.NET MVC 4 forms are protected against CSRF by default?

For instance, is there a way to have AntiForgeryToken automatically applied to all forms in both views and controller actions?

Recommended answer

To add to osoviejo's excellent answer, the instructions below, from my recent blog post on CSRF, put his work together with the information in Phil's blog in one comprehensive answer.

ASP.NET/MVC provides a mechanism for this: you can add to a collection of filters on the global FilterProviders object. This allows you to target some controllers and not others, adding the needed security feature.

First, we need to implement an IFilterProvider. Below, you can find Phil Haack's Conditional Filter Provider class. Begin by adding this class to your project.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;

// Evaluates each condition on every request; each non-null result is
// wrapped as a global-scope filter for the action being executed.
public class ConditionalFilterProvider : IFilterProvider
{
    private readonly
      IEnumerable<Func<ControllerContext, ActionDescriptor, object>> _conditions;

    public ConditionalFilterProvider(
      IEnumerable<Func<ControllerContext, ActionDescriptor, object>> conditions)
    {
        _conditions = conditions;
    }

    public IEnumerable<Filter> GetFilters(
        ControllerContext controllerContext,
        ActionDescriptor actionDescriptor)
    {
        return from condition in _conditions
               select condition(controllerContext, actionDescriptor) into filter
               where filter != null
               select new Filter(filter, FilterScope.Global, null);
    }
}

Then, add code to Application_Start that adds a new ConditionalFilterProvider to the global FilterProviders collection that ensures that all POST controller methods will require the AntiForgeryToken.

// In Global.asax.cs, inside Application_Start:
IEnumerable<Func<ControllerContext, ActionDescriptor, object>> conditions =
    new Func<ControllerContext, ActionDescriptor, object>[] {
        // Ensure all POST actions are automatically
        // decorated with the ValidateAntiForgeryTokenAttribute.
        (c, a) => string.Equals(c.HttpContext.Request.HttpMethod, "POST",
                                StringComparison.OrdinalIgnoreCase)
                  ? new ValidateAntiForgeryTokenAttribute()
                  : null
    };

var provider = new ConditionalFilterProvider(conditions);

// This line adds the filter we created above
FilterProviders.Providers.Add(provider);

If you implement the two pieces of code above, your MVC application should require the AntiForgeryToken for every POST to the site. You can try it out on Phil Haack's CSRF example web site - once protected, the CSRF attack will throw System.Web.Mvc.HttpAntiForgeryException without having to add the [ValidateAntiForgeryToken] annotation. This rules out a whole host of "forgetful programmer" related vulnerabilities.
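An added example (not code from the answer above or from Phil Haack's site) that generalizes the condition: it requires the token on every state-changing verb rather than only POST, and it makes any exemption explicit and reviewable through a hypothetical SkipAntiForgeryAttribute. It assumes the ConditionalFilterProvider class from the answer is already in the project and that each Razor form emits @Html.AntiForgeryToken().

```csharp
using System;
using System.Collections.Generic;
using System.Web.Mvc;

// Hypothetical opt-out marker (not part of the original answer). An action or
// controller carrying it is exempt, which is the right shape for the rare
// endpoint that must accept cross-site POSTs, e.g. a payment-provider callback.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true)]
public sealed class SkipAntiForgeryAttribute : Attribute { }

public static class AntiForgeryPolicy
{
    // Verbs that must not change server state, so no token is needed.
    private static readonly HashSet<string> SafeMethods =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
            { "GET", "HEAD", "OPTIONS", "TRACE" };

    // Call from Application_Start: AntiForgeryPolicy.Register(FilterProviders.Providers);
    public static void Register(FilterProviderCollection providers)
    {
        var conditions = new Func<ControllerContext, ActionDescriptor, object>[]
        {
            (c, a) =>
            {
                string method = c.HttpContext.Request.HttpMethod;
                if (SafeMethods.Contains(method))
                    return null;                       // safe verb: nothing to validate

                // POST, PUT, DELETE, PATCH, ...: validate unless explicitly opted out.
                bool optedOut =
                    a.IsDefined(typeof(SkipAntiForgeryAttribute), true) ||
                    a.ControllerDescriptor.IsDefined(typeof(SkipAntiForgeryAttribute), true);
                return optedOut ? null : new ValidateAntiForgeryTokenAttribute();
            }
        };
        providers.Add(new ConditionalFilterProvider(conditions));
    }
}

// Controller exercising the policy: Save is protected with no annotation at all;
// Callback is the one deliberate, greppable exception.
public class OrdersController : Controller
{
    [HttpPost]
    public ActionResult Save(int id) { return RedirectToAction("Index"); }

    [HttpPost, SkipAntiForgery]
    public ActionResult Callback() { return new HttpStatusCodeResult(200); }
}
```

A request to Save without a valid token (or its cookie) still fails with HttpAntiForgeryException, so every exemption in the codebase can be audited by searching for SkipAntiForgery.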
