How to make WebAPI actions accessible only from my app?


Question


A common use case for WebAPI would be to have shell views rendered by MVC controllers, which contain javascript that then hit your API to access data.


But let's say you have some expensive API operations and you don't want people remotely accessing those endpoints -- you only want your MVC views, delivered by your application, to access them. How could you go about protecting them?


In this case Request.IsLocal doesn't work, because javascript is invoking it from the client's browser on their machine. Even if it did work, you need to dig to get the real HttpContext in order to find this property -- and that solution wouldn't work in self-hosted WebAPI.


For API endpoints that require a valid IPrincipal, you could protect them with the [Authorize] attribute. But what about API endpoints that you want your app to be able to access for anonymous users?


I have tried a solution and will post it separately as an answer, because I'm not sure if it's the best (or even a good) approach.

Answer


Before you go harping about "what have you tried", here is what I have tried. It works. Just not sure if there is a better way.

1. Create an MVC action filter and add it as a global filter during Application_Start.

2. Create an Http (WebAPI) action filter and use it on actions that should reject remote requests.


The global MVC filter does this:

1. Looks for a specific cookie in the request. If the cookie is there, its value is decrypted. The decrypted value should be a string representation of a DateTime, so use DateTime.TryParse to get it out. If the value is correctly parsed to a DateTime, and that DateTime is less than a day old, STOP HERE and do nothing else.

2. If the cookie is not there, or cannot be decrypted / parsed, or is older than a day, write a new cookie to the browser. Use the current DateTime.UtcNow.ToString() as the value, encrypt it, and write it with HttpOnly = false.


The WebAPI filter does this:

1. Looks for a specific cookie in the request. If the cookie is there, decrypt its value and try to parse it as a DateTime.

2. If the value is a valid DateTime and is less than 2 days old, STOP HERE and do nothing else.

3. Otherwise, throw a 403 Forbidden exception.


A couple of notes about my current implementation of this. First of all, I use AES encryption with a shared secret and a salt. The shared secret is stored as an appSetting in web.config. For the salt, I enabled anonymous identification and used Request.AnonymousID as the salt. I'm not entirely fond of the salt because it's trickier to get at in a WebAPI controller, but not impossible as long as it is not self-hosted.
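The two filters the answer describes, written out as an added example (this is not the answer's own code): a constructed AppStamp helper wraps the timestamp, with MachineKey.Protect swapped in for the answer's AES-with-salt so the token is signed as well as encrypted, and the cookie name, purpose string and Secure flag are assumptions.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Web;
using System.Web.Http;
using System.Web.Security;
// Constructed helper for the timestamp token in the cookie. The answer uses AES with a shared secret
// and salt; MachineKey.Protect is swapped in so the key comes from <machineKey> and the token is also signed.
static class AppStamp
{
    public const string CookieName = "AppStamp";   // assumed cookie name
    const string Purpose = "WebApi.AppStamp";      // binds the token to this one use
    public static string Create() =>
        Convert.ToBase64String(MachineKey.Protect(Encoding.UTF8.GetBytes(DateTime.UtcNow.ToString("o")), Purpose));
    // UTC time embedded in the token, or null when it is missing, tampered with or malformed.
    public static DateTime? Read(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        try
        {
            var text = Encoding.UTF8.GetString(MachineKey.Unprotect(Convert.FromBase64String(token), Purpose));
            return DateTime.TryParse(text, null, System.Globalization.DateTimeStyles.RoundtripKind, out var t) ? t : (DateTime?)null;
        }
        catch (Exception) { return null; }          // FormatException or CryptographicException
    }
}
// Global MVC filter (GlobalFilters.Filters.Add(new IssueAppStampFilter()) in Application_Start):
// re-issue the cookie when it is absent, invalid or older than a day.
public class IssueAppStampFilter : System.Web.Mvc.ActionFilterAttribute
{
    public override void OnActionExecuting(System.Web.Mvc.ActionExecutingContext ctx)
    {
        var issued = AppStamp.Read(ctx.HttpContext.Request.Cookies[AppStamp.CookieName]?.Value);
        if (issued.HasValue && DateTime.UtcNow - issued.Value < TimeSpan.FromDays(1)) return;
        ctx.HttpContext.Response.Cookies.Add(new HttpCookie(AppStamp.CookieName, AppStamp.Create())
            { HttpOnly = false, Secure = true });   // Secure is an addition and assumes HTTPS
    }
}
// WebAPI filter: 403 when the cookie is missing, invalid or older than two days.
public class RequireAppStampAttribute : System.Web.Http.Filters.ActionFilterAttribute
{
    public override void OnActionExecuting(System.Web.Http.Controllers.HttpActionContext ctx)
    {
        var issued = AppStamp.Read(ctx.Request.Headers.GetCookies(AppStamp.CookieName).FirstOrDefault()?[AppStamp.CookieName]?.Value);
        if (issued.HasValue && DateTime.UtcNow - issued.Value < TimeSpan.FromDays(2)) return;
        throw new HttpResponseException(HttpStatusCode.Forbidden);
    }
}
```

The cookie only shows that the browser loaded an MVC view within the last day, and every visitor's browser holds a valid one, so this deters casual scraping of the expensive endpoints rather than enforcing access control.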
