Problems implementing ValidatingAntiForgeryToken attribute for Web API with MVC 4 RC


Problem description

I'm making JSON-based AJAX requests and, with MVC controllers, have been very grateful to Phil Haack for his Preventing CSRF with AJAX and Johan Driessen's Updated Anti-XSRF for MVC 4 RC. But, as I transition API-centric controllers to Web API, I'm hitting issues where the functionality between the two approaches is markedly different and I'm unable to transition the CSRF code.

ScottS raised a similar question recently which was answered by Darin Dimitrov. Darin's solution involves implementing an authorization filter which calls AntiForgery.Validate. Unfortunately, this code does not work for me (see next paragraph) and - honestly - is too advanced for me.

As I understand it, Phil's solution overcomes the problem with MVC AntiForgery when making JSON requests in the absence of a form element; the form element is assumed/expected by the AntiForgery.Validate method. I believe that this may be why I'm having problems with Darin's solution too. I receive an HttpAntiForgeryException "The required anti-forgery form field '__RequestVerificationToken' is not present". I am certain that the token is being POSTed (albeit in the header per Phil Haack's solution). Here's a snapshot of the client's call:

// Read the hidden input rendered by @Html.AntiForgeryToken() and send it as a request header
var $token = $('input[name="__RequestVerificationToken"]').val();
$.ajax({
    url: "/api/states",
    type: "POST",
    dataType: "json",
    contentType: "application/json; charset=utf-8",
    headers: { __RequestVerificationToken: $token }
}).done(function (json) {
    // ... (response handling omitted in the original post)
});

I tried a hack by mashing together Johan's solution with Darin's and was able to get things working, but I am introducing HttpContext.Current and am unsure whether this is appropriate/secure, and why I can't use the provided HttpActionContext.

Here's my inelegant mash-up; the change is the two lines in the try block:

// Wrapper class, using directives and the FromResult helper are supplied here so the method compiles.
using System;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web;
using System.Web.Helpers;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

public class ValidatingAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    public Task<HttpResponseMessage> ExecuteAuthorizationFilterAsync(HttpActionContext actionContext, CancellationToken cancellationToken, Func<Task<HttpResponseMessage>> continuation)
    {
        try
        {
            // Cookie token from the anti-forgery cookie, form-side token from the request header
            var cookie = HttpContext.Current.Request.Cookies[AntiForgeryConfig.CookieName];
            AntiForgery.Validate(cookie != null ? cookie.Value : null, HttpContext.Current.Request.Headers["__RequestVerificationToken"]);
        }
        catch
        {
            actionContext.Response = new HttpResponseMessage
            {
                StatusCode = HttpStatusCode.Forbidden,
                RequestMessage = actionContext.ControllerContext.Request
            };
            return FromResult(actionContext.Response);
        }
        return continuation();
    }

    private static Task<HttpResponseMessage> FromResult(HttpResponseMessage result)
    {
        var tcs = new TaskCompletionSource<HttpResponseMessage>(); tcs.SetResult(result); return tcs.Task;
    }
}

My questions are:

  • Am I right in thinking that Darin's solution assumes the presence of a form element?

  • What is an elegant way to mash up Darin's and Johan's MVC 4 RC code into a Web API filter?

Thanks in advance!

Answer

You could try reading from the headers:

// Replaces the two HttpContext.Current lines in the try block.
// Needs: using System.Linq; using System.Net.Http; using System.Web.Helpers;
var headers = actionContext.Request.Headers;
var cookie = headers
    .GetCookies()
    .Select(c => c[AntiForgeryConfig.CookieName])
    .FirstOrDefault();
// GetValues throws if the header is absent; the surrounding catch turns that into a 403
var rvt = headers.GetValues("__RequestVerificationToken").FirstOrDefault();
AntiForgery.Validate(cookie != null ? cookie.Value : null, rvt);

Note: GetCookies is an extension method that exists in the class HttpRequestHeadersExtensions which is part of System.Net.Http.Formatting.dll. It will most likely exist in C:\Program Files (x86)\Microsoft ASP.NET\ASP.NET MVC 4\Assemblies\System.Net.Http.Formatting.dll
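The following is an added example, not code from the question or the answer above. It puts the answer's header-based reads into a complete Web API filter for MVC 4 RC that validates the anti-forgery cookie against the token sent in the __RequestVerificationToken request header (the pattern from the question's $.ajax call), using only actionContext.Request and never HttpContext.Current. It assumes the page renders @Html.AntiForgeryToken() so the client can read the hidden input; the class name, the 403 message text and the StatesController are illustrative.

```csharp
// Added example: self-contained Web API anti-forgery filter (ASP.NET MVC 4 RC).
// Assumes the client sends the form-side token in the __RequestVerificationToken
// header, as in the question. Class name and message text are illustrative.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Helpers;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class ValidateJsonAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    // Header the client puts the form-side token in (same name as the hidden input).
    private const string TokenHeaderName = "__RequestVerificationToken";

    public Task<HttpResponseMessage> ExecuteAuthorizationFilterAsync(
        HttpActionContext actionContext,
        CancellationToken cancellationToken,
        Func<Task<HttpResponseMessage>> continuation)
    {
        HttpRequestMessage request = actionContext.Request;

        string cookieToken = ReadCookieToken(request.Headers);
        string headerToken = ReadHeaderToken(request.Headers);

        try
        {
            // Both halves are required: browsers attach the cookie to cross-site
            // requests automatically, so the cookie alone proves nothing; the header
            // token can only be added by same-origin script. Validate() throws if
            // either is missing or if the pair was not issued together.
            AntiForgery.Validate(cookieToken, headerToken);
        }
        catch (System.Web.Mvc.HttpAntiForgeryException ex) // type lives in System.Web.WebPages.dll
        {
            actionContext.Response = request.CreateResponse(
                HttpStatusCode.Forbidden, "Anti-forgery validation failed: " + ex.Message);
            return FromResult(actionContext.Response);
        }

        return continuation();
    }

    // Cookie-side token. GetCookies() lives in System.Net.Http.Formatting.dll; the
    // CookieHeaderValue indexer returns a CookieState whose Value may be empty.
    private static string ReadCookieToken(HttpRequestHeaders headers)
    {
        CookieState state = headers.GetCookies()
            .Select(c => c[AntiForgeryConfig.CookieName])
            .FirstOrDefault(s => s != null && !string.IsNullOrEmpty(s.Value));
        return state != null ? state.Value : null;
    }

    // Header-side token. TryGetValues is used instead of GetValues so that a missing
    // header becomes a null token (rejected by Validate) rather than an
    // InvalidOperationException that a catch-all would have to swallow.
    private static string ReadHeaderToken(HttpRequestHeaders headers)
    {
        IEnumerable<string> values;
        return headers.TryGetValues(TokenHeaderName, out values) ? values.FirstOrDefault() : null;
    }

    // .NET 4.0-compatible equivalent of Task.FromResult.
    private static Task<HttpResponseMessage> FromResult(HttpResponseMessage result)
    {
        var tcs = new TaskCompletionSource<HttpResponseMessage>();
        tcs.SetResult(result);
        return tcs.Task;
    }
}

// Usage (illustrative): apply to the state-changing Web API action the question POSTs to.
public class StatesController : ApiController
{
    [ValidateJsonAntiForgeryToken]
    public HttpResponseMessage Post()
    {
        return Request.CreateResponse(HttpStatusCode.Created);
    }
}
```

Moving the token from a form field to a header does not weaken the check: AntiForgery.Validate still requires the cookie token and the submitted token to have been issued as a pair, and a cross-origin page cannot set a custom request header without a CORS preflight that the API does not answer. Apply the filter only to POST/PUT/DELETE actions; a GET that changes state is a separate bug the filter cannot fix.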
