身份验证适用于web api [英] Authentication For web api
问题描述
当我提供所需的凭证(电子邮件和密码)时,它的工作部分工作正常。如果我给出错误的电子邮件,其显示404错误意味着它的罚款。如果我给错了密码也接受意味着它没有显示任何错误。 />
我的代码如下,请帮助我: -
使用系统;
使用System.Collections.Generic;
使用System.Data;
使用System.Data.Entity;
使用System.Data.Entity.Infrastructure;
使用System.Linq;
使用System.Net;
使用System.Net。 Http;
使用System.Web.Http;
使用System.Web.Http.Description;
使用WebApplication5.Models;
使用System.Security.Cryptography;
使用System.Text;
命名空间WebApplication5.Controllers
{
公共类UsersController:ApiController
{
私人ChatDatabaseEntities1 db = new Cha tDatabaseEntities1();
// GET:api / Users
public IQueryable< user> GetUsers()
{
返回db.Users;
}
SymmetricAlgorithm desobj = Rijndael.Create() ;
字符串密钥;
// GET:api / Users / 5
[ResponseType(typeof(User))]
public IHttpActionResult GetUser(string Email,string password)
{
User user = db.Users.Find(Email);
if(user == null)
{
return NotFound();
}
string temp = Decrypt(user.Password,user.PasswordSalt);
if(password == temp)
{
//返回Ok(user.Email);
}
返回Ok(user.Email);
}
// PUT:api / Users / 5
[ResponseType(typeof(void))]
public IHttpActionResult PutUser(string id,User user)
{
if(!ModelState.IsValid)
{
返回BadRequest(ModelState);
}
if(id!= user.Email)
{
返回BadRequest();
}
db.Entry(用户).State = EntityState.Modified;
尝试
{
db.SaveChanges();
}
catch(DbUpdateConcurrencyException)
{
if(!UserExists(id))
{
返回NotFound();
}
其他
{
throw;
}
}
返回StatusCode(HttpStatusCode.NoContent);
}
// POST:api /用户
[ResponseType(typeof(User))]
public IHttpActionResult PostUser(用户用户)
{
if(!ModelState.IsValid)
{
返回BadRequest(ModelState);
}
string temp_password =加密(text,Key());
用户。密码= temp_password;
user.PasswordSalt = Key();
user.UserType =user;
db.Users.Add(user);
try
{
db.SaveChanges() ;
}
catch(DbUpdateException)
{
if(UserExists(user.Email))
{
return Conflict();
}
其他
{
抛出;
}
}
返回CreatedAtRoute(DefaultApi,新{id = user.Email},用户);
}
// DELETE:api / Users / 5
[ResponseType(typeof(User))]
public IHttpActionResult DeleteUser(string id)
{
用户user = db.Users.Find(id);
if(user == null)
{
返回NotFound();
}
db.Users.Remove(用户);
db.SaveChanges();
返回Ok(用户);
}
protected override void Dispose(bool disposing)
{
if(disposing)
{
db.Dispose();
}
base.Dispose(disposing);
}
private bool UserExists(字符串ID)
{
返回db.Users.Count(e => e.Email == id)> 0;
}
public static string Encrypt(string strToEncrypt,string strKey)
{
试试
{
TripleDESCryptoServiceProvider objDESCrypto =
new TripleDESCryptoServiceProvider();
MD5CryptoServiceProvider objHashMD5 = new MD5CryptoServiceProvider();
byte [] byteHash,byteBuff;
string strTempKey = strKey;
byteHash = objHashMD5.ComputeHash(ASCIIEncoding.ASCII.GetBytes(strTempKey));
objHashMD5 = null;
objDESCrypto.Key = byteHash;
objDESCrypto .Mode = CipherMode.ECB; // CBC,CFB
byteBuff = ASCIIEncoding.ASCII.GetBytes(strToEncrypt);
返回Convert.ToBase64String(objDESCrypto.CreateEncryptor()。
TransformFinalBlock(byteBuff,0,byteBuff.Length));
}
catch(exception ex)
{
返回输入错误。+ ex.Message;
}
}
私人密钥Key()
{
{
随机随机=新随机( );
key =+ random.Next(0,9)+ random.Next(0,9)+ random.Next(0,9)+ random.Next(0,9) + random.Next(0,9)+ random.Next(0,9)+ random.Next(0,9)+ random.Next(0,9)+ random.Next(0,9)+ random.Next( 0,9)+ random.Next(0,9)+ random.Next(0,9)+ random.Next(0,9)+ random.Next(0,9)+ random.Next(0,9)+跑dom.Next(0,9);
返回键;
}
}
public static string Decrypt(string strEncrypted,string strKey)
{
try
{
TripleDESCryptoServiceProvider objDESCrypto =
new TripleDESCryptoServiceProvider();
MD5CryptoServiceProvider objHashMD5 = new MD5CryptoServiceProvider();
byte [] byteHash,byteBuff;
string strTempKey = strKey;
byteHash = objHashMD5.ComputeHash(ASCIIEncoding.ASCII.GetBytes(strTempKey));
objHashMD5 = null;
objDESCrypto.Key = byteHash;
objDESCrypto.Mode = CipherMode.ECB; // CBC,CFB
byteBuff = Convert.FromBase64String(strEncrypted);
string strDecrypted = ASCIIEncoding.ASCII.GetString
(objDESCrypto.CreateDecryptor ()。TransformFinalBlock
(byteBuff,0,byteBuff.Length));
objDESCrypto = null;
返回strDecrypted;
}
catch(例外情况)
{
返回输入错误。+ ex.Message;
}
}
}
}
Partially its work whenever i give required credential(Email and password) it works fine.if i give wrong email its show 404 error means its fine.if i give wrong password also its accepting means it not show any error.
My code is given below please help me:-
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.Entity;
using System.Data.Entity.Infrastructure;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Description;
using WebApplication5.Models;
using System.Security.Cryptography;
using System.Text;
namespace WebApplication5.Controllers
{
public class UsersController : ApiController
{
private ChatDatabaseEntities1 db = new ChatDatabaseEntities1();
// GET: api/Users
public IQueryable<user> GetUsers()
{
return db.Users;
}
SymmetricAlgorithm desobj = Rijndael.Create();
string key;
// GET: api/Users/5
[ResponseType(typeof(User))]
public IHttpActionResult GetUser(string Email, string password)
{
User user = db.Users.Find(Email);
if (user == null)
{
return NotFound();
}
string temp =Decrypt(user.Password, user.PasswordSalt);
if (password == temp)
{
// return Ok(user.Email);
}
return Ok(user.Email);
}
// PUT: api/Users/5
[ResponseType(typeof(void))]
public IHttpActionResult PutUser(string id, User user)
{
if (!ModelState.IsValid)
{
return BadRequest(ModelState);
}
if (id != user.Email)
{
return BadRequest();
}
db.Entry(user).State = EntityState.Modified;
try
{
db.SaveChanges();
}
catch (DbUpdateConcurrencyException)
{
if (!UserExists(id))
{
return NotFound();
}
else
{
throw;
}
}
return StatusCode(HttpStatusCode.NoContent);
}
// POST: api/Users
[ResponseType(typeof(User))]
public IHttpActionResult PostUser(User user)
{
if (!ModelState.IsValid)
{
return BadRequest(ModelState);
}
string temp_password = Encrypt("text", Key());
user.Password = temp_password;
user.PasswordSalt = Key();
user.UserType = "user";
db.Users.Add(user);
try
{
db.SaveChanges();
}
catch (DbUpdateException)
{
if (UserExists(user.Email))
{
return Conflict();
}
else
{
throw;
}
}
return CreatedAtRoute("DefaultApi", new { id = user.Email }, user);
}
// DELETE: api/Users/5
[ResponseType(typeof(User))]
public IHttpActionResult DeleteUser(string id)
{
User user = db.Users.Find(id);
if (user == null)
{
return NotFound();
}
db.Users.Remove(user);
db.SaveChanges();
return Ok(user);
}
protected override void Dispose(bool disposing)
{
if (disposing)
{
db.Dispose();
}
base.Dispose(disposing);
}
private bool UserExists(string id)
{
return db.Users.Count(e => e.Email == id) > 0;
}
public static string Encrypt(string strToEncrypt, string strKey)
{
try
{
TripleDESCryptoServiceProvider objDESCrypto =
new TripleDESCryptoServiceProvider();
MD5CryptoServiceProvider objHashMD5 = new MD5CryptoServiceProvider();
byte[] byteHash, byteBuff;
string strTempKey = strKey;
byteHash = objHashMD5.ComputeHash(ASCIIEncoding.ASCII.GetBytes(strTempKey));
objHashMD5 = null;
objDESCrypto.Key = byteHash;
objDESCrypto.Mode = CipherMode.ECB; //CBC, CFB
byteBuff = ASCIIEncoding.ASCII.GetBytes(strToEncrypt);
return Convert.ToBase64String(objDESCrypto.CreateEncryptor().
TransformFinalBlock(byteBuff, 0, byteBuff.Length));
}
catch (Exception ex)
{
return "Wrong Input. " + ex.Message;
}
}
private string Key()
{
{
Random random = new Random();
key = "" + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9);
return key;
}
}
public static string Decrypt(string strEncrypted, string strKey)
{
try
{
TripleDESCryptoServiceProvider objDESCrypto =
new TripleDESCryptoServiceProvider();
MD5CryptoServiceProvider objHashMD5 = new MD5CryptoServiceProvider();
byte[] byteHash, byteBuff;
string strTempKey = strKey;
byteHash = objHashMD5.ComputeHash(ASCIIEncoding.ASCII.GetBytes(strTempKey));
objHashMD5 = null;
objDESCrypto.Key = byteHash;
objDESCrypto.Mode = CipherMode.ECB; //CBC, CFB
byteBuff = Convert.FromBase64String(strEncrypted);
string strDecrypted = ASCIIEncoding.ASCII.GetString
(objDESCrypto.CreateDecryptor().TransformFinalBlock
(byteBuff, 0, byteBuff.Length));
objDESCrypto = null;
return strDecrypted;
}
catch (Exception ex)
{
return "Wrong Input. " + ex.Message;
}
}
}
}
推荐答案
第一个也是最明显的问题是你忽略了密码测试:
The first and most obvious problem is that you're ignoring the password test:
string temp =Decrypt(user.Password, user.PasswordSalt);
if (password == temp)
{
// return Ok(user.Email);
}
return Ok(user.Email);
无论密码是否匹配,您都会返回确定
。尝试将其更改为:
Whether or not the password matches, you return Ok
. Try changing it to:
string temp = Decrypt(user.Password, user.PasswordSalt);
if (password != temp)
{
return NotFound();
}
return Ok(user.Email);
现在,更有趣的问题是:您似乎使用可逆加密存储密码。这是一个非常糟糕的主意。您应该只存储用户密码的盐渍哈希,使用每条记录的唯一盐,并使用多轮安全哈希算法。
安全密码验证简单解释 [ ^ ]
Salted Password Hashing - 正确行事 [ ^ ]
这篇关于身份验证适用于web api的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!