身份验证适用于web api [英] Authentication For web api

查看:90
本文介绍了身份验证适用于web api的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

当我提供所需的凭证(电子邮件和密码)时,它的工作部分工作正常。如果我给出错误的电子邮件,其显示404错误意味着它的罚款。如果我给错了密码也接受意味着它没有显示任何错误。 />


我的代码如下,请帮助我: -





使用系统;

使用System.Collections.Generic;

使用System.Data;

使用System.Data.Entity;

使用System.Data.Entity.Infrastructure;

使用System.Linq;

使用System.Net;

使用System.Net。 Http;

使用System.Web.Http;

使用System.Web.Http.Description;

使用WebApplication5.Models;

使用System.Security.Cryptography;

使用System.Text;



命名空间WebApplication5.Controllers

{

公共类UsersController:ApiController

{

私人ChatDatabaseEntities1 db = new Cha tDatabaseEntities1();



// GET:api / Users

public IQueryable< user> GetUsers()

{

返回db.Users;

}

SymmetricAlgorithm desobj = Rijndael.Create() ;

字符串密钥;





// GET:api / Users / 5

[ResponseType(typeof(User))]

public IHttpActionResult GetUser(string Email,string password)

{

User user = db.Users.Find(Email);

if(user == null)

{

return NotFound();

}

string temp = Decrypt(user.Password,user.PasswordSalt);

if(password == temp)

{

//返回Ok(user.Email);

}





返回Ok(user.Email);

}











// PUT:api / Users / 5

[ResponseType(typeof(void))]

public IHttpActionResult PutUser(string id,User user)

{

if(!ModelState.IsValid)

{

返回BadRequest(ModelState);

}



if(id!= user.Email)

{

返回BadRequest();

}



db.Entry(用户).State = EntityState.Modified;



尝试

{

db.SaveChanges();

}

catch(DbUpdateConcurrencyException)

{

if(!UserExists(id))

{

返回NotFound();

}

其他

{

throw;

}

}



返回StatusCode(HttpStatusCode.NoContent);

}



// POST:api /用户

[ResponseType(typeof(User))]

public IHttpActionResult PostUser(用户用户)

{

if(!ModelState.IsValid)

{

返回BadRequest(ModelState);

}

string temp_password =加密(text,Key());

用户。密码= temp_password;

user.PasswordSalt = Key();

user.UserType =user;



db.Users.Add(user);



try

{

db.SaveChanges() ;

}

catch(DbUpdateException)

{

if(UserExists(user.Email))

{

return Conflict();

}

其他

{

抛出;

}

}



返回CreatedAtRoute(DefaultApi,新{id = user.Email},用户);

}



// DELETE:api / Users / 5

[ResponseType(typeof(User))]

public IHttpActionResult DeleteUser(string id)

{

用户user = db.Users.Find(id);

if(user == null)

{

返回NotFound();

}



db.Users.Remove(用户);

db.SaveChanges();



返回Ok(用户);

}



protected override void Dispose(bool disposing)

{

if(disposing)

{

db.Dispose();

}

base.Dispose(disposing);

}



private bool UserExists(字符串ID)

{

返回db.Users.Count(e => e.Email == id)> 0;

}





public static string Encrypt(string strToEncrypt,string strKey)

{

试试

{

TripleDESCryptoServiceProvider objDESCrypto =

new TripleDESCryptoServiceProvider();

MD5CryptoServiceProvider objHashMD5 = new MD5CryptoServiceProvider();

byte [] byteHash,byteBuff;

string strTempKey = strKey;

byteHash = objHashMD5.ComputeHash(ASCIIEncoding.ASCII.GetBytes(strTempKey));

objHashMD5 = null;

objDESCrypto.Key = byteHash;

objDESCrypto .Mode = CipherMode.ECB; // CBC,CFB

byteBuff = ASCIIEncoding.ASCII.GetBytes(strToEncrypt);

返回Convert.ToBase64String(objDESCrypto.CreateEncryptor()。

TransformFinalBlock(byteBuff,0,byteBuff.Length));

}

catch(exception ex)

{

返回输入错误。+ ex.Message;

}

}







私人密钥Key()

{

{

随机随机=新随机( );

key =+ random.Next(0,9)+ random.Next(0,9)+ random.Next(0,9)+ random.Next(0,9) + random.Next(0,9)+ random.Next(0,9)+ random.Next(0,9)+ random.Next(0,9)+ random.Next(0,9)+ random.Next( 0,9)+ random.Next(0,9)+ random.Next(0,9)+ random.Next(0,9)+ random.Next(0,9)+ random.Next(0,9)+跑dom.Next(0,9);



返回键;

}

}

public static string Decrypt(string strEncrypted,string strKey)

{

try

{

TripleDESCryptoServiceProvider objDESCrypto =

new TripleDESCryptoServiceProvider();

MD5CryptoServiceProvider objHashMD5 = new MD5CryptoServiceProvider();

byte [] byteHash,byteBuff;

string strTempKey = strKey;

byteHash = objHashMD5.ComputeHash(ASCIIEncoding.ASCII.GetBytes(strTempKey));

objHashMD5 = null;

objDESCrypto.Key = byteHash;

objDESCrypto.Mode = CipherMode.ECB; // CBC,CFB

byteBuff = Convert.FromBase64String(strEncrypted);

string strDecrypted = ASCIIEncoding.ASCII.GetString

(objDESCrypto.CreateDecryptor ()。TransformFinalBlock

(byteBuff,0,byteBuff.Length));

objDESCrypto = null;

返回strDecrypted;

}

catch(例外情况)

{

返回输入错误。+ ex.Message;

}

}

}

}

Partially its work whenever i give required credential(Email and password) it works fine.if i give wrong email its show 404 error means its fine.if i give wrong password also its accepting means it not show any error.

My code is given below please help me:-


using System;
using System.Collections.Generic;
using System.Data;
using System.Data.Entity;
using System.Data.Entity.Infrastructure;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Description;
using WebApplication5.Models;
using System.Security.Cryptography;
using System.Text;

namespace WebApplication5.Controllers
{
public class UsersController : ApiController
{
private ChatDatabaseEntities1 db = new ChatDatabaseEntities1();

// GET: api/Users
public IQueryable<user> GetUsers()
{
return db.Users;
}
SymmetricAlgorithm desobj = Rijndael.Create();
string key;


// GET: api/Users/5
[ResponseType(typeof(User))]
public IHttpActionResult GetUser(string Email, string password)
{
User user = db.Users.Find(Email);
if (user == null)
{
return NotFound();
}
string temp =Decrypt(user.Password, user.PasswordSalt);
if (password == temp)
{
// return Ok(user.Email);
}


return Ok(user.Email);
}





// PUT: api/Users/5
[ResponseType(typeof(void))]
public IHttpActionResult PutUser(string id, User user)
{
if (!ModelState.IsValid)
{
return BadRequest(ModelState);
}

if (id != user.Email)
{
return BadRequest();
}

db.Entry(user).State = EntityState.Modified;

try
{
db.SaveChanges();
}
catch (DbUpdateConcurrencyException)
{
if (!UserExists(id))
{
return NotFound();
}
else
{
throw;
}
}

return StatusCode(HttpStatusCode.NoContent);
}

// POST: api/Users
[ResponseType(typeof(User))]
public IHttpActionResult PostUser(User user)
{
if (!ModelState.IsValid)
{
return BadRequest(ModelState);
}
string temp_password = Encrypt("text", Key());
user.Password = temp_password;
user.PasswordSalt = Key();
user.UserType = "user";

db.Users.Add(user);

try
{
db.SaveChanges();
}
catch (DbUpdateException)
{
if (UserExists(user.Email))
{
return Conflict();
}
else
{
throw;
}
}

return CreatedAtRoute("DefaultApi", new { id = user.Email }, user);
}

// DELETE: api/Users/5
[ResponseType(typeof(User))]
public IHttpActionResult DeleteUser(string id)
{
User user = db.Users.Find(id);
if (user == null)
{
return NotFound();
}

db.Users.Remove(user);
db.SaveChanges();

return Ok(user);
}

protected override void Dispose(bool disposing)
{
if (disposing)
{
db.Dispose();
}
base.Dispose(disposing);
}

private bool UserExists(string id)
{
return db.Users.Count(e => e.Email == id) > 0;
}


public static string Encrypt(string strToEncrypt, string strKey)
{
try
{
TripleDESCryptoServiceProvider objDESCrypto =
new TripleDESCryptoServiceProvider();
MD5CryptoServiceProvider objHashMD5 = new MD5CryptoServiceProvider();
byte[] byteHash, byteBuff;
string strTempKey = strKey;
byteHash = objHashMD5.ComputeHash(ASCIIEncoding.ASCII.GetBytes(strTempKey));
objHashMD5 = null;
objDESCrypto.Key = byteHash;
objDESCrypto.Mode = CipherMode.ECB; //CBC, CFB
byteBuff = ASCIIEncoding.ASCII.GetBytes(strToEncrypt);
return Convert.ToBase64String(objDESCrypto.CreateEncryptor().
TransformFinalBlock(byteBuff, 0, byteBuff.Length));
}
catch (Exception ex)
{
return "Wrong Input. " + ex.Message;
}
}



private string Key()
{
{
Random random = new Random();
key = "" + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9) + random.Next(0, 9);

return key;
}
}
public static string Decrypt(string strEncrypted, string strKey)
{
try
{
TripleDESCryptoServiceProvider objDESCrypto =
new TripleDESCryptoServiceProvider();
MD5CryptoServiceProvider objHashMD5 = new MD5CryptoServiceProvider();
byte[] byteHash, byteBuff;
string strTempKey = strKey;
byteHash = objHashMD5.ComputeHash(ASCIIEncoding.ASCII.GetBytes(strTempKey));
objHashMD5 = null;
objDESCrypto.Key = byteHash;
objDESCrypto.Mode = CipherMode.ECB; //CBC, CFB
byteBuff = Convert.FromBase64String(strEncrypted);
string strDecrypted = ASCIIEncoding.ASCII.GetString
(objDESCrypto.CreateDecryptor().TransformFinalBlock
(byteBuff, 0, byteBuff.Length));
objDESCrypto = null;
return strDecrypted;
}
catch (Exception ex)
{
return "Wrong Input. " + ex.Message;
}
}
}
}

推荐答案

第一个也是最明显的问题是你忽略了密码测试:

The first and most obvious problem is that you're ignoring the password test:
string temp =Decrypt(user.Password, user.PasswordSalt);
if (password == temp)
{
    // return Ok(user.Email);
}

return Ok(user.Email);



无论密码是否匹配,您都会返回确定。尝试将其更改为:


Whether or not the password matches, you return Ok. Try changing it to:

string temp = Decrypt(user.Password, user.PasswordSalt);
if (password != temp)
{
    return NotFound();
}

return Ok(user.Email);





现在,更有趣的问题是:您似乎使用可逆加密存储密码。这是一个非常糟糕的主意。您应该只存储用户密码的盐渍哈希,使用每条记录的唯一盐,并使用多轮安全哈希算法。



安全密码验证简单解释 [ ^ ]

Salted Password Hashing - 正确行事 [ ^ ]


这篇关于身份验证适用于web api的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
其他开发语言最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆