如何MVC4测试AntiForgeryToken与骨干网单页的应用 [英] How to test AntiForgeryToken in MVC4 with backbone Single Page Application

问题描述

我有问题获得微软的MVC的 [ValidateAntiForgeryToken] 使用木偶和放一个单页应用（SPA）的书面工作;骨干。这个问题似乎是该MVC [ValidateAntiForgeryToken] 办法看不到我们发送的JSON的一部分令牌。我们认为这是因为令牌必须是在答复的形式一部分，但MrOggy85说，这是不是一个问题（见下面他的回答）。

I am having problems getting Microsoft's MVC's [ValidateAntiForgeryToken] to work with a Single Page Application (SPA) written using Marionette & Backbone. The problem seems to be that the MVC [ValidateAntiForgeryToken] method fails to see the token we send as part of the JSON. We thought it was because the token had to be in the Forms part of the reply but MrOggy85 says that isn't a problem (see his answer below).

在code是在我的API控制器，​​使用 AttributeRouting ，我们假设是造成问题的原因。一个典型的操作是这样的：

The code is in my api controllers, which use AttributeRouting, which we assume is causing the problem. A typical action looks like this:

    // POST api/vizschemes/
    [POST("")]
    [Authorize(Roles = "...some role...")]
    [ValidateAntiForgeryToken]
    public ActionResult Add(CreateUpdateSmVizSchemeDto dto,  ICreateSmVizScheme service)
    {
       ... code to update the VizScheme and return json
    }

有没有其他解决这个？大量的谷歌搜索变成了注释的是帖子 ASP.NET MVC提供了内置的防伪标记，通过防伪类和[ValidateAntiForgeryToken]属性的支持。目前，这个功能不内置的Web API。不过，（KnockoutJS）模板包括自定义实现的Web API。的。这表明，他们自己写的，这是我能做到的。

Has anyone else overcome this? A lot of googling turned up the comment in is post "ASP.NET MVC provides built-in support for anti-forgery tokens, through the AntiForgery class and the [ValidateAntiForgeryToken] attribute. Currently, this functionality is not built into Web API. However, the (KnockoutJS) template includes a custom implementation for Web API.". This suggests that they write their own, which I can do.

有没有其他人遇到这个，如果是的话你是怎么解决的呢？我失去了一些东西很明显还是应该我只是写我自己的ValidateAntiForgeryToken方法？您的意见将AP preciated。

Has anyone else hit this, and if so how did you solve it? Am I missing something obvious or should I just write my own ValidateAntiForgeryToken method? Your input would be appreciated.

在它大量的详细信息提供@ MrOggy85伟大的计算器链接。请参阅<一href="http://stackoverflow.com/questions/2906754/how-can-i-supply-an-antiforgerytoken-when-posting-json-data-using-ajax">How我可以提供一个AntiForgeryToken发布使用$阿贾克斯？ JSON数据时。我打算写我自己的防伪检验和会后，当我这样做。

GREAT stackoverflow link provided by @MrOggy85 with lots more information in it. See How can i supply an AntiForgeryToken when posting JSON data using $.ajax? . I plan to write my own AntiForgery test and will post when I have done.

推荐答案

在使用助手 @ Html.AntiForgeryToken（）的认为这是真正的HTML结果

When you use the helper @Html.AntiForgeryToken() in a view this is the actual HTML result:

<input name="__RequestVerificationToken" type="hidden" 
value="{ long cryptic code }">

此输入字段通常是在你的＆LT;形式GT; k-元，这意味着它会被附加到请求，如果您提交的表单

This input field is normally inside your <form>-element which means it will be attached to the request if you submit that form.

在此输入字段的表单以外，或者如果你没有提交表单时，会出现问题。不要怕，有办法解决这一点。属性 [ValidateAntiForgeryToken] 告诉服务器寻找与名称的关键：__RequestVerificationToken。让我们给服务器它想要的东西！

The problem occurs when this input field is outside of your form or if you are not submitting a form. Have no fear, there is a solution for this. The attribute [ValidateAntiForgeryToken] tells the server to look for a key with the name: "__RequestVerificationToken". Let's give the server what it wants!

首先，获得该值！

VAR antiforgeytoken = $（'输入[名称= __ RequestVerificationToken]）VAL（）;

第二，它连接到您的AJAX请求（我使用jQuery）

Second, attach it to your AJAX-request (I use jQuery)

$.ajax({
  url: 'something/something',
  type: 'POST',
  contentType: 'application/x-www-form-urlencoded; charset=UTF-8', // Default
  data: { 'somekey': 'someval', 
          '__RequestVerificationToken', antiforgeytoken }
});

现在你的服务器是幸福的，你太！

Now your server is happy, and you are too!

更新：
在内容类型的是因为MVC活页夹如何验证请求重要。如果你想使用另一种内容类型此解决方案<一href="http://stackoverflow.com/questions/2906754/how-can-i-supply-an-antiforgerytoken-when-posting-json-data-using-ajax">How我可以提供一个AntiForgeryToken发布使用$阿贾克斯JSON数据时？提出分开防伪标记，并在两个不同的参数POSTDATA。

Update:
The content type is important because of how the MVC Binder validates the request. If you want to use another content type this solution How can i supply an AntiForgeryToken when posting JSON data using $.ajax? proposes to separate the antiforgery token and the postdata in two different parameters.

这篇关于如何MVC4测试AntiForgeryToken与骨干网单页的应用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！