Runtime loading of ValidateAntiForgeryToken Salt value


Problem description

Consider an ASP.NET MVC application using the Salt parameter in the [ValidateAntiForgeryToken] directive.

The scenario is such that the app will be used by many customers. It's not terribly desirable to have the Salt known at compile time.

The current strategy is to locate the Salt value in the web.config.

[ValidateAntiForgeryToken(Salt = Config.AppSalt)]
//Config.AppSalt is a static property that reads the web.config.

This leads to a compile-time exception suggesting that the Salt must be a const at compile time.

An attribute argument must be a constant expression, typeof expression or array creation expression of an attribute parameter type

How can I modify the application to allow for a runtime loading of the Salt so that the app doesn't have to be re-salted and recompiled for each customer?

Consider that the Salt won't change frequently, if at all, thereby removing the possibility of invalidating form

Recommended answer

I had the requirement to have different salts for different customers. In this case, I used Dixin's solution for injecting the salt at runtime.

Anti-Forgery Request Recipes For ASP.NET MVC And AJAX (http://weblogs.asp.net/dixin/archive/2010/05/22/anti-forgery-request-recipes-for-asp-net-mvc-and-ajax.aspx), in the section titled "Specify non-constant salt at runtime".

Decorate your Controllers with a new attribute:

[ValidateAntiForgeryTokenWrapper(HttpVerbs.Post)]
public class ProductController : Controller
{     
    // Only HTTP POST requests are validated.
}

This new attribute is defined as:

public class ValidateAntiForgeryTokenWrapperAttribute : FilterAttribute, IAuthorizationFilter
{
    public ValidateAntiForgeryTokenWrapperAttribute(HttpVerbs verbs)
    {
        this._verbs = new AcceptVerbsAttribute(verbs);
        this._validator = new ValidateAntiForgeryTokenAttribute()
            {
                //load from web.config or anywhere else
                Salt = Configurations.AntiForgeryTokenSalt
            };
    }

    // Other members.
}
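
The wrapper above with its elided members filled in, as an added example (not the answerer's or Dixin's code). It assumes ASP.NET MVC 2 or 3, where the Salt property is settable, and uses a hypothetical helper class AntiForgerySalt and a hypothetical appSettings key AntiForgeryTokenSalt. It also covers the token-issuing side, because the view must generate tokens with the same salt the filter validates against.

```csharp
using System;
using System.Configuration;
using System.Linq;
using System.Web.Mvc;

// Hypothetical helper: single source of the per-customer salt for issuing and validating.
public static class AntiForgerySalt
{
    public static string Value
    {
        get
        {
            // "AntiForgeryTokenSalt" is an assumed <appSettings> key name.
            string salt = ConfigurationManager.AppSettings["AntiForgeryTokenSalt"];
            // Fail closed: never fall back to validating with an empty salt.
            if (string.IsNullOrEmpty(salt))
                throw new ConfigurationErrorsException("AntiForgeryTokenSalt is missing from appSettings.");
            return salt;
        }
    }

    // Views call Html.AntiForgeryTokenWithSalt() so issued tokens match the filter.
    public static MvcHtmlString AntiForgeryTokenWithSalt(this HtmlHelper html)
    {
        return html.AntiForgeryToken(Value);
    }
}

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public class ValidateAntiForgeryTokenWrapperAttribute : FilterAttribute, IAuthorizationFilter
{
    private readonly AcceptVerbsAttribute _verbs;
    private readonly ValidateAntiForgeryTokenAttribute _validator;

    public ValidateAntiForgeryTokenWrapperAttribute(HttpVerbs verbs)
    {
        _verbs = new AcceptVerbsAttribute(verbs);
        // Set in the constructor body at runtime, so the constant-expression
        // rule for attribute arguments does not apply here.
        _validator = new ValidateAntiForgeryTokenAttribute { Salt = AntiForgerySalt.Value };
    }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");
        // Validate only the verbs the attribute was declared with (e.g. POST).
        string method = filterContext.HttpContext.Request.GetHttpMethodOverride();
        if (_verbs.Verbs.Contains(method, StringComparer.OrdinalIgnoreCase))
            _validator.OnAuthorization(filterContext);
    }
}
```

Changing the configured salt invalidates tokens already rendered into open forms, so users with a stale page will fail validation until they reload it.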
