Accessing QueryString in a custom AuthorizeAttribute


Problem description


I am using Web API and have setup a simple authentication and authorization mechanism where the caller passes a token that I have issued to them in the query string. So they submit a request like:

https://mysite.com/api/Ping?token=[issued-token]


I have an ApiAuthorizeAttribute like this:

public class ApiAuthorizeAttribute : System.Web.Http.AuthorizeAttribute
{
    public ApiPermission Permission { get; set; }

    public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
    {
        switch (Permission)
        {
            case ApiPermission.None:
                return;

            case ApiPermission.Write:
            case ApiPermission.Read:

                string query = actionContext.Request.RequestUri.Query;
                var nvc = System.Web.HttpUtility.ParseQueryString(query);
                string token = nvc["token"];

                // (my code to map the token to an Authorization for the request)
                ApiAuthorization auth = ApiToken.GetAuthorization(token);
                if (auth != null && auth.HasPermission(Permission))
                    return;

                HandleUnauthorizedRequest(actionContext);
                return;

            default:
                throw new ArgumentException("Unexpected Permission");
        }
    }
}


Then I can decorate my APIs like this. Note: this is just an example, a real call would read data from their account (an account identifier is encrypted within their token) and return it.

/// <summary>
/// Ping service that requires a Token with Read permission
/// Returns "Success!"
/// </summary>
[ApiAuthorize(Permission = ApiPermission.Read)]
[HttpGet]
public string Ping()
{
    return "Success!";
}


As you might note, I could not access the QueryString anywhere from the HttpActionContext parameter and had to build it myself. It seems like they explicitly removed QueryString from this Request object. I don't want to add "token" to each and every API method in order to get it in the Route Data.

So my questions are:

  1. Is the QueryString somewhere in there that I am just missing? If not, any idea why Microsoft chose not to include it in this Request object? (i.e. perhaps it is a bad thing to do?)

  2. Is there a better way to handle getting the token in the AuthorizeAttribute (again, without adding it to every call)?


BTW, I realize there are other (probably better) options for authorization such as Basic Authentication and OAuth, and I do not want to debate that topic here.

Recommended answer


While Adam Tal's answer is perfectly valid, in the Web API new world order you really do not want to use anything from the System.Web namespace; in fact you don't even want to reference it. Alas you can get to the querystring from the GetQueryNameValuePairs() extension method. That will let you cut System.Web boat anchor loose and still get to what you need.

var queryString = actionContext.Request
        .GetQueryNameValuePairs()
        .ToDictionary(x => x.Key, x => x.Value);
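The following is an added example, not code from the question or the answer above: it rewrites the question's ApiAuthorizeAttribute so that the token is read through GetQueryNameValuePairs() (an extension method in the System.Net.Http namespace of the Web API assemblies) with no reference to System.Web, and it overrides IsAuthorized rather than OnAuthorization so the base class still handles [AllowAnonymous] and the unauthorized response. ApiPermission, ApiAuthorization and ApiToken.GetAuthorization are the question's own names; the bodies given for them here are a constructed in-memory stand-in for the encrypted account token the question describes, not the asker's real implementation.

```csharp
// Added example: token lookup from the query string without System.Web.
// ApiPermission / ApiAuthorization / ApiToken are the question's names; the
// bodies below are a constructed stand-in, not the question's real code.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;

public enum ApiPermission { None, Read, Write }

public sealed class ApiAuthorization
{
    private readonly ApiPermission _granted;
    public ApiAuthorization(ApiPermission granted) { _granted = granted; }

    // Constructed rule for this example: a Write token also satisfies Read.
    public bool HasPermission(ApiPermission required) =>
        required == ApiPermission.None ||
        required == _granted ||
        _granted == ApiPermission.Write;
}

public static class ApiToken
{
    // Constructed sample tokens standing in for the question's issued tokens.
    private static readonly Dictionary<string, ApiAuthorization> Issued =
        new Dictionary<string, ApiAuthorization>(StringComparer.Ordinal)
        {
            { "example-read-token",  new ApiAuthorization(ApiPermission.Read)  },
            { "example-write-token", new ApiAuthorization(ApiPermission.Write) },
        };

    public static ApiAuthorization GetAuthorization(string token) =>
        token != null && Issued.TryGetValue(token, out var auth) ? auth : null;
}

public class ApiAuthorizeAttribute : AuthorizeAttribute
{
    public ApiPermission Permission { get; set; }

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        if (Permission == ApiPermission.None)
            return true;

        // GetQueryNameValuePairs() already URL-decodes and splits the query,
        // so no System.Web.HttpUtility call is needed. Keys are matched
        // case-insensitively; a request that repeats "token" is rejected
        // instead of silently using whichever copy came first.
        var tokens = actionContext.Request
            .GetQueryNameValuePairs()
            .Where(kv => string.Equals(kv.Key, "token", StringComparison.OrdinalIgnoreCase))
            .Select(kv => kv.Value)
            .ToList();

        if (tokens.Count != 1 || string.IsNullOrWhiteSpace(tokens[0]))
            return false;

        ApiAuthorization auth = ApiToken.GetAuthorization(tokens[0]);
        return auth != null && auth.HasPermission(Permission);
    }
}

// Usage is unchanged from the question: the attribute decorates the action.
public class PingController : ApiController
{
    [ApiAuthorize(Permission = ApiPermission.Read)]
    [HttpGet]
    public string Ping() => "Success!";
}
```

Returning false from IsAuthorized makes the base AuthorizeAttribute call HandleUnauthorizedRequest, which produces the 401 response, so the switch and the explicit HandleUnauthorizedRequest call from the question are no longer needed. One caveat worth keeping in mind with this design regardless of how the value is parsed: a token carried in the query string is written to web-server and proxy access logs and can leak through Referer headers, which is part of why the asker's aside about Basic Authentication or OAuth being the better long-term option holds.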
