Should I be using an IAuthorizationFilter if I wish to create an ApiKey restricted resource with ASP.NET MVC4?


Question

I have a few simple routes which I wish to restrict via a simple querystring param. If the key is incorrect or not provided, then I wish to throw a NotAuthorizedException.

Please don't suggest I use WebApi or the equiv - I can't just yet in this scenario.

So I'm not sure if I should be implementing an IAuthorizationFilter or implementing an IActionFilter or even something else.

My code logic?

  • Check querystring for key.
  • Check my RavenDb (repository) for a user with that key/value.

If they fail any of those checks, then throw the NotAuthorizedException.

I'm assuming I would then decorate my action method with this filter. I'm also assuming I would need to pass in my repository into this action method also?

Any suggestions please?

Solution

So I'm not sure if I should be implementing an IAuthorizationFilter or implementing an IActionFilter or even something else.

You should be implementing an IAuthorizationFilter:

using System;
using System.Web.Mvc;

public class MyAuthorizeAttribute: FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var key = filterContext.HttpContext.Request.QueryString["param_name"];
        if (!IsValid(key))
        {
            // Unauthorized!
            filterContext.Result = new HttpUnauthorizedResult();
        }
    }

    private bool IsValid(string key)
    {
        // You know what to do here => go hit your RavenDb
        // and perform the necessary checks
        throw new NotImplementedException();
    }
}

And if you wanted to use dependency injection into your custom action filter you could take a look at the following article (http://odetocode.com/blogs/scott/archive/2011/01/20/injectable-configurable-action-filters.aspx) in which you could implement a custom filter provider (IFilterProvider). You could have a marker attribute which you may use on controller actions and then have this custom filter provider simply look whether the action is decorated with this marker attribute and apply the custom authorization filter.

For example:

public class MyAuthorizeAttribute: Attribute
{

}

and your authorization filter will only implement the IAuthorizationFilter, it won't be a FilterAttribute:

public class MyAuthorizationFilter: IAuthorizationFilter
{
    private readonly ISomeRepository repository;
    public MyAuthorizationFilter(ISomeRepository repository)
    {
        this.repository = repository;
    }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var key = filterContext.HttpContext.Request.QueryString["param_name"];
        if (!IsValid(key))
        {
            // Unauthorized!
            filterContext.Result = new HttpUnauthorizedResult();
        }
    }

    private bool IsValid(string key)
    {
        // You know what to do here => go hit your RavenDb
        // and perform the necessary checks
        throw new NotImplementedException();
    }
}

and then you will have the custom filter provider:

using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;

public class MyFilterProvider : IFilterProvider
{
    public IEnumerable<Filter> GetFilters(ControllerContext controllerContext, ActionDescriptor actionDescriptor)
    {
        if (actionDescriptor.GetCustomAttributes(typeof(MyAuthorizeAttribute), true).Any())
        {
            var filter = DependencyResolver.Current.GetService<MyAuthorizationFilter>();
            yield return new Filter(filter, FilterScope.Global);
        }

        yield break;
    }
}

that will be registered in your Application_Start:

FilterProviders.Providers.Add(new MyFilterProvider());
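
One way to fill in the IsValid placeholder from the answer above, as an added example that is not the answerer's code. The ISomeRepository member FindUserIdByApiKeyHash, the InMemoryRepository stand-in and the ApiKeyFilter name are assumptions, and keys are assumed to be random high-entropy tokens, so an unsalted SHA-256 hash is enough for storage.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web.Mvc;

// Assumed shape of the answer's ISomeRepository; the page never shows its members.
public interface ISomeRepository
{
    string FindUserIdByApiKeyHash(string apiKeyHash); // null when no user owns the key
}

// Constructed in-memory stand-in for the RavenDb-backed repository.
public class InMemoryRepository : ISomeRepository
{
    private readonly Dictionary<string, string> users = new Dictionary<string, string>();
    public void AddUser(string userId, string apiKey) { users[ApiKeyFilter.Hash(apiKey)] = userId; }
    public string FindUserIdByApiKeyHash(string apiKeyHash)
    {
        string userId;
        return users.TryGetValue(apiKeyHash, out userId) ? userId : null;
    }
}

public class ApiKeyFilter : IAuthorizationFilter
{
    private readonly ISomeRepository repository;
    public ApiKeyFilter(ISomeRepository repository) { this.repository = repository; }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var key = filterContext.HttpContext.Request.QueryString["param_name"];
        if (!IsValid(key))
            filterContext.Result = new HttpUnauthorizedResult();
    }

    // Missing, blank and unknown keys all fail closed.
    public bool IsValid(string key)
    {
        if (string.IsNullOrWhiteSpace(key)) return false;
        return repository.FindUserIdByApiKeyHash(Hash(key)) != null;
    }

    // Only the SHA-256 hash is stored and looked up, so the store never holds usable keys.
    public static string Hash(string apiKey)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(apiKey)));
    }
}
```

Keys sent in the query string are recorded in web server access logs, so those logs need the same protection as the keys themselves.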
