Contextual serialization from WebApi endpoint based on permissions


Question


I am using the Asp.Net Web Api. I would like to be able to filter out certain fields on the response objects based on the connected clients access rights.

For example:

class Foo
{
    [AccessFilter("Uberlord")]
    string Wibble { get; set; }

    string Wobble { get; set; }
}


When returning data the field Wibble should only be returned if the current user's context can satisfy the value of "Uberlord".


There are three avenues that I am exploring but I have not got a working solution:


  1. 自定义的WebAPI MediaTypeFormatter。

  2. 自定义json.net IContractResolver。

  3. 某种形式的AOP包装为控制器,操纵响应对象

My issues with these are:


  • 自定义格式不觉得这样做合适的位置,但可能是唯一的选择。

  • 自定义JSON序列将不能访问当前上下文,所以我将不得不工作了这一点。

  • 与前两个选项,你就需要为每个响应格式,JSON,XML,一些自定义的格式等具体实现这意味着,如果支持的另一种反应类型,然后自定义格式/串行器需要prevent敏感数据的泄漏。

  • 的AOP控制器的包装将需要大量的反思。


An additional bonus would be to strip out values from the fields on an inbound request object using the same mechanism.


Have I missed an obvious hook? Has this been solved by another way?

Accepted answer


It was actually a lot simpler than I first thought. What I did not realise is that the DelegatingHandler can be used to manipulate the response as well as the request in the Web Api Pipeline.


Delegating Handler

Delegating handlers are an extensibility point in the message pipeline allowing you to massage the Request before passing it on to the rest of the pipeline. The response message on its way back has to pass through the Delegating Handler as well, so any response can also be monitored/filtered/updated at this extensibility point.


Delegating Handlers, if required, can bypass the rest of the pipeline too and send back an Http Response themselves.


Example

Here is an example implementation of a DelegatingHandler that can either manipulate the response object or replace it altogether.

using System.Net.Http;
using System.Net.Http.Formatting;
using System.Threading;
using System.Threading.Tasks;

public class ResponseDataFilterHandler : DelegatingHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Let the rest of the pipeline (routing, controller, formatter selection) run first,
        // then post-process the response on its way back out.
        return base.SendAsync(request, cancellationToken)
            .ContinueWith(task =>
            {
                var response = task.Result;

                // Option 1: manipulate the content in place. A controller's return value is
                // wrapped in an ObjectContent whose Value is the still-unserialized object.
                // SomeObject/SomeProperty stand in for your own response type.
                var content = response.Content as ObjectContent;
                if (content != null && content.Value != null)
                {
                    ((SomeObject)content.Value).SomeProperty = null;
                }

                // Option 2: replace the content altogether. As written this line always runs,
                // so keep only one of the two options in real code.
                response.Content = new ObjectContent(typeof(object), new object(), new JsonMediaTypeFormatter());

                return response;
            });
    }
}
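The handler above hard-codes which property to clear. The following is an added example, not code from the question or the accepted answer, that ties the DelegatingHandler approach back to the attribute-driven scheme the question asked for: it walks the response object (or a collection of them) by reflection and nulls every property carrying an `[AccessFilter("role")]` attribute unless the request's principal is in that role. `AccessFilterAttribute` is assumed to be your own attribute class (the question does not define it); `Foo` is the question's type with public properties so a serializer can see them; `request.GetRequestContext()` is the Web API 2 extension that returns the principal the authentication stage attached to the request.

```csharp
using System;
using System.Collections;
using System.Net.Http;
using System.Net.Http.Formatting;
using System.Reflection;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;

// Assumed attribute (not defined on the page): marks a property that may only
// be sent to callers holding the named role.
[AttributeUsage(AttributeTargets.Property)]
public sealed class AccessFilterAttribute : Attribute
{
    public string Role { get; private set; }
    public AccessFilterAttribute(string role) { Role = role; }
}

// The question's Foo, with public properties so the media type formatter can serialize it.
public class Foo
{
    [AccessFilter("Uberlord")]
    public string Wibble { get; set; }

    public string Wobble { get; set; }
}

public class PermissionFilterHandler : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Run the rest of the pipeline first; the controller's return value comes back
        // wrapped in an ObjectContent and has not been serialized yet.
        HttpResponseMessage response = await base.SendAsync(request, cancellationToken);

        var content = response.Content as ObjectContent;
        if (content == null || content.Value == null)
            return response;

        // The principal set by the authentication filter/handler for this request.
        IPrincipal principal = request.GetRequestContext() != null
            ? request.GetRequestContext().Principal
            : null;

        StripRestrictedProperties(content.Value, principal);
        return response;
    }

    // Clears every [AccessFilter] property the principal is not entitled to.
    // Works on a single object or on any IEnumerable of objects (e.g. a List<Foo>).
    public static void StripRestrictedProperties(object value, IPrincipal principal)
    {
        if (value == null)
            return;

        var sequence = value as IEnumerable;
        if (sequence != null && !(value is string))
        {
            foreach (object item in sequence)
                StripRestrictedProperties(item, principal);
            return;
        }

        foreach (PropertyInfo prop in value.GetType().GetProperties(BindingFlags.Public | BindingFlags.Instance))
        {
            var filter = prop.GetCustomAttribute<AccessFilterAttribute>();
            if (filter == null || !prop.CanWrite)
                continue;

            // Deny by default: an unauthenticated request, or one whose principal
            // lacks the role, never sees the value.
            bool allowed = principal != null
                && principal.Identity != null
                && principal.Identity.IsAuthenticated
                && principal.IsInRole(filter.Role);

            if (!allowed)
                prop.SetValue(value, null);
        }
    }
}
```

Register the handler once in your HttpConfiguration with `config.MessageHandlers.Add(new PermissionFilterHandler());`. Because the filtering happens on the object before any formatter runs, it applies equally to JSON, XML or any other media type, which addresses the per-format concern raised in the question. Note that a nulled property is still emitted as `"Wibble": null` by the default JSON formatter; if the field name itself should not be revealed, set `NullValueHandling.Ignore` on the JsonMediaTypeFormatter's SerializerSettings.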
