自定义的WebAPI授权属性不工作 [英] WebApi Custom Authorize Attribute not working

问题描述

我需要保护我的Web API与一个或多个特定用户从Active Directory，在web.config我有以下的code：

 ＆LT; configSections＆GT;
    ＆lt;节名称=的EntityFrameworkTYPE =System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection，的EntityFramework，版本6.0.0.0 =文化=中性公钥= b77a5c561934e089requirePermission =FALSE/＆GT;    ＆lt;节名称=用户TYPE =System.Configuration.NameValueFileSectionHandler，系统，版本= 1.0.3300.0，文化=中性公钥= b77a5c561934e089/＆GT;  ＆LT; / configSections＆GT;
  ＆LT;＆用户GT;
    ＆LT;添加键=用户VALUE =域\\登录名/＆GT;
  ＆LT; /用户＆GT;
  ＆LT;＆的System.Web GT;
    ＆LT;身份验证模式=窗口/＆GT;
    ＆LT;编译调试=真targetFramework =4.5/＆GT;
    ＆LT;的httpRuntime targetFramework =4.5/＆GT;
  ＆LT; /system.web>
 

然后，我有一个自定义的授权属性，它读取上面的web.config中部分用户。

 公共类MyAuthorizeAttribute：AuthorizeAttribute
    {        公共MyAuthorizeAttribute（PARAMS字符串[] userKeys）
        {
            清单＆LT;串GT;用户=新的List＆LT;串GT;（userKeys.Length）;
            VAR ALLUSERS =（NameValueCollection中）ConfigurationManager.GetSection（用户）;
            的foreach（在userKeys VAR USERKEY）
            {
                users.Add（ALLUSERS [USERKEY]）;
            }            this.Users =的string.join（，，用户）;
        }        保护覆盖布尔AuthorizeCore（HttpContextBase的HttpContext）
        {
            布尔isAuthorized = base.AuthorizeCore（HttpContext的）;
            布尔isRequestHeaderOk = FALSE;
            返回isAuthorized＆放大器;＆安培; isRequestHeaderOk;
        }
    }
 

问题是，在授权的核心是永远不会在调试器击中，在浏览器中JSON总是甚至表示，如果我把一个硬codeD假，断点从不打那里。

然后我装饰我的控制器与自定义属性授权

  [MyAuthorize（用户）]
        [responseTyp的（typeof运算（tblCargo））]
        公共IHttpActionResult GettblCargosByActivo（）
        {
            VAR查询从C在db.tblCargos =
                        排序依据c.strCargo
                        选择C;            // VAR的结果= Newtonsoft.Json.JsonConvert.SerializeObject（查询）;
            //返回结果;            返回OK（查询）;
        }
 

和在IIS中，唯一的启用方法是Windows身份验证

当我浏览到该网站从另一台计算机，然后我得到了验证窗口，但上面显示的authoze方法不会被击中。

这是一个很好的职位，使我朝着正确的方向（我相信）
<一href=\"http://stackoverflow.com/questions/26464848/custom-authorization-in-asp-net-webapi-what-a-mess\">Custom在授权的WebAPI Asp.net - ？什么乱七八糟的

解决方案

1. 您应该使用 AuthorizeAttribute 在 System.Web.Http 而不是的System.Web .Mvc


2. 实施 IsAuthorized 代替。

---

 保护覆盖布尔IsAuthorized（HttpActionContext ActionContext中）
    {
        布尔isAuthorized = base.IsAuthorized（ActionContext中）;
        布尔isRequestHeaderOk = FALSE;
        返回isAuthorized＆放大器;＆安培; isRequestHeaderOk;
    }
 

I need to protect my web api with one or more specific users from the active directory, in the web.config I have the following code:

<configSections> 
    <section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />

    <section name="users" type="System.Configuration.NameValueFileSectionHandler,System, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />

  </configSections> 
  <users> 
    <add key="user" value="domain\loginname" /> 
  </users> 
  <system.web> 
    <authentication mode="Windows" /> 
    <compilation debug="true" targetFramework="4.5" /> 
    <httpRuntime targetFramework="4.5" /> 
  </system.web>

Then I have a custom authorize attribute which reads the user from the web.config section shown above.

public class MyAuthorizeAttribute : AuthorizeAttribute
    {

        public MyAuthorizeAttribute(params string[] userKeys)
        {
            List<string> users = new List<string>(userKeys.Length); 
            var allUsers = (NameValueCollection)ConfigurationManager.GetSection("users");
            foreach (var userKey in userKeys)
            {
                users.Add(allUsers[userKey]);
            }

            this.Users = string.Join(",", users);
        }

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            bool isAuthorized = base.AuthorizeCore(httpContext);
            bool isRequestHeaderOk = false;
            return isAuthorized && isRequestHeaderOk;
        }
    }

The problem is that the Authorize Core is never hit in the debugger, the JSON in the browser is always shown even if I put a hardcoded false , the breakpoint is never hit there.

Then I decorate my controllers with the custom authorize attribute

[MyAuthorize("user")]
        [ResponseType(typeof(tblCargo))]
        public IHttpActionResult GettblCargosByActivo()
        {
            var query = from c in db.tblCargos
                        orderby c.strCargo
                        select c;

            //var result = Newtonsoft.Json.JsonConvert.SerializeObject(query);
            //return result;

            return Ok(query);
        }

And in IIS, the only enabled method is Windows Authentication

when I browse to the site from another computer, then I get the authentication window, but the authoze method shown above is never hit.

THis is a nice post that lead me to the right direction (I believe) Custom Authorization in Asp.net WebApi - what a mess?

解决方案

1. You should use AuthorizeAttribute in System.Web.Http instead of System.Web.Mvc
2. Implement IsAuthorized instead.

---

protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        bool isAuthorized = base.IsAuthorized(actionContext);
        bool isRequestHeaderOk = false;
        return isAuthorized && isRequestHeaderOk;
    }

这篇关于自定义的WebAPI授权属性不工作的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！