自定义的WebAPI授权属性不工作 [英] WebApi Custom Authorize Attribute not working
问题描述
我需要保护我的Web API与一个或多个特定用户从Active Directory,在web.config我有以下的code:
< configSections>
<节名称=的EntityFrameworkTYPE =System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection,的EntityFramework,版本6.0.0.0 =文化=中性公钥= b77a5c561934e089requirePermission =FALSE/> <节名称=用户TYPE =System.Configuration.NameValueFileSectionHandler,系统,版本= 1.0.3300.0,文化=中性公钥= b77a5c561934e089/> < / configSections>
<&用户GT;
<添加键=用户VALUE =域\\登录名/>
< /用户>
<&的System.Web GT;
<身份验证模式=窗口/>
<编译调试=真targetFramework =4.5/>
<的httpRuntime targetFramework =4.5/>
< /system.web>
然后,我有一个自定义的授权属性,它读取上面的web.config中部分用户。
公共类MyAuthorizeAttribute:AuthorizeAttribute
{ 公共MyAuthorizeAttribute(PARAMS字符串[] userKeys)
{
清单<串GT;用户=新的List<串GT;(userKeys.Length);
VAR ALLUSERS =(NameValueCollection中)ConfigurationManager.GetSection(用户);
的foreach(在userKeys VAR USERKEY)
{
users.Add(ALLUSERS [USERKEY]);
} this.Users =的string.join(,,用户);
} 保护覆盖布尔AuthorizeCore(HttpContextBase的HttpContext)
{
布尔isAuthorized = base.AuthorizeCore(HttpContext的);
布尔isRequestHeaderOk = FALSE;
返回isAuthorized&放大器;&安培; isRequestHeaderOk;
}
}
问题是,在授权的核心是永远不会在调试器击中,在浏览器中JSON总是甚至表示,如果我把一个硬codeD假,断点从不打那里。
然后我装饰我的控制器与自定义属性授权
[MyAuthorize(用户)]
[responseTyp的(typeof运算(tblCargo))]
公共IHttpActionResult GettblCargosByActivo()
{
VAR查询从C在db.tblCargos =
排序依据c.strCargo
选择C; // VAR的结果= Newtonsoft.Json.JsonConvert.SerializeObject(查询);
//返回结果; 返回OK(查询);
}
和在IIS中,唯一的启用方法是Windows身份验证
当我浏览到该网站从另一台计算机,然后我得到了验证窗口,但上面显示的authoze方法不会被击中。
这是一个很好的职位,使我朝着正确的方向(我相信)
<一href=\"http://stackoverflow.com/questions/26464848/custom-authorization-in-asp-net-webapi-what-a-mess\">Custom在授权的WebAPI Asp.net - ?什么乱七八糟的
- 您应该使用
AuthorizeAttribute
在System.Web.Http
而不是的System.Web .Mvc
- 实施
IsAuthorized
代替。
保护覆盖布尔IsAuthorized(HttpActionContext ActionContext中)
{
布尔isAuthorized = base.IsAuthorized(ActionContext中);
布尔isRequestHeaderOk = FALSE;
返回isAuthorized&放大器;&安培; isRequestHeaderOk;
}
I need to protect my web api with one or more specific users from the active directory, in the web.config I have the following code:
<configSections>
<section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
<section name="users" type="System.Configuration.NameValueFileSectionHandler,System, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
</configSections>
<users>
<add key="user" value="domain\loginname" />
</users>
<system.web>
<authentication mode="Windows" />
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
</system.web>
Then I have a custom authorize attribute which reads the user from the web.config section shown above.
public class MyAuthorizeAttribute : AuthorizeAttribute
{
public MyAuthorizeAttribute(params string[] userKeys)
{
List<string> users = new List<string>(userKeys.Length);
var allUsers = (NameValueCollection)ConfigurationManager.GetSection("users");
foreach (var userKey in userKeys)
{
users.Add(allUsers[userKey]);
}
this.Users = string.Join(",", users);
}
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
bool isAuthorized = base.AuthorizeCore(httpContext);
bool isRequestHeaderOk = false;
return isAuthorized && isRequestHeaderOk;
}
}
The problem is that the Authorize Core is never hit in the debugger, the JSON in the browser is always shown even if I put a hardcoded false , the breakpoint is never hit there.
Then I decorate my controllers with the custom authorize attribute
[MyAuthorize("user")]
[ResponseType(typeof(tblCargo))]
public IHttpActionResult GettblCargosByActivo()
{
var query = from c in db.tblCargos
orderby c.strCargo
select c;
//var result = Newtonsoft.Json.JsonConvert.SerializeObject(query);
//return result;
return Ok(query);
}
And in IIS, the only enabled method is Windows Authentication
when I browse to the site from another computer, then I get the authentication window, but the authoze method shown above is never hit.
THis is a nice post that lead me to the right direction (I believe) Custom Authorization in Asp.net WebApi - what a mess?
- You should use
AuthorizeAttribute
inSystem.Web.Http
instead ofSystem.Web.Mvc
- Implement
IsAuthorized
instead.
protected override bool IsAuthorized(HttpActionContext actionContext)
{
bool isAuthorized = base.IsAuthorized(actionContext);
bool isRequestHeaderOk = false;
return isAuthorized && isRequestHeaderOk;
}
这篇关于自定义的WebAPI授权属性不工作的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!