Accessing post or get parameters in custom authorization MVC4 Web Api


Problem description

Is it possible to access post or get parameters via the HttpActionContext object?

I have a set of sensors that log data to a web server that provides a REST API. I would like to introduce some sort of authentication/authorization by letting the sensors include their hardware id in the data and then make a lookup in a database to see if the id exists or not. Since the API provides many Web API action methods, I would ideally like to use a custom authorization attribute:

public class ApiAuthorizationFilter : AuthorizeAttribute
{
    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        return false;
    }
}

How can I access the post/get data from the actionContext?

Edit: Example of POST

POST /Api/api/ActionMethod/ HTTP/1.1\r\n
Content-Type: application/json\r\n
Host: localhost\r\n
Accept: */*\r\n
Content-Length:52\r\n
\r\n
{"Id": '121a222bc', "Time": '2012-02-02 12:00:00'}\r\n

Have a nice day!

Recommended answer

Due to its nature the AuthorizeAttribute looks like it is called in the pipeline before the model binders and parameter bindings have run. You also run into issues when you access the Request.Content and read from it... this can only be done once (http://blogs.msdn.com/b/jmstall/archive/2012/04/16/how-webapi-does-parameter-binding.aspx) and if you are going to try it in your auth attribute you may break the MediaTypeFormatter...

In WebAPI, the request body (an HttpContent) may be a read-only, infinite, non-buffered, non-rewindable stream.

Update: There are different ways of specifying the execution context... http://msdn.microsoft.com/en-us/library/system.web.http.filters.filterscope(v=vs.108).aspx. The AuthorizeAttribute is "Global" and therefore it is hit too early to access the action information.

Given you want access to the model and parameters you can change your approach slightly and use an OnActionExecuting filter ("Action" filter scope) instead and throw a 401 or 403 based on your validation.

This filter is called later in the execution process and you therefore have full access to the bound data.

Very simple example below:

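using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

public class ApiAuthorizationFilter : ActionFilterAttribute
{
    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        // Arguments are already bound here; the keys are the action's parameter names.
        Foo model = (Foo)actionContext.ActionArguments["model"];
        string param1 = (string)actionContext.ActionArguments["param1"];
        // param2 is declared as int? on the action, so it may be null.
        int? param2 = (int?)actionContext.ActionArguments["param2"];

        // A missing or unbindable body leaves model null; reject that as well.
        if (model == null || model.Id != "1")
            throw new HttpResponseException(System.Net.HttpStatusCode.Forbidden);

        base.OnActionExecuting(actionContext);
    }
}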

Example controller:

public class Foo
{
    public string Id { get; set; }
    public DateTime Time { get; set; }
}

public class FoosController : ApiController
{
    // PUT api/foos/5
    [ApiAuthorizationFilter]
    public Foo Put(int id, Foo model, [FromUri]string param1 = null, int? param2 = null)
    {
        return model;
    }
}

What the other answers were saying... they are right, you can, if you can access all you need on the URL, get at stuff via the request; however, I think the model and the request content should be left alone:

// Requires: using System.Linq; using System.Web;
var queryStringCollection = HttpUtility.ParseQueryString(actionContext.Request.RequestUri.Query);

// example for param1
string param1 = queryStringCollection["param1"];
// example for param2 (optional, so it may be absent or not a number)
int parsed;
int? param2 = int.TryParse(queryStringCollection["param2"], out parsed) ? parsed : (int?)null;
// Example of getting the ID from the URL
var id = actionContext.Request.RequestUri.Segments.LastOrDefault();
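
An added example, not part of the original answer: the action-filter approach applied to the question's sensor id check, written so it works across many action methods without depending on a parameter name. `ISensorPayload`, `KnownSensorFilter` and the in-memory `KnownIds` set are hypothetical names; the set stands in for the database lookup, and `Foo` would need to implement the interface.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical marker for any request model that carries the sensor's hardware id.
public interface ISensorPayload
{
    string Id { get; }
}

public class KnownSensorFilter : ActionFilterAttribute
{
    // Constructed sample data standing in for the database lookup.
    private static readonly HashSet<string> KnownIds =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "121a222bc" };

    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        // Find the bound model by type, so the filter does not depend on
        // every action naming its parameter "model".
        ISensorPayload payload = actionContext.ActionArguments.Values
            .OfType<ISensorPayload>()
            .FirstOrDefault();

        if (payload == null || string.IsNullOrWhiteSpace(payload.Id))
        {
            // Body missing, failed to bind, or carried no id.
            actionContext.Response = actionContext.Request.CreateErrorResponse(
                HttpStatusCode.Unauthorized, "Sensor id required.");
            return;
        }

        if (!KnownIds.Contains(payload.Id))
        {
            // Id supplied but not registered.
            actionContext.Response = actionContext.Request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "Unknown sensor.");
            return;
        }

        base.OnActionExecuting(actionContext);
    }
}
```

Setting `actionContext.Response` short-circuits the pipeline, so the action never runs for a missing or unknown id. The id travels in the request body, so this check identifies a sensor rather than proving possession of a secret, and it relies on the transport to keep the id from being observed.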
