之前一直写Get方式的接口,最近在写个推的群推接口和头像上传接口时需要用Post方式进行请求。由于用Get请求进行接口的权限验证是通过拦截url中的token参数,在通过token参数去数据库中获得权限列表。但Post请求如果是参数放在请求体中那就不能用这种方式了。而且有的开发者post方式验证直接放在请求方法中验证,而不是放在filter类中。
一、拦截url中token方式的权限验证
//url获取token
var content = actionContext.Request.Properties[ConfigParas.MS_HttpContext] as HttpContextBase;
var getToken = content.Request.QueryString[ConfigParas.Token];
//如果登录不用验证
if (actionContext.ActionDescriptor.ActionName == "Login")
{
base.IsAuthorized(actionContext);
return;
}
如果是get方式或者public Task<Hashtable> ImgUpload([FromUri]string token)这种方式的post方式请求是可以拦截到Url,继而可以获得token进行验证.验证方式
if (!string.IsNullOrEmpty(getToken))
{
//进行token校验
if (!string.IsNullOrEmpty(getToken))
{
//解密用户ticket,并校验用户名密码是否匹配
var routes = new RouteCollection();
RouteConfig.RegisterRoutes(routes);
RouteData routeData = routes.GetRouteData(content);
//取出区域的控制器Action,id
string controller = actionContext.ActionDescriptor.ControllerDescriptor.ControllerName;
string action = actionContext.ActionDescriptor.ActionName;
//URL路径
string filePath = HttpContext.Current.Request.FilePath;
if (LoginUserManage.ValidateTicket(getToken) && ValiddatePermission(getToken, controller, action, filePath))
{
//已经登录,有权限,且没有单机登录限制
base.IsAuthorized(actionContext);
}
else
{
HandleUnauthorizedRequest(actionContext);
}
}
//如果取不到身份验证信息,并且不允许匿名访问,则返回未验证401
else
{
var attributes = actionContext.ActionDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().OfType<AllowAnonymousAttribute>();
bool isAnonymous = attributes.Any(a => a is AllowAnonymousAttribute);
if (isAnonymous) base.OnAuthorization(actionContext);
else HandleUnauthorizedRequest(actionContext);
}
}
上图:拦截的token及获得的权限列表,请求参数放在url的post方式以同样的拦截方式
gg.png
![4LTAKB{8]P]8TRHL(R%S406.png](http://upload-images.jianshu.io/upload_images/2087602-e78e92ab1dd6eb16.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
获取Post请求体中token对接口进行权限验证
if (content.Request.HttpMethod == "POST")
{
base.OnAuthorization(actionContext);
//获取请求消息提数据
Stream stream = actionContext.Request.Content.ReadAsStreamAsync().Result;
Encoding encoding = Encoding.UTF8;
stream.Position = 0;
string responseData = "";
using (StreamReader reader = new StreamReader(stream, encoding))
{
responseData = reader.ReadToEnd().ToString();
}
//反序列化进行处理
var serialize = new JavaScriptSerializer();
var obj = serialize.Deserialize<PushBody>(responseData);
var psotToken = obj.token;
//进行token校验
if (!string.IsNullOrEmpty(psotToken))
{
//解密用户ticket,并校验用户名密码是否匹配
//读取请求上下文中的Controller,Action,Id
var routes = new RouteCollection();
RouteConfig.RegisterRoutes(routes);
RouteData routeData = routes.GetRouteData(content);
//取出区域的控制器Action,id
string controller = actionContext.ActionDescriptor.ControllerDescriptor.ControllerName;
string action = actionContext.ActionDescriptor.ActionName;
//URL路径
string filePath = HttpContext.Current.Request.FilePath;
if (LoginUserManage.ValidateTicket(psotToken) && ValiddatePermission(psotToken, controller, action, filePath)) //if (LoginUserManage.ValidateTicket(token) && ValiddatePermission(token, controller, action, filePath))
{
//已经登录,有权限,且没有单机登录限制
base.IsAuthorized(actionContext);
}
else
{
HandleUnauthorizedRequest(actionContext);
}
}
//如果取不到身份验证信息,并且不允许匿名访问,则返回未验证401
else
{
var attributes = actionContext.ActionDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().OfType<AllowAnonymousAttribute>();
bool isAnonymous = attributes.Any(a => a is AllowAnonymousAttribute);
if (isAnonymous) base.OnAuthorization(actionContext);
else HandleUnauthorizedRequest(actionContext);
}
}
上图:
rr.png
