C# webapi 权限验证

2023-06-11 01:49•mysql•阅读 995

    /// <summary>
    /// 自定义此特性用于接口的身份验证
    /// </summary>
    public class RequestAuthorizeAttribute : AuthorizeAttribute
    {
        static readonly ILog log = LogManager.GetLogger(typeof(RequestAuthorizeAttribute));
        //重写基类的验证方式，加入我们自定义的Ticket验证
        public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
        {
            //从http请求的头里面获取身份验证信息，验证是否是请求发起方的ticket
            var authorization = actionContext.Request.Headers.Authorization;
            if ((authorization != null))
            {
                //解密用户ticket,并校验用户名密码是否匹配
                var encryptTicket = authorization.Scheme;
                log.Debug("Authorization:" + encryptTicket);
                if (ValidateTicket(encryptTicket))
                {
                    base.IsAuthorized(actionContext);
                }
                else
                {
                    HandleUnauthorizedRequest(actionContext);
                }
            }
            //如果取不到身份验证信息，并且不允许匿名访问，则返回未验证401
            else
            {
                var attributes = actionContext.ActionDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().OfType<AllowAnonymousAttribute>();
                bool isAnonymous = attributes.Any(a => a is AllowAnonymousAttribute);
                if (isAnonymous) base.OnAuthorization(actionContext);
                else HandleUnauthorizedRequest(actionContext);
            }
        }

        protected override void HandleUnauthorizedRequest(HttpActionContext actioncontext)
        {
            base.HandleUnauthorizedRequest(actioncontext);

            var response = actioncontext.Response = actioncontext.Response ?? new HttpResponseMessage();
            response.StatusCode = HttpStatusCode.Forbidden;
            var content = new
            {
                code = -1,
                success = false,
                errs = new[] { "服务端拒绝访问：你没有权限，或者掉线了" }
            };
            response.Content = new StringContent(Json.Encode(content), Encoding.UTF8, "application/json");
        }

        //校验用户名密码（正式环境中应该是数据库校验）
        private bool ValidateTicket(string encryptTicket)
        {
            if (encryptTicket.ToLower() == Config.Authorization.ToLower())
            {
                return true;
            }
            else
            {
                return false;
            }
            //解密Ticket
            var strTicket = FormsAuthentication.Decrypt(encryptTicket).UserData;

            //从Ticket里面获取用户名和密码
            var index = strTicket.IndexOf("&");
            string strUser = strTicket.Substring(0, index);
            string strPwd = strTicket.Substring(index + 1);

            if (strUser == "admin" && strPwd == "123456")
            {
                return true;
            }
            else
            {
                return false;
            }
        }
    }

方法或者控制器加上属性

    [RequestAuthorize]

来源 https://www.cnblogs.com/hnsongbiao/p/9376076.html

C# webapi 权限验证

相关推荐

C#进阶系列——WebApi 接口参数不再困惑：传参详解 C#进阶系列——WebApi 接口参数不再困惑：传参详解

IIS身份验证和文件操作权限，二、匿名身份验证

ASP.NET MVC WebApi接口授权验证

asp.net Forms身份验证和基于角色的权限访问，转

ASP.NET Core - 选项系统之选项验证

RoR: Ruby On Rails 的 Web Service 2 使用before_invocation进行验证调用权限

ASP.NET MVC View 和 Web API 的基本权限验证

开始一个简单的ASP.NET Web API 2 ，C#