jmo*_*era 10 asp.net-mvc-4 knockout.js single-page-application durandal hottowel
我正在尝试设置注册和登录Hot Towel SPA应用程序.我已经基于asp.net单页面应用程序模板创建了SimpleMembershipFilters和ValidateHttpAntiForgeryTokenAttribute .
你怎么得到的
@Html.AntiForgeryToken()
代码以Durandal SPA模式工作.
目前我有一个register.html
<section>
<h2 data-bind="text: title"></h2>
<label>Firstname:</label><input data-bind="value: firstName" type="text" />
<label>Lastname:</label><input data-bind="value: lastName" type="text" />
<label>Email:</label><input data-bind="value: emailAddress" type="text" />
<label>Company:</label><input data-bind="value: company" type="text" />
<br />
<label>Password:</label><input data-bind="value: password1" type="password" />
<label>Re-Enter Password:</label><input data-bind="value: password2" type="password" />
<input type="button" value="Register" data-bind="click: registerUser" class="btn" />
</section>
register.js:
define(['services/logger'], function (logger) {
var vm = {
activate: activate,
title: 'Register',
firstName: ko.observable(),
lastName: ko.observable(),
emailAddress: ko.observable(),
company: ko.observable(),
password1: ko.observable(),
password2: ko.observable(),
registerUser: function () {
var d = {
'FirstName': vm.firstName,
'LastName': vm.lastName,
'EmailAddress': vm.emailAddress,
'Company': vm.company,
'Password': vm.password1,
'ConfirmPassword': vm.password2
};
$.ajax({
url: 'Account/JsonRegister',
type: "POST",
data: d ,
success: function (result) {
},
error: function (result) {
}
});
},
};
return vm;
//#region Internal Methods
function activate() {
logger.log('Login Screen Activated', null, 'login', true);
return true;
}
//#endregion
});
在$ ajax调用中如何传递AntiForgeryToken?另外我如何创建令牌?
我会阅读这篇关于如何使用javascript使用防伪令牌的文章.本文是为WebApi编写的,但如果您愿意,它可以很容易地应用于MVC控制器.
简短的回答是这样的:在你的cshtml视图中:
<script>
@functions{
public string TokenHeaderValue()
{
string cookieToken, formToken;
AntiForgery.GetTokens(null, out cookieToken, out formToken);
return cookieToken + ":" + formToken;
}
}
$.ajax("api/values", {
type: "post",
contentType: "application/json",
data: { }, // JSON data goes here
dataType: "json",
headers: {
'RequestVerificationToken': '@TokenHeaderValue()'
}
});
</script>
然后在你的asp.net控制器中你需要像这样验证令牌:
void ValidateRequestHeader(HttpRequestMessage request)
{
string cookieToken = "";
string formToken = "";
IEnumerable<string> tokenHeaders;
if (request.Headers.TryGetValues("RequestVerificationToken", out tokenHeaders))
{
string[] tokens = tokenHeaders.First().Split(':');
if (tokens.Length == 2)
{
cookieToken = tokens[0].Trim();
formToken = tokens[1].Trim();
}
}
AntiForgery.Validate(cookieToken, formToken);
}
您希望在标头中传递它的原因是因为如果您在请求的查询字符串或正文中的ajax调用中将其作为参数数据参数传递.那么你将很难获得所有不同场景的防伪令牌.因为您必须反序列化主体然后找到令牌.在标题中它非常一致且易于检索.
****编辑光线**
以下是动作过滤器的示例,您可以使用该过滤器来定义web api方法以验证是否提供了antiforgerytoken.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Helpers;
using System.Web.Http.Filters;
using System.Net.Http;
using System.Net;
using System.Threading.Tasks;
using System.Web.Http.Controllers;
using System.Threading;
namespace PAWS.Web.Classes.Filters
{
public class ValidateJsonAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
public Task<HttpResponseMessage> ExecuteAuthorizationFilterAsync(HttpActionContext actionContext, CancellationToken cancellationToken, Func<Task<HttpResponseMessage>> continuation)
{
if (actionContext == null)
{
throw new ArgumentNullException("HttpActionContext");
}
if (actionContext.Request.Method != HttpMethod.Get)
{
return ValidateAntiForgeryToken(actionContext, cancellationToken, continuation);
}
return continuation();
}
private Task<HttpResponseMessage> FromResult(HttpResponseMessage result)
{
var source = new TaskCompletionSource<HttpResponseMessage>();
source.SetResult(result);
return source.Task;
}
private Task<HttpResponseMessage> ValidateAntiForgeryToken(HttpActionContext actionContext, CancellationToken cancellationToken, Func<Task<HttpResponseMessage>> continuation)
{
try
{
string cookieToken = "";
string formToken = "";
IEnumerable<string> tokenHeaders;
if (actionContext.Request.Headers.TryGetValues("RequestVerificationToken", out tokenHeaders))
{
string[] tokens = tokenHeaders.First().Split(':');
if (tokens.Length == 2)
{
cookieToken = tokens[0].Trim();
formToken = tokens[1].Trim();
}
}
AntiForgery.Validate(cookieToken, formToken);
}
catch (System.Web.Mvc.HttpAntiForgeryException ex)
{
actionContext.Response = new HttpResponseMessage
{
StatusCode = HttpStatusCode.Forbidden,
RequestMessage = actionContext.ControllerContext.Request
};
return FromResult(actionContext.Response);
}
return continuation();
}
}
}
| 归档时间: |
|
| 查看次数: |
10467 次 |
| 最近记录: |