Nik*_*hil 5 basic-authentication asp.net-mvc-3
I have an ASP.NET MVC3 RESTful service that uses basic authentication. After searching Stack Overflow, I came up with the following code.
```csharp
using System;
using System.Web.Mvc;

public class BasicAuthentication : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var req = filterContext.HttpContext.Request;
        if (String.IsNullOrEmpty(req.Headers["Authorization"]))
        {
            // No credentials at all: short-circuit the action with a 404.
            filterContext.Result = new HttpNotFoundResult();
        }
        else
        {
            // Assumes the header is "Basic <base64>" and skips the 6-character scheme prefix.
            var credentials = System.Text.ASCIIEncoding.ASCII
                .GetString(Convert.FromBase64String(req.Headers["Authorization"].Substring(6)))
                .Split(':');
            var user = new { Name = credentials[0], Password = credentials[1] };
            if (!(user.Name == "username" && user.Password == "passwords"))
            {
                filterContext.Result = new HttpNotFoundResult();
            }
        }
    }
}
```
1) Is an ActionFilterAttribute the best approach?
2) Is setting filterContext.Result the correct way to deny access to the controller method?
3) Is there anything I am doing wrong?
Thanks.
-Nick
Adr*_*man 12
1) Is an ActionFilterAttribute the best approach?
I believe so. This approach mirrors the implementation of the built-in Authorize attribute.
2) Is setting filterContext.Result the correct way to deny access to the controller method?
Yes. That's right. (1)
3) Is there anything I am doing wrong?
HttpUnauthorizedResult() sends an HTTP 401 error instead of the HTTP 404 error that HttpNotFoundResult() sends. Below is my implementation of the code (I'm sure it has its issues too).
```csharp
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
    try
    {
        if (String.IsNullOrEmpty(filterContext.HttpContext.Request.Headers["Authorization"]))
        {
            filterContext.Result = new HttpUnauthorizedResult();
        }
        else
        {
            // Only the Basic scheme is accepted; anything else is rejected below.
            if (filterContext.HttpContext.Request.Headers["Authorization"].StartsWith("Basic ", StringComparison.InvariantCultureIgnoreCase))
            {
                // Requires "using System.Text;" for ASCIIEncoding.
                string[] credentials = ASCIIEncoding.ASCII.GetString(Convert.FromBase64String(filterContext.HttpContext.Request.Headers["Authorization"].Substring(6))).Split(':');
                // Exactly one colon expected, so a password containing ':' is rejected here.
                if (credentials.Length == 2)
                {
                    if (String.IsNullOrEmpty(credentials[0]))
                    {
                        filterContext.Result = new HttpUnauthorizedResult();
                    }
                    else if (!(credentials[0] == "username" && credentials[1] == "passwords"))
                    {
                        filterContext.Result = new HttpUnauthorizedResult();
                    }
                }
                else
                {
                    filterContext.Result = new HttpUnauthorizedResult();
                }
            }
            else
            {
                filterContext.Result = new HttpUnauthorizedResult();
            }
        }
        base.OnActionExecuting(filterContext);
    }
    catch
    {
        // Malformed base64 (FormatException) or any other parsing failure ends in a 401.
        filterContext.Result = new HttpUnauthorizedResult();
    }
}
```
Notes
References
(1) http://msdn.microsoft.com/en-us/magazine/gg232768.aspx
小智 8
A refactored version of Adrian's
```csharp
using System;
using System.Text;
using System.Web;
using System.Web.Mvc;

public class BasicAuthenticationAttribute : ActionFilterAttribute
{
    private static readonly string AuthorizationHeader = "Authorization";
    private static readonly string BasicHeader = "Basic ";
    private static readonly string Username = "username";
    private static readonly string Password = "password";
    private static readonly char[] Separator = ":".ToCharArray();

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        try
        {
            if (!Authenticated(filterContext.HttpContext.Request))
                filterContext.Result = new HttpUnauthorizedResult();
            base.OnActionExecuting(filterContext);
        }
        catch
        {
            // Any decoding failure (e.g. invalid base64) is treated as unauthenticated.
            filterContext.Result = new HttpUnauthorizedResult();
        }
    }

    private bool Authenticated(HttpRequestBase httpRequestBase)
    {
        bool authenticated = false;
        if (String.IsNullOrEmpty(httpRequestBase.Headers[AuthorizationHeader]) == false &&
            httpRequestBase.Headers[AuthorizationHeader].StartsWith(BasicHeader, StringComparison.InvariantCultureIgnoreCase))
        {
            string[] credentials = Encoding.ASCII.GetString(Convert.FromBase64String(
                httpRequestBase.Headers[AuthorizationHeader].Substring(BasicHeader.Length))).Split(Separator);
            if (credentials.Length == 2 && credentials[0] == Username && credentials[1] == Password)
            {
                authenticated = true;
            }
        }
        return authenticated;
    }
}
```
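All three filters above decode the header the same way; as an added example (not code from the question or either answer), here is the same filter shape with the parsing hardened for the edge cases a practitioner would want covered: scheme check, explicit bad-base64 handling, splitting on the first colon only, constant-time comparison, and the `WWW-Authenticate` challenge on the 401. The class name, the realm string and the demo constants are assumptions.

```csharp
using System;
using System.Text;
using System.Web.Mvc;
// Added example, not from the question or answers: same filter shape, hardened parsing.
// Requires the "Basic " scheme, rejects bad base64 explicitly, splits on the FIRST colon
// (so a password may contain ':'), compares in constant time, and sends the
// WWW-Authenticate challenge a Basic-auth 401 is expected to carry (RFC 7617).
public class HardenedBasicAuthAttribute : ActionFilterAttribute
{
    // Demo-only constants (assumed); a real filter checks a credential store.
    private const string Username = "username", Password = "passwords";
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        string user, password;
        string header = filterContext.HttpContext.Request.Headers["Authorization"];
        if (!TryParseBasic(header, out user, out password)
            || !FixedTimeEquals(user, Username) || !FixedTimeEquals(password, Password))
        {
            filterContext.HttpContext.Response.AddHeader("WWW-Authenticate", "Basic realm=\"api\"");
            filterContext.Result = new HttpUnauthorizedResult();
            return;
        }
        base.OnActionExecuting(filterContext);
    }
    // False for a missing header, another scheme, invalid base64 or no colon;
    // never throws on client-controlled input.
    public static bool TryParseBasic(string header, out string user, out string password)
    {
        user = password = null;
        if (string.IsNullOrEmpty(header)
            || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) return false;
        byte[] raw;
        try { raw = Convert.FromBase64String(header.Substring(6).Trim()); }
        catch (FormatException) { return false; }
        string decoded = Encoding.UTF8.GetString(raw);
        int colon = decoded.IndexOf(':');
        if (colon < 0) return false;
        user = decoded.Substring(0, colon);
        password = decoded.Substring(colon + 1);
        return true;
    }
    // Runs in time independent of where the inputs first differ.
    private static bool FixedTimeEquals(string a, string b)
    {
        byte[] x = Encoding.UTF8.GetBytes(a), y = Encoding.UTF8.GetBytes(b);
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < x.Length && i < y.Length; i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }
}
```

One caveat when wiring this into an MVC application: if Forms Authentication is enabled, ASP.NET rewrites the 401 into a 302 redirect to the login page, so an API that relies on the Basic challenge needs Forms Authentication turned off for those routes.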