[C#] Web API: verifying GET and POST interface requests in a filter

Until now I had only written GET-style interfaces. Recently, while writing a Getui group-push interface and an avatar-upload interface, the requests had to be sent with POST. Permission verification for GET requests works by intercepting the token parameter in the URL and then using that token to fetch the permission list from the database. That approach no longer works for a POST request whose parameters are carried in the request body. Also, some developers put the verification of POST requests directly in the action method rather than in a filter class.

1. Permission verification by intercepting the token in the URL

```csharp
// Get the token from the URL
var content = actionContext.Request.Properties[ConfigParas.MS_HttpContext] as HttpContextBase;
var getToken = content.Request.QueryString[ConfigParas.Token];
// The login action itself needs no verification
if (actionContext.ActionDescriptor.ActionName == "Login")
{
    base.IsAuthorized(actionContext);
    return;
}
```

For a GET request, or for a POST request declared like public Task ImgUpload([FromUri]string token), the URL can be intercepted and the token read from it for verification. The verification looks like this:

```csharp
// Verify the token. In the original this check was nested inside an identical outer
// if with no else branch, so a request with an empty token fell through without ever
// reaching HandleUnauthorizedRequest; the redundant outer check has been removed.
if (!string.IsNullOrEmpty(getToken))
{
    // Decrypt the user's ticket and check that user name and password match
    var routes = new RouteCollection();
    RouteConfig.RegisterRoutes(routes);
    RouteData routeData = routes.GetRouteData(content);
    // Take the controller, action and id of the area
    string controller = actionContext.ActionDescriptor.ControllerDescriptor.ControllerName;
    string action = actionContext.ActionDescriptor.ActionName;
    // URL path
    string filePath = HttpContext.Current.Request.FilePath;
    if (LoginUserManage.ValidateTicket(getToken) && ValiddatePermission(getToken, controller, action, filePath))
    {
        // Logged in, has permission, and no single-machine login restriction
        base.IsAuthorized(actionContext);
    }
    else
    {
        HandleUnauthorizedRequest(actionContext);
    }
}
// No authentication information and anonymous access not allowed: return 401
else
{
    // Type argument restored; it was lost when the page was extracted
    var attributes = actionContext.ActionDescriptor.GetCustomAttributes<Attribute>();
    bool isAnonymous = attributes.Any(a => a is AllowAnonymousAttribute);
    if (isAnonymous)
        base.OnAuthorization(actionContext);
    else
        HandleUnauthorizedRequest(actionContext);
}
```

Figure below: the intercepted token and the permission list obtained from it. A POST request that carries its parameters in the URL is intercepted in the same way.

![Intercepted token and permission list (gg.png)](http://upload-images.jianshu.io/upload_images/2087602-e78e92ab1dd6eb16.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
2. Permission verification using the token from the POST request body

```csharp
if (content.Request.HttpMethod == "POST")
{
    base.OnAuthorization(actionContext);
    // Read the request body
    Stream stream = actionContext.Request.Content.ReadAsStreamAsync().Result;
    Encoding encoding = Encoding.UTF8;
    stream.Position = 0;
    string responseData = "";
    using (StreamReader reader = new StreamReader(stream, encoding))
    {
        responseData = reader.ReadToEnd();
    }
    // Deserialize the body. The type argument was lost when the page was extracted;
    // a dictionary lookup is used here so a missing "token" field yields null, not an exception.
    var serialize = new JavaScriptSerializer();
    var obj = serialize.Deserialize<Dictionary<string, object>>(responseData);
    object tokenValue;
    string postToken = obj != null && obj.TryGetValue("token", out tokenValue) ? tokenValue as string : null;
    // Verify the token
    if (!string.IsNullOrEmpty(postToken))
    {
        // Decrypt the user's ticket and check that user name and password match
        // Read controller, action and id from the request context
        var routes = new RouteCollection();
        RouteConfig.RegisterRoutes(routes);
        RouteData routeData = routes.GetRouteData(content);
        // Take the controller, action and id of the area
        string controller = actionContext.ActionDescriptor.ControllerDescriptor.ControllerName;
        string action = actionContext.ActionDescriptor.ActionName;
        // URL path
        string filePath = HttpContext.Current.Request.FilePath;
        if (LoginUserManage.ValidateTicket(postToken) && ValiddatePermission(postToken, controller, action, filePath))
        {
            // Logged in, has permission, and no single-machine login restriction
            base.IsAuthorized(actionContext);
        }
        else
        {
            HandleUnauthorizedRequest(actionContext);
        }
    }
    // No authentication information and anonymous access not allowed: return 401
    else
    {
        // Type argument restored; it was lost when the page was extracted
        var attributes = actionContext.ActionDescriptor.GetCustomAttributes<Attribute>();
        bool isAnonymous = attributes.Any(a => a is AllowAnonymousAttribute);
        if (isAnonymous)
            base.OnAuthorization(actionContext);
        else
            HandleUnauthorizedRequest(actionContext);
    }
}
```
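As an added example (not the article's own code), the two paths above combined into one filter: the token is read from the query string for GET and [FromUri] POST requests, then from a JSON body for other POST requests, the body stream is rewound so parameter binding still sees it, and a missing or invalid token is rejected. It assumes the article's ConfigParas.Token, LoginUserManage.ValidateTicket and ValiddatePermission helpers are available to the filter; TokenAuthorizeAttribute and ExtractToken are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net.Http;
using System.Text;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Script.Serialization;
// Hypothetical filter. ConfigParas.Token, LoginUserManage.ValidateTicket and
// ValiddatePermission are the article's own helpers and are assumed to exist.
public class TokenAuthorizeAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var descriptor = actionContext.ActionDescriptor;
        // [AllowAnonymous] on the action or its controller skips the check entirely
        if (descriptor.GetCustomAttributes<AllowAnonymousAttribute>().Any() ||
            descriptor.ControllerDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().Any()) return;
        string token = ExtractToken(actionContext.Request);
        string controller = descriptor.ControllerDescriptor.ControllerName;
        string action = descriptor.ActionName;
        string filePath = actionContext.Request.RequestUri.AbsolutePath;
        // A missing token is rejected here rather than silently allowed through
        if (string.IsNullOrEmpty(token)
            || !LoginUserManage.ValidateTicket(token)
            || !ValiddatePermission(token, controller, action, filePath))
            HandleUnauthorizedRequest(actionContext); // responds 401 and stops the pipeline
    }
    // Query string first (GET and [FromUri] POST), then a JSON body {"token": "..."}.
    internal static string ExtractToken(HttpRequestMessage request)
    {
        string fromUri = request.GetQueryNameValuePairs()
            .FirstOrDefault(kv => kv.Key == ConfigParas.Token).Value;
        if (!string.IsNullOrEmpty(fromUri)) return fromUri;
        if (request.Method != HttpMethod.Post || request.Content == null) return null;
        Stream body = request.Content.ReadAsStreamAsync().Result;
        if (!body.CanSeek) return null;
        body.Position = 0;
        string json;
        using (var reader = new StreamReader(body, Encoding.UTF8, false, 1024, leaveOpen: true))
            json = reader.ReadToEnd();
        body.Position = 0; // rewind so parameter binding can still read the body
        Dictionary<string, object> fields;
        try { fields = new JavaScriptSerializer().Deserialize<Dictionary<string, object>>(json); }
        catch (ArgumentException) { return null; } // body was not valid JSON
        object value;
        return fields != null && fields.TryGetValue(ConfigParas.Token, out value) ? value as string : null;
    }
}
```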

Figure: rr.png (token read from the POST body and the resulting permission list)
