Headers disappearing when using HttpSelfHostServer

左心房为你撑大大i 提交于 2019-12-13 04:12:04

问题


I'm in the process of migrating a rather extensive REST service from WCF to ASP.NET WebAPI. We are using the Authorization header to send tokens from client to the server, and I implemented a DelegateHandler with code that responds with a 401 as soon as it sees there is no valid Authorization header. A simplification of the code can be seen here:

public class AuthenticationHandler : DelegatingHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        if (request == null) throw new ArgumentNullException("request");
        return !IsClientAuthorized(request)
            ? Task<HttpResponseMessage>.Factory.StartNew(() => new HttpResponseMessage(HttpStatusCode.Unauthorized))
            : base.SendAsync(request, cancellationToken);
    }

    private bool IsClientAuthorized(HttpRequestMessage request)
    {
        return request != null && !string.IsNullOrEmpty(request.Headers.Authorization.ToString());
    }
}

It works fine when hosted in IIS, but for integration tests I am using HttpSelfHostServer, and here the Authorization header is not present on the HttpRequestMessage, even though I can see it was sent on the Fiddler trace.

I tried to make a really simple WebAPI application using self hosting to verify that the problem is consistent, but unfortunately it works as expected there. So it must be related to my code somehow, but I am completely blank to what is causing it.

Has anyone else seen this behavior, or does anyone have suggestions for how to trace where in the WebAPI stack it goes wrong?


回答1:


The problem turned out to be caused by the format of the Authorization header being sent. We would expect the Authorization header to look something like this:

Authorization: 42w4hGtmB7blLOXjcsx8AIbBEhxNpQpj3VNnf89vvjAkJEoX9S+JtmkYZcth+B9y/8Cc3tm1XDOFxGTqN1Hi2Q==

This worked fine under WCF, but it is not formatted according to the HTTP standard, which expects a scheme and a value. For example:

Authorization: XAPI 42w4hGtmB7blLOXjcsx8AIbBEhxNpQpj3VNnf89vvjAkJEoX9S+JtmkYZcth+B9y/8Cc3tm1XDOFxGTqN1Hi2Q==

My guess is that with only the value in the header, Web API would regard this as the scheme, and only certain characters are allowed in here. When I added XAPI as the scheme and used the same value everything worked fine, and the Authorization header was available to my code on HttpRequestMessage.Headers.Authorization.

However I think it is a bug in Web API, that the request is allowed to proceed and the header is just ignored, if it had an invalid format. I would expect it to respond with a 400 Bad Request if a header was invalid according to specification.



来源:https://stackoverflow.com/questions/9772810/headers-disappearing-when-using-httpselfhostserver

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!