asp.net MVC Custom Filters [RESTAuthorize] is ignored

别说谁变了你拦得住时间么 提交于 2019-12-14 03:57:02

问题


The [RESTAuthorize] attribute is being ignored: execution goes straight into the action that gets all the countries, without the authorization filter ever running.

Here is the code for the RESTAuthorize attribute:

using System; 
using System.Collections.Generic; 
using System.Linq; 
using System.Web; 
using System.Web.Mvc; 
using MyWebsite.Repository;

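namespace MyWebsite.API.Attributes
{
    /// <summary>
    /// ASP.NET MVC authorization filter that accepts a request only when the
    /// security repository validates the request's "token" parameter together
    /// with the caller's IP address and User-Agent.
    /// </summary>
    /// <remarks>
    /// The base class is resolved through <c>using System.Web.Mvc</c>, so this is an
    /// MVC filter. NOTE(review): confirm which pipeline the decorated controller
    /// runs in. Web API actions are filtered through
    /// System.Web.Http.AuthorizeAttribute; an MVC attribute placed on such an
    /// action is never invoked and the action runs without any authorization check.
    /// </remarks>
    public class RESTAuthorizeAttribute : AuthorizeAttribute
    {
        // Name of the request parameter that carries the security token.
        private const string _securityToken = "token";

        // Set once in the constructor; readonly so it cannot be swapped afterwards.
        private readonly ISecurityRepository _repository;

        /// <summary>
        /// Creates the filter with the default <c>SecurityRepository</c>. Attribute
        /// syntax can only use this parameterless constructor.
        /// </summary>
        public RESTAuthorizeAttribute()
            : this(new SecurityRepository())
        {
        }

        /// <summary>
        /// Creates the filter with an explicit repository.
        /// </summary>
        /// <param name="repository">Repository used to resolve the client IP and validate the token.</param>
        public RESTAuthorizeAttribute(ISecurityRepository repository)
        {
            _repository = repository;
        }

        /// <summary>
        /// Lets the request through when the token validates; otherwise hands it to
        /// <see cref="HandleUnauthorizedRequest"/>.
        /// </summary>
        /// <param name="filterContext">Context of the request being authorized.</param>
        /// <exception cref="ArgumentNullException"><paramref name="filterContext"/> is null.</exception>
        /// <remarks>
        /// NOTE(review): this override replaces the base OnAuthorization entirely, so
        /// whatever the base class does there (in current MVC versions, honouring
        /// [AllowAnonymous] and re-validating output-cached responses) does not run.
        /// Overriding AuthorizeCore instead keeps that behaviour; confirm against
        /// the MVC version in use.
        /// </remarks>
        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            if (filterContext == null)
            {
                throw new ArgumentNullException(nameof(filterContext));
            }

            if (!Authorize(filterContext))
            {
                HandleUnauthorizedRequest(filterContext);
            }
        }

        /// <summary>
        /// Delegates to the base class to produce the unauthorized result.
        /// </summary>
        /// <param name="filterContext">Context of the rejected request.</param>
        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            base.HandleUnauthorizedRequest(filterContext);
        }

        /// <summary>
        /// Validates the request's token against the repository.
        /// </summary>
        /// <param name="actionContext">Context whose HTTP request is inspected.</param>
        /// <returns>
        /// true when the repository accepts the token for this IP and User-Agent;
        /// false when the token is missing, rejected, or validation throws.
        /// </returns>
        private bool Authorize(AuthorizationContext actionContext)
        {
            try
            {
                HttpRequestBase request = actionContext.RequestContext.HttpContext.Request;

                // Request.Params merges query string, form fields, cookies and server
                // variables. A token sent in the query string ends up in server logs,
                // browser history and Referer headers; a request header is a safer carrier.
                string token = request.Params[_securityToken];
                if (string.IsNullOrEmpty(token))
                {
                    // No credential presented: deny without consulting the repository.
                    return false;
                }

                // NOTE(review): User-Agent is chosen by the client, and the address
                // GetIP returns depends on how it treats proxies (not visible here),
                // so these bindings add little on top of the token itself.
                string ip = _repository.GetIP(request);

                return _repository.IsTokenValid(token, ip, request.UserAgent);
            }
            catch (Exception)
            {
                // Fail closed: any error during validation denies the request.
                // NOTE(review): the exception is discarded; logging it would make a
                // repository outage distinguishable from a bad token.
                return false;
            }
        }
    }
}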

Here's the code for the action that gets all the countries. The [RESTAuthorize] attribute on it is being ignored:

[RESTAuthorize]
[HttpGet]
public IEnumerable<dtoCountry> GetAllCountry()
{
    // Returns every country from the repository, materialized as a list.
    // Failures are translated to an HTTP status: UnauthorizedAccessException
    // becomes 401, any other exception becomes 500.
    // NOTE(review): HttpResponseException is a Web API type, which suggests this
    // action runs in the Web API pipeline; an MVC-based [RESTAuthorize] would
    // not be invoked there, leaving this endpoint without an authorization check.
    try
    {
        var countries = _repository.GetAllCountry();
        return countries.ToList();
    }
    catch (Exception error)
    {
        HttpStatusCode status = error is UnauthorizedAccessException
            ? HttpStatusCode.Unauthorized
            : HttpStatusCode.InternalServerError;

        throw new HttpResponseException(status);
    }
}

回答1:


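Your attribute derives from System.Web.Mvc.AuthorizeAttribute, which is an MVC filter. If the action is a Web API action (it throws HttpResponseException, which suggests so), Web API only runs filters from the System.Web.Http namespaces, so the MVC attribute is silently skipped. Assuming that you derive from System.Web.Http.AuthorizeAttribute instead, you need to override the method: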

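protected override bool IsAuthorized(HttpActionContext actionContext)
{
    // Return true only when the request has been positively validated.
    // Until that check is written, deny: an authorization stub should fail
    // closed rather than let requests through.
    return false;
}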

I believe that calling OnAuthorization is not necessary (but you can keep it if you need it), so your code example would look like this:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Http;
using System.Web.Http.Controllers;

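namespace MyWebsite.API.Attributes
{
    /// <summary>
    /// Web API authorization filter skeleton. The base class is resolved through
    /// <c>using System.Web.Http</c>, so Web API invokes it for decorated actions.
    /// </summary>
    public class RESTAuthorizeAttribute : AuthorizeAttribute
    {
        // Name of the request parameter that carries the security token.
        private const string _securityToken = "token";

        // Set once in the constructor; readonly so it cannot be swapped afterwards.
        private readonly ISecurityRepository _repository;

        /// <summary>
        /// Creates the filter with the default <c>SecurityRepository</c>. Attribute
        /// syntax can only use this parameterless constructor.
        /// </summary>
        public RESTAuthorizeAttribute()
            : this(new SecurityRepository())
        {
        }

        /// <summary>
        /// Creates the filter with an explicit repository.
        /// </summary>
        /// <param name="repository">Repository intended for token validation.</param>
        public RESTAuthorizeAttribute(ISecurityRepository repository)
        {
            _repository = repository;
        }

        /// <summary>
        /// Decides whether the request is accepted. The base OnAuthorization calls
        /// this method, so OnAuthorization does not need to be overridden.
        /// </summary>
        /// <param name="actionContext">Context of the Web API request being authorized.</param>
        /// <returns>true to accept the request; false to reject it.</returns>
        protected override bool IsAuthorized(HttpActionContext actionContext)
        {
            // TODO: read the _securityToken parameter from the request and return
            // the result of validating it through _repository.
            // Until that is implemented the filter fails closed: every request is
            // rejected rather than silently allowed.
            return false;
        }
    }
}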



回答2:


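 /// <summary>
 /// Web API authorization filter that accepts a request only when
 /// ValidatingTokens.IsTokenValid approves its "token" parameter together with
 /// the caller's IP address and User-Agent.
 /// </summary>
 public class Authorizetest : System.Web.Http.AuthorizeAttribute
{
    // Name of the request parameter that carries the security token.
    private const string _securityToken = "token";

    /// <summary>
    /// Lets the request through when the token validates; otherwise hands it to
    /// <see cref="HandleUnauthorizedRequest"/>.
    /// </summary>
    /// <param name="actionContext">Context of the request being authorized.</param>
    /// <exception cref="ArgumentNullException"><paramref name="actionContext"/> is null.</exception>
    /// <remarks>
    /// NOTE(review): this override replaces the base OnAuthorization, so the base
    /// class's [AllowAnonymous] handling does not run. Overriding IsAuthorized
    /// instead would keep it; confirm which behaviour is wanted.
    /// </remarks>
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        if (actionContext == null)
        {
            throw new ArgumentNullException(nameof(actionContext));
        }

        if (!Authorize(actionContext))
        {
            HandleUnauthorizedRequest(actionContext);
        }
    }

    /// <summary>
    /// Delegates to the base class to produce the unauthorized response.
    /// </summary>
    /// <param name="actionContext">Context of the rejected request.</param>
    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        base.HandleUnauthorizedRequest(actionContext);
    }

    /// <summary>
    /// Validates the current request's token.
    /// </summary>
    /// <param name="actionContext">Not read; the request is taken from HttpContext.Current.</param>
    /// <returns>
    /// true when the token is accepted for this IP and User-Agent; false when the
    /// token is missing, rejected, or validation throws.
    /// </returns>
    private bool Authorize(HttpActionContext actionContext)
    {
        try
        {
            // HttpContext.Current is null outside an ASP.NET-hosted request; the
            // wrapper constructor then throws and the catch below denies the request.
            var context = new HttpContextWrapper(HttpContext.Current);
            HttpRequestBase request = context.Request;

            // Request.Params merges query string, form fields, cookies and server
            // variables. A token sent in the query string ends up in server logs,
            // browser history and Referer headers; a request header is a safer carrier.
            string token = request.Params[_securityToken];
            if (string.IsNullOrEmpty(token))
            {
                // No credential presented: deny without running validation.
                return false;
            }

            // NOTE(review): User-Agent is chosen by the client, and the address
            // GetIP returns depends on how it treats proxies (not visible here).
            return ValidatingTokens.IsTokenValid(
                token,
                CommonManager.GetIP(request),
                request.UserAgent);
        }
        catch (Exception)
        {
            // Fail closed: any error during validation denies the request.
            // NOTE(review): the exception is discarded; logging it would make a
            // validation outage distinguishable from a bad token.
            return false;
        }
    }
}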


来源:https://stackoverflow.com/questions/37371667/asp-net-mvc-custom-filters-restauthorize-is-ignored
