我有一个使用基本身份验证的ASP MVC3 restful服务.搜索堆栈溢出后,我创建了以下代码.
- public class BasicAuthentication : ActionFilterAttribute
- {
- public override void OnActionExecuting(ActionExecutingContext filterContext)
- {
- var req = filterContext.HttpContext.Request;
- if (String.IsNullOrEmpty(req.Headers["Authorization"]))
- {
- filterContext.Result = new HttpNotFoundResult();
- }
- else
- {
- var credentials = System.Text.ASCIIEncoding.ASCII
- .GetString(Convert.FromBase64String(req.Headers["Authorization"].Substring(6)))
- .Split(':');
- var user = new { Name = credentials[0],Password = credentials[1] };
- if(!(user.Name == "username" && user.Password == "passwords"))
- {
- filterContext.Result = new HttpNotFoundResult();
- }
- }
- }
- }
1)ActionFilterAttribute是最好的方法吗?
2)设置filterContext.Result是否正确拒绝访问控制器方法?
3)我有什么问题吗?
谢谢.
-缺口
解决方法
1)ActionFilterAttribute是最好的方法吗?
我想是这样.此方法反映了内置Authorize属性的实现.
我想是这样.此方法反映了内置Authorize属性的实现.
2)设置filterContext.Result是否正确拒绝访问控制器方法?
是.多数民众赞成在那里. (1)
3)我有什么问题吗?
>您假设Authorization标头的内容位于
格式正确,编码正确.
>您认为该请求是用于基本身份验证而不是任何请求
其他认证方案.
>我更愿意使用HttpUnauthorizedResult()发送一个http
通过HttpNotFoundResult()发生401错误而不是http 404错误.
下面是我的代码实现(我肯定也有它的问题).
- public override void OnActionExecuting(ActionExecutingContext filterContext)
- {
- try
- {
- if (String.IsNullOrEmpty(filterContext.HttpContext.Request.Headers["Authorization"]))
- {
- filterContext.Result = new HttpUnauthorizedResult();
- }
- else
- {
- if (filterContext.HttpContext.Request.Headers["Authorization"].StartsWith("Basic ",StringComparison.InvariantCultureIgnoreCase))
- {
- string[] credentials = ASCIIEncoding.ASCII.GetString(Convert.FromBase64String(filterContext.HttpContext.Request.Headers["Authorization"].Substring(6))).Split(':');
- if (credentials.Length == 2)
- {
- if (String.IsNullOrEmpty(credentials[0]))
- {
- filterContext.Result = new HttpUnauthorizedResult();
- }
- else if (!(credentials[0] == "username" && credentials[1] == "passwords"))
- {
- filterContext.Result = new HttpUnauthorizedResult();
- }
- }
- else
- {
- filterContext.Result = new HttpUnauthorizedResult();
- }
- }
- else
- {
- filterContext.Result = new HttpUnauthorizedResult();
- }
- }
- base.OnActionExecuting(filterContext);
- }
- catch
- {
- filterContext.Result = new HttpUnauthorizedResult();
- }
- }
笔记
>我没有包含用户名和密码的非法字符检查.
>我无法解决如何实现异常处理的问题,所以我简单易行.
参考