解密授权令牌后,Web API授权不起作用通过RSA私钥并更改或添加授权头处理程序

时间:2015-05-19 08:21:46

标签: encryption asp.net-web-api rsa

消息处理程序:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Net.Http;
using System.Net;
using System.Threading.Tasks;
using System.Threading;
using WebAPI.RSA;
using System.Net.Http.Headers;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.AspNet.Identity.EntityFramework;

namespace WebAPI.Handler
 {
   public class TokenInspector : DelegatingHandler
   {
      RSAClass RSAObject = new RSAClass();
      string token;


      protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
      {
        string HEADER_NAME = "X-Token";

         HttpRequestMessage Header = new HttpRequestMessage();


        if (request.Headers.Contains(HEADER_NAME))
        {

            string encryptedToken = request.Headers.GetValues(HEADER_NAME).First();
            try
            {
                token = RSAObject.DecryptByPrivKey(encryptedToken);
/* Here I decrypt Authorization token by RSA private key. And this token
is encrypted by client end by corresponding public key */

                request.Headers.Remove(HEADER_NAME);
                request.Headers.Add("Authorization", token);

/*Here I remove temporary header(X-Token) from HttpRequestMessage request
message and Add Authorization header */


            }
            catch (Exception ex)
            {
                HttpResponseMessage reply = request.CreateErrorResponse(HttpStatusCode.Unauthorized, "Invalid token. Outer Check");
                return Task.FromResult(reply);
            }
        }
        else
        {
            HttpResponseMessage reply = request.CreateErrorResponse(HttpStatusCode.Unauthorized, "Request is missing authorization token.Outer Check");
            return Task.FromResult(reply);
        }


      var response = base.SendAsync(request, cancellationToken);

/*Here Modified HttpRequestMessage "request" is send to inner handler 
for Authorization by plain text bearer token of Authorization Header" */

        return response;

/* But Get Unauthorized response. Problems occur only when I change or Add
Authorization header at request message but no problem shown when I add accept, content-type etc. headers. I think inner handler "base.SendAsync(request, cancellationToken)" gets Authorization related header information from IIS or Server Module?" */


      }
   }
}

我的Web API配置文件:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Http;
using System.Net.Http.Headers;
using System.Net.Http.Formatting;
using Newtonsoft.Json.Serialization;
using WebAPI.Handler;
using System.Web.Http.Dispatcher;

namespace WebAPI
{
  public static class WebApiConfig
  {
    public static void Register(HttpConfiguration config)
    {
       // Create and instance of TokenInspector setting the default  inner handler
        TokenInspector tokenInspector = new TokenInspector() {  InnerHandler = new HttpControllerDispatcher(config) };



        // Web API routes
   //  config.MapHttpAttributeRoutes();

        config.Routes.MapHttpRoute(
         name: "Tokens",
         routeTemplate: "api/tokens",
        defaults: new { controller = "tokens" }
         );

        config.Routes.MapHttpRoute(
            name: "DefaultApi",
            routeTemplate: "api/{controller}/{id}",
            defaults: new { id = RouteParameter.Optional },
            constraints: null,
            handler: tokenInspector
        );

        config.Formatters.JsonFormatter.SupportedMediaTypes.Add(new MediaTypeHeaderValue("text/html"));

        var jsonFormatter = config.Formatters.OfType<JsonMediaTypeFormatter>().First();
        jsonFormatter.SerializerSettings.ContractResolver = new CamelCasePropertyNamesContractResolver();





       }
    }
 }

我的网络Api控制器:

 using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Net;
 using System.Net.Http;
 using System.Web.Http;

 namespace WebAPI.Controllers
{
  [RoutePrefix("api/Orders")]
 public class OrdersController : ApiController
  {
    public OrdersController()
    {
        //string _access_token=
    }

    [Authorize(Roles = "admin")]
    [Route("")]
    public IHttpActionResult Post()
    {
        return Ok(Order.CreateOrders());
    }


   [Authorize(Roles = "user")]
    [Route("")]
    public IHttpActionResult Get()
    {
        return Ok(Order.CreateOrders());
    }



  }

#region Helpers

public class Order
{
    public int OrderID { get; set; }
    public string CustomerName { get; set; }
    public string ShipperCity { get; set; }
    public Boolean IsShipped { get; set; }

    public static List<Order> CreateOrders()
    {
        List<Order> OrderList = new List<Order> 
        {
            new Order {OrderID = 10248, CustomerName = "Taiseer Joudeh", ShipperCity = "Amman", IsShipped = true },
            new Order {OrderID = 10249, CustomerName = "Ahmad Hasan", ShipperCity = "Dubai", IsShipped = false},`enter code here`
            new Order {OrderID = 10250,CustomerName = "Tamer Yaser", ShipperCity = "Jeddah", IsShipped = false },
            new Order {OrderID = 10251,CustomerName = "Lina Majed", ShipperCity = "Abu Dhabi", IsShipped = false},
            new Order {OrderID = 10252,CustomerName = "Yasmeen Rami", ShipperCity = "Kuwait", IsShipped = true}
        };

        return OrderList;
      }
  }

 #endregion

}

0 个答案:

没有答案
相关问题
最新问题