Asp.Net WebApi上的自定义授权属性

时间:2012-04-30 05:44:32

标签: c# asp.net-web-api restful-authentication

在 ASP.NET Web API 中授权用户时,如何把结果返回给调用方?我尝试重写授权属性上的 OnAuthorize,但该方法的返回类型是 'void',因此无法返回任何值;还是说我应该把想要返回的值作为响应头附加到响应中?

这是我想要实现的目标:

  1. 用户传递api密钥和共享密钥
  2. 当用户授权时,自定义属性将返回用户的ID和名称
  3. 该 Id 随后将作为参数传递给 REST 方法

1 个答案:

答案 0 :(得分:4)

此代码示例可能会对您有所帮助。

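/// <summary>
/// Authorizes a request from the "email" and "authenticationToken" request headers.
/// A failed check short-circuits the pipeline with an error response that carries an
/// "AuthenticationStatus" and/or "ErrorMessage" header; a successful check lets the
/// controller action run with the caller's identity exposed through the current principal.
/// </summary>
/// <param name="actionContext">Web API action context of the request being authorized.</param>
public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
{
    base.OnAuthorization(actionContext);
    // If the base filter already rejected the request (an AuthorizeAttribute base sets a 401 when
    // the principal is not authenticated), keep that decision instead of overwriting it below.
    if (actionContext.Response != null)
    {
        return;
    }

    // HttpHeaders.GetValues throws InvalidOperationException when the header is absent, so the
    // original "!= null" guard never protected anything; TryGetValues is used via GetHeaderValue.
    string email = GetHeaderValue(actionContext, "email");
    if (string.IsNullOrEmpty(email))
    {
        Reject(actionContext, HttpStatusCode.PreconditionFailed, null, "Please provide email address");
        return;
    }

    string authenticationToken = GetHeaderValue(actionContext, "authenticationToken");
    if (string.IsNullOrEmpty(authenticationToken))
    {
        Reject(actionContext, HttpStatusCode.PreconditionFailed, null, "Please provide authentication token");
        return;
    }

    IManageUsers manageUser = new ManageUsers();
    User user = manageUser.GetByEmail(email);
    if (user == null)
    {
        // NOTE(review): a distinct status/message for an unknown address lets a caller enumerate
        // registered e-mail addresses; consider collapsing this and the invalid-token case into
        // one generic 403 if that matters for this deployment.
        Reject(actionContext, HttpStatusCode.PreconditionFailed, null, "Email does not exist");
        return;
    }

    // User exists but has not completed authentication (activation).
    if (user.AuthenticationStatus != AuthenticationStatus.Authenticated)
    {
        Reject(actionContext, HttpStatusCode.Forbidden, "NotAuthenticated", null);
        return;
    }

    // The persisted token is encrypted with the user's key/IV before comparison, as in the original
    // design. The comparison is fixed-time so response timing does not reveal how many leading
    // characters of the submitted token were correct.
    string expectedToken = manageUser.EncryptAuthenticationTokenAes(user.AuthorizationToken, user.Key, user.IV);
    if (!FixedTimeEquals(authenticationToken, expectedToken))
    {
        // The submitted e-mail and token are deliberately NOT echoed back in response headers:
        // reflecting a credential into the response only widens where it can leak (logs, proxies).
        Reject(actionContext, HttpStatusCode.Forbidden, "NotAuthorized", "Invalid token");
        return;
    }

    // Success. Do NOT assign actionContext.Response here: a non-null Response in OnAuthorization
    // short-circuits the pipeline and the controller action never executes (the original returned
    // an empty 200 instead of running the action). Expose the identity to the action instead; the
    // action can read it as User.Identity.Name.
    // NOTE(review): the User type's id/name members are not visible here, so the e-mail is used as
    // the identity name — swap in the user's id if that is what the actions need.
    System.Threading.Thread.CurrentPrincipal = new System.Security.Principal.GenericPrincipal(
        new System.Security.Principal.GenericIdentity(email), new string[0]);
    if (HttpContext.Current != null)
    {
        // HttpContext.Current is null under self-hosting; only touch it when web-hosted.
        HttpContext.Current.User = System.Threading.Thread.CurrentPrincipal;
        HttpContext.Current.Response.AddHeader("AuthenticationStatus", "Authorized");
    }
}

/// <summary>
/// Returns the first value of the named request header, or null when the header is absent.
/// </summary>
/// <param name="actionContext">Action context whose request headers are read.</param>
/// <param name="name">Header name to look up.</param>
/// <returns>The first header value, or null.</returns>
private static string GetHeaderValue(System.Web.Http.Controllers.HttpActionContext actionContext, string name)
{
    System.Collections.Generic.IEnumerable<string> values;
    if (!actionContext.Request.Headers.TryGetValues(name, out values))
    {
        return null;
    }
    return values.FirstOrDefault();
}

/// <summary>
/// Short-circuits the request with the given status code and optional diagnostic headers.
/// </summary>
/// <param name="actionContext">Action context to set the response on.</param>
/// <param name="status">HTTP status code of the rejection.</param>
/// <param name="authenticationStatus">Value for the "AuthenticationStatus" header, or null to omit it.</param>
/// <param name="errorMessage">Value for the "ErrorMessage" header, or null to omit it.</param>
private static void Reject(System.Web.Http.Controllers.HttpActionContext actionContext, HttpStatusCode status, string authenticationStatus, string errorMessage)
{
    var response = actionContext.Request.CreateResponse(status);
    // Headers are placed on the HttpResponseMessage that Web API actually sends rather than on
    // HttpContext.Current.Response, which is null when self-hosted.
    if (authenticationStatus != null)
    {
        response.Headers.Add("AuthenticationStatus", authenticationStatus);
    }
    if (errorMessage != null)
    {
        response.Headers.Add("ErrorMessage", errorMessage);
    }
    actionContext.Response = response;
}

/// <summary>
/// Compares two strings for ordinal equality in time that depends only on their length,
/// never on where the first differing character is.
/// </summary>
/// <param name="a">First string; null never matches.</param>
/// <param name="b">Second string; null never matches.</param>
/// <returns>True when both are non-null and identical.</returns>
private static bool FixedTimeEquals(string a, string b)
{
    if (a == null || b == null || a.Length != b.Length)
    {
        return false;
    }
    int diff = 0;
    for (int i = 0; i < a.Length; i++)
    {
        // OR-accumulate the XOR of every character so no early exit leaks the mismatch position.
        diff |= a[i] ^ b[i];
    }
    return diff == 0;
}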