有没有办法要求WebApi使用SSL?属性?
我在System.Web.Http下没有看到适用的属性,类似于我们对MVC的RequireHttps属性。我只是试图避免在有内置解决方案的情况下滚动我自己的属性/消息处理程序。
答案 0 :(得分:51)
public class RequireHttpsAttribute : ActionFilterAttribute
{
public override void OnActionExecuting(HttpActionContext actionContext)
{
if (actionContext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
{
actionContext.Response = new HttpResponseMessage(HttpStatusCode.Forbidden);
}
}
}
答案 1 :(得分:45)
您可以使用WebAPIContrib项目中的RequireHttpsHandler。基本上,它只是检查传入的请求URI方案:
if (request.RequestUri.Scheme != Uri.UriSchemeHttps)
{
// Forbidden (or do a redirect)...
}
另外,Carlos Figueira在他的MSDN博客上有another implementation。
答案 2 :(得分:20)
令人费解的是,ASP.NET Web API中没有与ASP.NET MVC RequireHttps属性等效的内容。但是,您可以根据MVC中的RequireHttps轻松创建一个。
using System;
using System.Net.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
...
public class RequireHttpsAttribute : AuthorizationFilterAttribute
{
public override void OnAuthorization(HttpActionContext actionContext)
{
if (actionContext == null)
{
throw new ArgumentNullException("actionContext");
}
if (actionContext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
{
HandleNonHttpsRequest(actionContext);
}
else
{
base.OnAuthorization(actionContext);
}
}
protected virtual void HandleNonHttpsRequest(HttpActionContext actionContext)
{
actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.Forbidden);
actionContext.Response.ReasonPhrase = "SSL Required";
}
}
剩下要做的就是争论有多少冗余代码。
答案 3 :(得分:2)
您可以使用以下过滤器类来强制您的操作方法使用SSL,这将处理您的请求,无论是GET方法还是任何其他动词,如果它是一个get方法,它将重定向浏览器(使用位置标头)到新的URI。 否则,将显示一条消息以使用https
下面的代码显示您必须在从AuthorizationFilterAttribute继承后重写OnAuthorization方法。
string _HtmlBody = string.Empty;
UriBuilder httpsNewUri;
var _Request = actionContext.Request;
if (_Request.RequestUri.Scheme != Uri.UriSchemeHttps )
{
_HtmlBody = "<p>Https is required</p>";
if (_Request.Method.Method == "GET"){
actionContext.Response = _Request.CreateResponse(HttpStatusCode.Found);
actionContext.Response.Content = new StringContent(_HtmlBody, Encoding.UTF8, "text/html");
httpsNewUri = new UriBuilder(_Request.RequestUri);
httpsNewUri.Scheme = Uri.UriSchemeHttps;
httpsNewUri.Port = 443;
//To ask a web browser to load a different web page with the same URI but different scheme and port
actionContext.Response.Headers.Location = httpsNewUri.Uri;
}else{
actionContext.Response = _Request.CreateResponse(HttpStatusCode.NotFound);
actionContext.Response.Content = new StringContent(_HtmlBody, Encoding.UTF8, "text/html");
}
}
答案 4 :(得分:1)
您可以使用以下代码; (基于http的请求时,(自动重定向到https)重定向到https。
要在visual studio中进行检查,您需要在visual studio中启用ssl。这可以使用enable ssl属性为true来完成。
curl localhost在这样的注册方法中使用它
public class RequireHttpsAttribute: AuthorizationFilterAttribute
{
public override void OnAuthorization(HttpActionContext actionContext)
{
if(actionContext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
{
// constructing the https url
var uriBuilder = new UriBuilder(actionContext.Request.RequestUri)
{
Scheme = Uri.UriSchemeHttps,
Port = 44353 // port used in visual studio for this
};
actionContext.Response.Headers.Location = uriBuilder.Uri;
}
}
}
答案 5 :(得分:1)
public class RequireHttpsAttribute : AuthorizationFilterAttribute
{
public override void OnAuthorization(HttpActionContext context)
{
if (context.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
{
context.Response = new HttpResponseMessage(HttpStatusCode.UpgradeRequired);
context.Response.Headers.Add("Upgrade", "TLS/1.1, HTTP/1.1");
context.Response.Headers.Add("Connection", "Upgrade");
context.Response.Headers.Remove("Content-Type");
context.Response.Headers.Add("Content-Type", "text/html");
context.Response.Content = new StringContent("<html><head></head><body><h1>Http protocol is not valid for this service call.</h1><h3>Please use the secure protocol https.</h3></body></html>");
}
else base.OnAuthorization(context);
}
}
以下是规范:RFC 2817