public override void OnActionExecuting(HttpActionContext actionContext)
{
if (!actionContext.Request.Headers
.Any(header => header.Key == "AuthorizationHeader"))
{
if (this.IsAnonymousAllowed(actionContext) == false)
{
actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized, "Un Autherized");
}
}
else
{
string token = actionContext.Request.Headers
.Where(header => header.Key == "AuthorizationHeader")
.First().Value.First();
if (this.IsAnonymousAllowed(actionContext) == true)
{
return;
}
string passPhrase = System.Configuration.ConfigurationSettings.AppSettings["PassPhrase"];
string ticket_string = Crypto.Decrypt(token, passPhrase);
TicketData ticket = JsonConvert.DeserializeObject<TicketData>(ticket_string);
if (ticket == null || ticket.Expiration < DateTime.Now)
{
actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized, "UnAuthorized");
}
else
{
OurIdentity identity = (OurIdentity)ticket.TokenData.OurIdentity;
System.Threading.Thread.CurrentPrincipal = new OurPrincipal
{
OurIdentity = identity,
};
}
}
}
答案 0 :(得分:0)
您在本地存储中保存用户名和密码是对的。将它保存在客户端的任何地方都是不好的。
通常生成令牌并将其放入cookie中。该令牌对应于服务器上的记录,在会话日志或数据库中。
我强烈建议您使用现有方法,例如OAUTH Bearer tokens in this tutorial。
答案 1 :(得分:0)
据我所知,如果你要存储一个哈希(可能带有一个用于额外保护的盐),那么存储凭证并不是很糟糕。无论如何,这些都必须存储在某一天的某个地方。