C#Web API方法返回403 Forbidden

时间:2015-06-18 14:09:44

标签: c# asp.net-web-api hmac

解决!!! - 见最后编辑。

在我的MVC应用程序中,我使用HMAC Authentication Filterign调用Web API服务。我的Get(GetMultipleItemsRequest)有效,但我的帖子没有。如果我关闭HMAC身份验证过滤,所有这些都可以正常工作。我不确定为什么POSTS不起作用,但GET确实如此。

我从我的代码中进行GET调用(这个有效):

var productsClient = new RestClient<Role>(System.Configuration.ConfigurationManager.AppSettings["WebApiUrl"],
              "xxxxxxxxxxxxxxx", true);

var getManyResult = productsClient.GetMultipleItemsRequest("api/Role").Result;

我从我的代码中发出POST调用(这个只在我关闭HMAC时才有效):

private RestClient<Profile> profileClient = new RestClient<Profile>(System.Configuration.ConfigurationManager.AppSettings["WebApiUrl"],
        "xxxxxxxxxxxxxxx", true);

[HttpPost]
public ActionResult ProfileImport(IEnumerable<HttpPostedFileBase> files)
{
    //...
    var postResult = profileClient.PostRequest("api/Profile", newProfile).Result;
}

我的RestClient构建如下:

public class RestClient<T> where T : class
{
   //...

   private void SetupClient(HttpClient client, string methodName, string apiUrl, T content = null)
    {
        const string secretTokenName = "SecretToken";

        client.BaseAddress = new Uri(_baseAddress);
        client.DefaultRequestHeaders.Accept.Clear();
        client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

        if (_hmacSecret)
        {
            client.DefaultRequestHeaders.Date = DateTime.UtcNow;

            var datePart = client.DefaultRequestHeaders.Date.Value.UtcDateTime.ToString(CultureInfo.InvariantCulture);
            var fullUri = _baseAddress + apiUrl;
            var contentMD5 = "";

            if (content != null)
            {
                var json = new JavaScriptSerializer().Serialize(content);
                contentMD5 = Hashing.GetHashMD5OfString(json); // <--- Javascript serialized version is hashed
            }

            var messageRepresentation = 
                methodName + "\n" + 
                contentMD5 + "\n" +
                datePart + "\n" + 
                fullUri;

            var sharedSecretValue = ConfigurationManager.AppSettings[_sharedSecretName];
            var hmac = Hashing.GetHashHMACSHA256OfString(messageRepresentation, sharedSecretValue);

            client.DefaultRequestHeaders.Add(secretTokenName, hmac);
        }
        else if (!string.IsNullOrWhiteSpace(_sharedSecretName))
        {
            var sharedSecretValue = ConfigurationManager.AppSettings[_sharedSecretName];
            client.DefaultRequestHeaders.Add(secretTokenName, sharedSecretValue);
        }
    }

    public async Task<T[]> GetMultipleItemsRequest(string apiUrl)
    {
        T[] result = null;

        try
        {               
            using (var client = new HttpClient())
            {
                SetupClient(client, "GET", apiUrl);

                var response = await client.GetAsync(apiUrl).ConfigureAwait(false);

                response.EnsureSuccessStatusCode();

                await response.Content.ReadAsStringAsync().ContinueWith((Task<string> x) =>
                {
                    if (x.IsFaulted)
                        throw x.Exception;

                    result = JsonConvert.DeserializeObject<T[]>(x.Result);
                });
            }
        }
        catch (HttpRequestException exception)
        {
            if (exception.Message.Contains("401 (Unauthorized)"))
            {

            }
            else if (exception.Message.Contains("403 (Forbidden)"))
            {

            }
        }
        catch (Exception)
        {
        }

        return result;
    }

    public async Task<T> PostRequest(string apiUrl, T postObject)
    {
        T result = null;
        try
        {               
            using (var client = new HttpClient())
            {
                SetupClient(client, "POST", apiUrl, postObject);

                var response = await client.PostAsync(apiUrl, postObject, new JsonMediaTypeFormatter()).ConfigureAwait(false); //<--- not javascript formatted

                response.EnsureSuccessStatusCode();

                await response.Content.ReadAsStringAsync().ContinueWith((Task<string> x) =>
                {
                    if (x.IsFaulted)
                        throw x.Exception;

                    result = JsonConvert.DeserializeObject<T>(x.Result);

                });
            }
        }
        catch (HttpRequestException exception)
        {
            if (exception.Message.Contains("401 (Unauthorized)"))
            {

            }
            else if (exception.Message.Contains("403 (Forbidden)"))
            {

            }
        }
        catch (Exception)
        {
        }

        return result;
    }

   //...

}

我的Web API控制器定义如下:

[SecretAuthenticationFilter(SharedSecretName = "xxxxxxxxxxxxxxx", HmacSecret = true)]      
public class ProfileController : ApiController
{

    [HttpPost]
    [ResponseType(typeof(Profile))]
    public IHttpActionResult PostProfile(Profile Profile)
    {
        if (!ModelState.IsValid)
        {
            return BadRequest(ModelState);
        }
        GuidValue = Guid.NewGuid(); 

        Resource res = new Resource();
        res.ResourceId = GuidValue;
        var data23 = Resourceservices.Insert(res);

        Profile.ProfileId = data23.ResourceId;
        _profileservices.Insert(Profile);

        return CreatedAtRoute("DefaultApi", new { id = Profile.ProfileId }, Profile);
    }

}

以下是SecretAuthenticationFilter所做的一些事情:

//now try to read the content as string
string content = actionContext.Request.Content.ReadAsStringAsync().Result;
var contentMD5 = content == "" ? "" : Hashing.GetHashMD5OfString(content); //<-- Hashing the non-JavaScriptSerialized
var datePart = "";
var requestDate = DateTime.Now.AddDays(-2);
if (actionContext.Request.Headers.Date != null)
{
    requestDate = actionContext.Request.Headers.Date.Value.UtcDateTime;
    datePart = requestDate.ToString(CultureInfo.InvariantCulture);
}
var methodName = actionContext.Request.Method.Method;
var fullUri = actionContext.Request.RequestUri.ToString();

var messageRepresentation =
    methodName + "\n" +
    contentMD5 + "\n" +
    datePart + "\n" +
    fullUri;

var expectedValue = Hashing.GetHashHMACSHA256OfString(messageRepresentation, sharedSecretValue);

// Are the hmacs the same, and have we received it within +/- 5 mins (sending and
// receiving servers may not have exactly the same time)
if (messageSecretValue == expectedValue
    && requestDate > DateTime.UtcNow.AddMinutes(-5)
    && requestDate < DateTime.UtcNow.AddMinutes(5))
    goodRequest = true;

知道HMAC为什么不为POST工作?

编辑:
当SecretAuthenticationFilter尝试比较发送的HMAC时,它认为HMAC应该是他们不匹配的。原因是内容的MD5Hash与所接收内容的MD5Hash不匹配。 RestClient使用JavaScriptSerializer.Serialized版本的内容散列内容,但PostRequest将对象作为JsonMediaTypeFormatted传递。

这两种类型的格式不同。例如,JavaScriptSerializer给出了这样的日期: \&#34; EnteredDate \&#34;:\&#34; \ /日期(1434642998639)\ / \&#34;

传递的内容包含以下日期: \&#34; EnteredDate \&#34;:\&#34; 2015-06-18T11:56:38.6390407-04:00 \&#34;

我想我需要哈希使用相同的数据传递,所以另一端的过滤器可以正确确认。想法?

编辑: 找到答案,我需要使用以下行更改SetupClient代码:

var json = new JavaScriptSerializer().Serialize(content);
contentMD5 = Hashing.GetHashMD5OfString(json);

使用它:

var json = JsonConvert.SerializeObject(content);
contentMD5 = Hashing.GetHashMD5OfString(json);

现在发送的内容(通过JSON格式化)将与散列内容匹配。

我不是最初编写此代码的人。 :)

1 个答案:

答案 0 :(得分:0)

找到答案,我需要使用以下行更改SetupClient代码:

var json = new JavaScriptSerializer().Serialize(content);
contentMD5 = Hashing.GetHashMD5OfString(json);

使用它:

var json = JsonConvert.SerializeObject(content);
contentMD5 = Hashing.GetHashMD5OfString(json);

现在,用于哈希的内容将被格式化为JSON,并将匹配发送的内容(也通过JSON格式化)。

相关问题
最新问题