我想为API调用实现自定义加密中间件。首先,我读取请求正文(IOwinContext.Request.Body)和标题(加密密钥和签名)。然后,我解密请求正文,它给了我纯粹的json字符串。现在来了一个棘手的部分:我想把这个json写回IOwinContextRequest.Body,因此它可以被反序列化为object,后来作为Controller方法的参数传递。这是我的所作所为:
启动:
public partial class Startup
{
public void Configuration(IAppBuilder app)
{
app.Use(typeof(EncryptionMiddleware));
...
}
}
中间件:
public class EncryptionMiddleware : OwinMiddleware
{
public EncryptionMiddleware(OwinMiddleware next) : base(next)
{
//
}
public async override Task Invoke(IOwinContext context)
{
var request = context.Request;
string json = GetDecryptedJson(context);
MemoryStream stream = new MemoryStream();
stream.Write(json, 0, json.Length);
request.Headers["Content-Lenght"] = json.Lenght.ToString();
request.Body = stream;
await Next.Invoke(context);
}
}
现在,我得到的是这个错误:
System.Web.Extensions.dll!System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializePrimitiveObject() 抛出异常:System.Web.Extensions.dll中的“System.ArgumentException”
Additional information: Invalid JSON primitive: 8yi9OH2JE0H0cwZ.
原始IOwinContext.Request.Body是:
8yi9OH2JE0H0cwZ/fyY5Fks4nW(...omitted...)PvL32AVRjLA==
所以我假设你不能以这种方式改变请求体。为了测试这个,我重写了这样的中间件:
public async override Task Invoke(IOwinContext context)
{
var request = context.Request;
string requestBody = new StreamReader(request.Body).ReadToEnd();
Debug.WriteLine(requestBody); // Prints "ORIGINAL BODY"
string newBody = "\"newBody\"";
MemoryStream memStream = new MemoryStream(Encoding.UTF8.GetBytes(newBody));
request.Headers["Content-Length"] = newBody.Length.ToString();
request.Body = memStream;
await Next.Invoke(context);
}
现在我认为Controller方法应该接收“ORIGINAL BODY”而不是“newBody”,但实际上我遇到了这个错误:
System.dll中!System.Diagnostics.PerformanceCounter.InitializeImpl() 抛出异常:System.dll中的“System.InvalidOperationException”
附加信息:请求的性能计数器不是 自定义计数器,它必须初始化为ReadOnly。
问题是:我的做法出了什么问题?重写请求体的正确方法是什么?有没有足够的解决方法? BTW:对数据的解密进行了测试并且完美无缺,因此错误不应该源于那里。
编辑:在您回答/评论之前,已经使用了TLS。这是另一层安全。我不是在重新发明轮子。我正在添加一个新的。
答案 0 :(得分:4)
我创建了一些中间件来测试在OWIN管道中改变OWIN Request.Body
public class DecryptionMiddleWare : OwinMiddleware {
private string expected;
private string decryptedString;
public DecryptionMiddleWare(OwinMiddleware next, string expected, string decryptedString)
: base(next) {
this.expected = expected;
this.decryptedString = decryptedString;
}
public async override System.Threading.Tasks.Task Invoke(IOwinContext context) {
await DecryptRequest(context);
await Next.Invoke(context);
}
private async Task DecryptRequest(IOwinContext context) {
var request = context.Request;
var requestBody = new StreamReader(request.Body).ReadToEnd();
Assert.AreEqual(expected, requestBody);
//Fake decryption code
if (expected == requestBody) {
//replace request stream to downstream handlers
var decryptedContent = new StringContent(decryptedString, Encoding.UTF8, "application/json");
var requestStream = await decryptedContent.ReadAsStreamAsync();
request.Body = requestStream;
}
}
}
public class AnotherCustomMiddleWare : OwinMiddleware {
private string expected;
private string responseContent;
public AnotherCustomMiddleWare(OwinMiddleware next, string expected, string responseContent)
: base(next) {
this.expected = expected;
this.responseContent = responseContent;
}
public async override System.Threading.Tasks.Task Invoke(IOwinContext context) {
var request = context.Request;
var requestBody = new StreamReader(request.Body).ReadToEnd();
Assert.AreEqual(expected, requestBody);
var owinResponse = context.Response;
// hold on to original stream
var owinResponseStream = owinResponse.Body;
//buffer the response stream in order to intercept downstream writes
var responseBuffer = new MemoryStream();
owinResponse.Body = responseBuffer;
await Next.Invoke(context);
if (expected == requestBody) {
owinResponse.ContentType = "text/plain";
owinResponse.StatusCode = (int)HttpStatusCode.OK;
owinResponse.ReasonPhrase = HttpStatusCode.OK.ToString();
var customResponseBody = new StringContent(responseContent);
var customResponseStream = await customResponseBody.ReadAsStreamAsync();
await customResponseStream.CopyToAsync(owinResponseStream);
owinResponse.ContentLength = customResponseStream.Length;
owinResponse.Body = owinResponseStream;
}
}
}
然后创建一个内存OWIN集成测试,以查看数据如何通过中间件,测试是否正在接收正确的数据。
[TestMethod]
public async Task Change_OWIN_Request_Body_Test() {
var encryptedContent = "Hello World";
var expectedResponse = "I am working";
using (var server = TestServer.Create<Startup1>()) {
var content = new StringContent(encryptedContent);
var response = await server.HttpClient.PostAsync("/", content);
var result = await response.Content.ReadAsStringAsync();
Assert.AreEqual(expectedResponse, result);
}
}
public class Startup1 {
public void Configuration(IAppBuilder appBuilder) {
var encryptedContent = "Hello World";
var decryptedString = "Hello OWIN";
var expectedResponse = "I am working";
appBuilder.Use<DecryptionMiddleWare>(encryptedContent, decryptedString);
appBuilder.Use<AnotherCustomMiddleWare>(decryptedString, expectedResponse);
}
}
它通过了测试,证明数据可以通过OWIN管道传递。
好的,接下来我想知道它是否适用于web api。所以创建了一个测试api控制器
public class TestController : ApiController {
[HttpPost]
public IHttpActionResult Post([FromBody]string input) {
if (input == "Hello From OWIN")
return Ok("I am working");
return NotFound();
}
}
并配置了一个新的启动来使用web api和自定义解密中间件。
public class Startup2 {
public void Configuration(IAppBuilder appBuilder) {
var encryptedContent = "Hello World";
var decryptedString = "\"Hello From OWIN\"";
appBuilder.Use<DecryptionMiddleWare>(encryptedContent, decryptedString);
//Configure Web API middleware
var config = new HttpConfiguration();
config.Routes.MapHttpRoute(
name: "DefaultApi",
routeTemplate: "api/{controller}/{id}",
defaults: new { id = RouteParameter.Optional }
);
appBuilder.UseWebApi(config);
}
}
这是内存集成测试
[TestMethod]
public async Task Change_OWIN_Request_Body_To_WebApi_Test() {
var encryptedContent = "Hello World";
var expectedResponse = "\"I am working\"";
using (var server = TestServer.Create<Startup2>()) {
var content = new StringContent(encryptedContent, Encoding.UTF8, "application/json");
var response = await server.HttpClient.PostAsync("api/Test", content);
var result = await response.Content.ReadAsStringAsync();
Assert.AreEqual(expectedResponse, result);
}
}
这也过去了。
请查看上面的示例代码,看看它是否能够提供有关您问题中示例错误的信息。
另外请记住确保在web api中间件之前将管道中的早期自定义中间件放入管道。
希望有所帮助
答案 1 :(得分:3)
很久以前我已经解决了这个问题,但只有在@Nkosi的建议之后,我才会发布解决方案。
我所做的是一种解决方法,或者说是#34;桥接&#34;从中间件到动作过滤器。这是代码:
<强>中间件
public class EncryptionMiddleware : OwinMiddleware
{
public EncryptionMiddleware(OwinMiddleware next) : base(next)
{
//
}
public async override Task Invoke(IOwinContext context)
{
var request = context.Request;
string requestBody = new StreamReader(request.Body).ReadToEnd();
var obj = // do your work here
System.Web.HttpContext.Current.Items[OBJECT_ITEM_KEY] = obj;
await Next.Invoke(context);
return;
}
}
过滤
public class EncryptedParameter : ActionFilterAttribute, IActionFilter
{
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
var obj = HttpContext.Current.Items[OBJECT_ITEM_KEY];
HttpContext.Current.Items.Remove(AppConfig.ITEM_DATA_KEY);
if (filterContext.ActionParameters.ContainsKey("data"))
filterContext.ActionParameters["data"] = obj;
}
}
<强>控制器
public class MyController : Controller
{
[HttpPost]
[EncryptedParameter]
public JsonResult MyMethod(MyObject data)
{
// your logic here
}
}