Question

我们的OData端点是自托管的（OWIN）。对于单个请求：创建，更新，修补和删除一切都很好，但问题是当我发送包含多个操作的批处理请求时，我遇到基本授权问题。我看了很多文章，但仍然无法解决问题。在OData文档中，它说：

表示单个请求的每个MIME部分主体不得包含：

• authentication or authorization related HTTP headers

http://docs.oasis-open.org/odata/odata/v4.0/errata03/os/complete/part1-protocol/odata-v4.0-errata03-os-part1-protocol-complete.html#_Toc453752314

所以，如果我将Authorization设置为批处理请求，但是没有批量设置为每个单个请求，那么我在OnAuthorization方法的actionContext.Request.Headers.Authorization中得到null。我的问题是：如何在此批处理中从请求中获取批处理请求的授权标题？

在端点批处理已启用：

HttpConfiguration config = new HttpConfiguration();
var odataBatchHandler = new DefaultODataBatchHandler(new HttpServer(config));
config.MapODataServiceRoute("ODataApi", null, builder.GetEdmModel(), odataBatchHandler);
config.Count().Filter().OrderBy().Expand().MaxTop(null).Select();
appBuilder.UseWebApi(config);

这是授权逻辑：

public class ODataBasicAuthorizeAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
    {
         //Question: here Authorization property is null, because this is Get request for SAStudent
                if (actionContext.Request.Headers.Authorization == null || actionContext.Request.Headers.Authorization.Scheme != "Basic")
                {
                    HandleUnauthorizedRequest(actionContext);
                }
                else
                {
                    ISession session = Login(actionContext.Request);
                    if (session == null)
                    {
                        HandleUnauthorizedRequest(actionContext);
                    }
                    else
                    {
                        IsAuthorized(actionContext);
                    }
                }
    }
}

以下是测试：

    [TestMethod]
        public void BatchRequestTest()
        {
            var odataAddress = "https://localhost:23170/Sample/Sample/OData/";
            var batchUrl = $"{odataAddress}$batch";
            HttpClient http = new HttpClient();
            // Global batch request
            HttpRequestMessage batchRequest = new HttpRequestMessage(HttpMethod.Post, batchUrl);
            batchRequest.Headers.Authorization = new AuthenticationHeaderValue("Basic", "QWRtaW5pc3RyYXRvcjpwdw==");
            MultipartContent batchContent = new MultipartContent("mixed", "batch_" + Guid.NewGuid().ToString());

            var getStudent = new HttpRequestMessage(HttpMethod.Get, $"{odataAddress}SAStudent");
            //getStudent.Headers.Authorization = new AuthenticationHeaderValue("Basic", "QWRtaW5pc3RyYXRvcjpwdw==");
            // First message content with GET request
            HttpMessageContent getRequestContent_1 = new HttpMessageContent(getStudent);
            getRequestContent_1.Headers.Remove("Content-Type");
            getRequestContent_1.Headers.Add("Content-Type", "application/http");
            getRequestContent_1.Headers.Add("Content-Transfer-Encoding", "binary");
            // Add this GET content to the batch content
            batchContent.Add(getRequestContent_1);

            var getPassport = new HttpRequestMessage(HttpMethod.Get, $"{odataAddress}SAPassport");
            //getPassport.Headers.Authorization = new AuthenticationHeaderValue("Basic", "QWRtaW5pc3RyYXRvcjpwdw==");
            // Second message content with GET request
            HttpMessageContent getRequestContent_2 = new HttpMessageContent(getPassport);
            getRequestContent_2.Headers.Remove("Content-Type");
            getRequestContent_2.Headers.Add("Content-Type", "application/http");
            getRequestContent_2.Headers.Add("Content-Transfer-Encoding", "binary");
            // Add this GET content to the batch content
            batchContent.Add(getRequestContent_2);

            // Here we go
            batchRequest.Content = batchContent;
            HttpResponseMessage response = http.SendAsync(batchRequest).Result;
            var responseString = response.Content.ReadAsStringAsync().Result;

}

如果我将批处理请求中的每个请求的授权设置为可行，但似乎不正确，因此仅将授权标头设置为批处理应该有效。

有什么想法吗？

提前致谢，

Answer 1

晚些时候参加聚会，但是最近也有类似的问题，尽管使用Http Cookies进行自定义身份验证。

首先，确保将Web Api和Batch Handler配置为使用相同的HttpServer实例。

HttpConfiguration config = new HttpConfiguration();
HttpServer httpServer = new HttpServer(config);
var odataBatchHandler = new DefaultODataBatchHandler(httpServer);
config.MapODataServiceRoute("ODataApi", null, builder.GetEdmModel(), odataBatchHandler);
config.Count().Filter().OrderBy().Expand().MaxTop(null).Select();
appBuilder.UseWebApi(httpServer);

我发现，没有这个，封闭的$ batch请求中的任何上下文都不可用于每个子请求，因为odata批处理程序正在使用与Web api不同的HttpServer实例。

我现在可以从OwinContext中获取标头以进行自定义身份验证-在您的情况下...

public class ODataBasicAuthorizeAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
    {
        //Question: here Authorization property is null, because this is Get request for SAStudent

        var isBatch = request.Properties.TryGetValue("MS_BatchRequest", out var value) ? (bool)value : default;
        OwinContext owinContext = request.Properties.TryGetValue("MS_OwinContext", out var owinCtxObj) ? (OwinContext)owinCtxObj : default;
        if (isBatch && owinContext != null)
        {
            // adjust your auth logic to use the owin context... my case I needed a cookie, so...
            // var jwtCookieKeyValuePair = owinContext.Request.Cookies.FirstOrDefault(cookie => cookie.Key == "jwt");
        }
        // Keep your existing logic for non-batch odata requests..
        if (actionContext.Request.Headers.Authorization == null || actionContext.Request.Headers.Authorization.Scheme != "Basic")
        {
            HandleUnauthorizedRequest(actionContext);
        }
        else
        {
            ISession session = Login(actionContext.Request);
            if (session == null)
            {
                HandleUnauthorizedRequest(actionContext);
            }
            else
            {
                IsAuthorized(actionContext);
            }
        }
    }
}

对于OP来说，一切都为时已晚，但可能会对某人有所帮助。

OData V4批量请求基本授权

1 个答案: