处理 AuthorizeAttribute 回答
Handle AuthorizeAttribute answer
我确实创建了应该处理 Jwt Bearer 令牌的自定义 AuthorizeAttribute 但问题是 - 现在我收到了所有答案,包括 Ok 状态下的 200 和 401,我应该如何更改它才能接收正确的http状态代码?这是 AuthorizeAttribute 的样子:
public class JwtAuthorizeAttribute : AuthorizeAttribute
{
private readonly string role;
public JwtAuthorizeAttribute()
{
}
public JwtAuthorizeAttribute(string role)
{
this.role = role;
}
protected override bool IsAuthorized(HttpActionContext actionContext)
{
var jwtToken = new JwtToken();
string json = String.Empty;
var ctx = actionContext.Request.GetRequestContext();
if (ctx.Principal.Identity.IsAuthenticated) return true;
if (actionContext.Request.Headers.Contains("Authorization"))
{
try
{
IJsonSerializer serializer = new JsonNetSerializer();
IDateTimeProvider provider = new UtcDateTimeProvider();
IJwtValidator validator = new JwtValidator(serializer, provider);
IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder();
IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder);
json = decoder.Decode(actionContext.Request.Headers.Authorization.Parameter, SiteGlobal.Secret, verify: true);
jwtToken = JsonConvert.DeserializeObject<JwtToken>(json);
if (jwtToken.aud != SiteGlobal.Audience || jwtToken.iss != SiteGlobal.Issuer || role != jwtToken.role)
{
return false;
}
}
catch (TokenExpiredException)
{
return false;
}
catch (SignatureVerificationException)
{
return false;
}
}
else
{
return false;
}
var identity = new ClaimsIdentity("JWT");
identity.AddClaim(new Claim(ClaimTypes.Name, jwtToken.unique_name));
identity.AddClaim(new Claim(ClaimTypes.Role, jwtToken.role));
identity.AddClaim(new Claim("user_id", jwtToken.user_id.ToString()));
actionContext.Request.GetRequestContext().Principal = new ClaimsPrincipal(identity);
return true;
}
}
这是控制器的样子:
[JwtAuthorize("Admin")]
[HttpGet]
[ResponseType(typeof(CatalogueListDto))]
public async Task<IHttpActionResult> Get()
{
var result = await _catalogueService.GetCatalogues();
if (result == null) return BadRequest(ActionAnswer.Failed.CatalogueNotFound);
return Ok(result);
}
我通过遵循过去的一些教程具有类似的属性。如果授权,我不是 return 是真的,但我 return 这个:
return base.IsAuthorized(actionContext);
也许值得检查一下return您的状态代码是否正确。
我确实创建了应该处理 Jwt Bearer 令牌的自定义 AuthorizeAttribute 但问题是 - 现在我收到了所有答案,包括 Ok 状态下的 200 和 401,我应该如何更改它才能接收正确的http状态代码?这是 AuthorizeAttribute 的样子:
public class JwtAuthorizeAttribute : AuthorizeAttribute
{
private readonly string role;
public JwtAuthorizeAttribute()
{
}
public JwtAuthorizeAttribute(string role)
{
this.role = role;
}
protected override bool IsAuthorized(HttpActionContext actionContext)
{
var jwtToken = new JwtToken();
string json = String.Empty;
var ctx = actionContext.Request.GetRequestContext();
if (ctx.Principal.Identity.IsAuthenticated) return true;
if (actionContext.Request.Headers.Contains("Authorization"))
{
try
{
IJsonSerializer serializer = new JsonNetSerializer();
IDateTimeProvider provider = new UtcDateTimeProvider();
IJwtValidator validator = new JwtValidator(serializer, provider);
IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder();
IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder);
json = decoder.Decode(actionContext.Request.Headers.Authorization.Parameter, SiteGlobal.Secret, verify: true);
jwtToken = JsonConvert.DeserializeObject<JwtToken>(json);
if (jwtToken.aud != SiteGlobal.Audience || jwtToken.iss != SiteGlobal.Issuer || role != jwtToken.role)
{
return false;
}
}
catch (TokenExpiredException)
{
return false;
}
catch (SignatureVerificationException)
{
return false;
}
}
else
{
return false;
}
var identity = new ClaimsIdentity("JWT");
identity.AddClaim(new Claim(ClaimTypes.Name, jwtToken.unique_name));
identity.AddClaim(new Claim(ClaimTypes.Role, jwtToken.role));
identity.AddClaim(new Claim("user_id", jwtToken.user_id.ToString()));
actionContext.Request.GetRequestContext().Principal = new ClaimsPrincipal(identity);
return true;
}
}
这是控制器的样子:
[JwtAuthorize("Admin")]
[HttpGet]
[ResponseType(typeof(CatalogueListDto))]
public async Task<IHttpActionResult> Get()
{
var result = await _catalogueService.GetCatalogues();
if (result == null) return BadRequest(ActionAnswer.Failed.CatalogueNotFound);
return Ok(result);
}
我通过遵循过去的一些教程具有类似的属性。如果授权,我不是 return 是真的,但我 return 这个:
return base.IsAuthorized(actionContext);
也许值得检查一下return您的状态代码是否正确。