Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
307 views
in Technique[技术] by (71.8m points)

c# - Should I be using an IAuthorizationFilter if I wish to create an ApiKey restricted resource with ASP.NET MVC4?

I have a few simple routes which I wish to restrict via a simple querystring param. If the key is incorrect or not provided, then I wish to throw a NotAuthorizedException.

Please don't suggest I use WebApi or the equiv - I can't just yet in this scenario.

So i'm not sure if I should be implementing an IAuthorizationFilter or implementing an IActionFilter or even something else.

My code logic?

  • Check querystring for key.
  • Check my RavenDb (repository) for a user with that key/value.

If they fail any of those checks, then throw the NotAuthorizedException.

I'm assuming I would then decorate a my action method with this filter. I'm also assuming i would need to pass in my repository into this action method also?

Any suggestions please?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

So i'm not sure if I should be implementing an IAuthorizationFilter or implementing an IActionFilter or even something else.

You should be implementing an IAuthorizationFilter:

public class MyAuthorizeAttribute: FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var key = filterContext.HttpContext.Request.QueryString["param_name"];
        if (!IsValid(key))
        {
            // Unauthorized!
            filterContext.Result = new HttpUnauthorizedResult();
        }
    }

    private bool IsValid(string key)
    {
        // You know what to do here => go hit your RavenDb
        // and perform the necessary checks
        throw new NotImplementedException();
    }
}

And if you wanted to use dependency injection into your custom action filter you could take a look at the following article in which you could implement a custom filter provider (IFilterProvider). You could have a marked attribute which you may use on controller actions and then have this custom filter provider simply look whether the action is decorated with this marker attribute and apply the custom authorization filter.

For example:

public class MyAuthorizeAttribute: Attribute
{

}

and your authorization filter will only implement the IAuthorizationFilter, it won't be a FilterAttribute:

public class MyAuthorizationFilter: IAuthorizationFilter
{
    private readonly ISomeRepository repository;
    public class MyAuthorizationFilter(ISomeRepository repository)
    {
        this.repository = repository;
    }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var key = filterContext.HttpContext.Request.QueryString["param_name"];
        if (!IsValid(key))
        {
            // Unauthorized!
            filterContext.Result = new HttpUnauthorizedResult();
        }
    }

    private bool IsValid(string key)
    {
        // You know what to do here => go hit your RavenDb
        // and perform the necessary checks
        throw new NotImplementedException();
    }
}

and then you will have the custom filter provider:

public class MyFilterProvider : IFilterProvider
{
    public IEnumerable<Filter> GetFilters(ControllerContext controllerContext, ActionDescriptor actionDescriptor)
    {
        if (actionDescriptor.GetCustomAttributes(typeof(MyAuthorizeAttribute), true).Any())
        {
            var filter = DependencyResolver.Current.GetService<MyAuthorizationFilter>();
            yield return new Filter(filter, FilterScope.Global);
        }

        yield break;
    }
}

that will be registered in your Application_Start:

FilterProviders.Providers.Add(new MyFilterProvider());

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...