ASP.NET Web API Summary: Custom Permission Verification
There are two AuthorizeAttribute classes in .NET. One is defined in the System.Web.Http namespace:
```csharp
#region Assembly System.Web.Http, Version=5.2.3.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
// E:\src\packages\Microsoft.AspNet.WebApi.Core.5.2.3\lib\net45\System.Web.Http.dll
#endregion

using System.Web.Http.Controllers;
using System.Web.Http.Filters;

namespace System.Web.Http
{
    // Summary:
    //     Specifies the authorization filter that verifies the request's
    //     System.Security.Principal.IPrincipal.
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
    public class AuthorizeAttribute : AuthorizationFilterAttribute
    {
        // Summary:
        //     Initializes a new instance of the System.Web.Http.AuthorizeAttribute class.
        public AuthorizeAttribute();

        // Summary:
        //     Gets or sets the authorized roles.
        // Returns:
        //     The roles string.
        public string Roles { get; set; }

        // Summary:
        //     Gets the unique identifier for this attribute.
        // Returns:
        //     The unique identifier for this attribute.
        public override object TypeId { get; }

        // Summary:
        //     Gets or sets the authorized users.
        // Returns:
        //     The users string.
        public string Users { get; set; }

        // Summary:
        //     Called when an action is being authorized.
        // Parameters:
        //   actionContext:
        //     The context.
        // Exceptions:
        //   T:System.ArgumentNullException:
        //     The context parameter is null.
        public override void OnAuthorization(HttpActionContext actionContext);

        // Summary:
        //     Processes requests that fail authorization.
        // Parameters:
        //   actionContext:
        //     The context.
        protected virtual void HandleUnauthorizedRequest(HttpActionContext actionContext);

        // Summary:
        //     Indicates whether the specified control is authorized.
        // Parameters:
        //   actionContext:
        //     The context.
        // Returns:
        //     true if the control is authorized; otherwise, false.
        protected virtual bool IsAuthorized(HttpActionContext actionContext);
    }
}
```
The other is defined in the System.Web.Mvc namespace:
```csharp
#region Assembly System.Web.Mvc, Version=5.2.3.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
// E:\src\packages\Microsoft.AspNet.Mvc.5.2.3\lib\net45\System.Web.Mvc.dll
#endregion

namespace System.Web.Mvc
{
    // Summary:
    //     Specifies that access to a controller or action method is restricted to
    //     users who meet the authorization requirement.
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
    public class AuthorizeAttribute : FilterAttribute, IAuthorizationFilter
    {
        // Summary:
        //     Initializes a new instance of the System.Web.Mvc.AuthorizeAttribute class.
        public AuthorizeAttribute();

        // Summary:
        //     Gets or sets the user roles that are authorized to access the controller
        //     or action method.
        // Returns:
        //     The user roles that are authorized to access the controller or action method.
        public string Roles { get; set; }

        // Summary:
        //     Gets the unique identifier for this attribute.
        // Returns:
        //     The unique identifier for this attribute.
        public override object TypeId { get; }

        // Summary:
        //     Gets or sets the users that are authorized to access the controller
        //     or action method.
        // Returns:
        //     The users that are authorized to access the controller or action method.
        public string Users { get; set; }

        // Summary:
        //     Called when a process requests authorization.
        // Parameters:
        //   filterContext:
        //     The filter context, which encapsulates information for using
        //     System.Web.Mvc.AuthorizeAttribute.
        // Exceptions:
        //   T:System.ArgumentNullException:
        //     The filterContext parameter is null.
        public virtual void OnAuthorization(AuthorizationContext filterContext);

        // Summary:
        //     When overridden, provides an entry point for custom authorization checks.
        // Parameters:
        //   httpContext:
        //     The HTTP context, which encapsulates all HTTP-specific information about
        //     an individual HTTP request.
        // Returns:
        //     true if the user is authorized; otherwise, false.
        // Exceptions:
        //   T:System.ArgumentNullException:
        //     The httpContext parameter is null.
        protected virtual bool AuthorizeCore(HttpContextBase httpContext);

        // Summary:
        //     Processes HTTP requests that fail authorization.
        // Parameters:
        //   filterContext:
        //     Encapsulates the information for using System.Web.Mvc.AuthorizeAttribute.
        //     The filterContext object contains the controller, HTTP context, request
        //     context, action result, and route data.
        protected virtual void HandleUnauthorizedRequest(AuthorizationContext filterContext);

        // Summary:
        //     Called when the caching module requests authorization.
        // Parameters:
        //   httpContext:
        //     The HTTP context, which encapsulates all HTTP-specific information about
        //     an individual HTTP request.
        // Returns:
        //     A reference to the validation status.
        // Exceptions:
        //   T:System.ArgumentNullException:
        //     The httpContext parameter is null.
        protected virtual HttpValidationStatus OnCacheAuthorization(HttpContextBase httpContext);
    }
}
```
The main differences between the two are:
- System.Web.Http is mainly used in Web API.
- System.Web.Mvc is mainly used in ASP.NET MVC.
- In System.Web.Http, the input parameter is HttpActionContext:

```csharp
public override void OnAuthorization(HttpActionContext actionContext);
```

- In System.Web.Mvc, the input parameter is AuthorizationContext:

```csharp
public virtual void OnAuthorization(AuthorizationContext filterContext);
```
The two look the same, but when implementing custom permissions they differ considerably in how the check is actually written.
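The following shows how each of the two attributes obtains a cookie:

MVC:

```csharp
using System.Web;
using System.Web.Mvc;

public class Foo : AuthorizeAttribute
{
    // This override does not call base.OnAuthorization, so the built-in Users/Roles check does not run.
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        // MVC exposes the classic System.Web request; Get returns null when "Bar" was not sent.
        HttpCookie cookie = filterContext.HttpContext.Request.Cookies.Get("Bar");
    }
}
```

HTTP (Web API):

```csharp
using System.Linq;
using System.Net.Http;          // GetCookies extension method
using System.Net.Http.Headers;  // CookieHeaderValue, CookieState
using System.Web.Http;
using System.Web.Http.Controllers;

public class Foo : AuthorizeAttribute
{
    // This override does not call base.OnAuthorization, so the built-in Users/Roles check does not run.
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        // Web API parses the Cookie header itself; FirstOrDefault returns null when "Bar" was not sent.
        CookieHeaderValue cookies = actionContext.Request.Headers.GetCookies("Bar").FirstOrDefault();
        CookieState cookie = cookies?["Bar"]; // null-safe: the original indexed a possibly null value
    }
}
```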
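The same cookie lookup can also sit in each framework's boolean hook (IsAuthorized in Web API, AuthorizeCore in MVC), so that the base OnAuthorization and HandleUnauthorizedRequest keep running. This is an added example, not code from the original article or from ASP.NET; the BarCookie helper, its "user|base64 HMAC" cookie format, the placeholder key and both attribute class names are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Net.Http;               // GetCookies() extension method
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Http.Controllers;

// Hypothetical helper: "Bar" is assumed to hold "<user>|<base64 HMAC-SHA256 of user>".
static class BarCookie
{
    // Placeholder key for illustration; load a real key from protected configuration.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("replace-with-a-real-secret");
    public static bool IsValid(string value)
    {
        var parts = (value ?? "").Split('|');
        if (parts.Length != 2 || parts[0].Length == 0) return false;
        byte[] given;
        try { given = Convert.FromBase64String(parts[1]); } catch (FormatException) { return false; }
        using (var hmac = new HMACSHA256(Key))
        {
            byte[] expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(parts[0]));
            int diff = expected.Length ^ given.Length;   // compare without early exit
            for (int i = 0; i < expected.Length && i < given.Length; i++)
                diff |= expected[i] ^ given[i];
            return diff == 0;
        }
    }
}

// Web API: a false result makes the base class call HandleUnauthorizedRequest.
public class ApiBarAuthorizeAttribute : System.Web.Http.AuthorizeAttribute
{
    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        var header = actionContext.Request.Headers.GetCookies("Bar").FirstOrDefault();
        return BarCookie.IsValid(header?["Bar"]?.Value);   // a missing cookie is rejected
    }
}

// MVC: the equivalent entry point is AuthorizeCore, which receives HttpContextBase.
public class MvcBarAuthorizeAttribute : System.Web.Mvc.AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        HttpCookie cookie = httpContext.Request.Cookies.Get("Bar");
        return BarCookie.IsValid(cookie?.Value);           // a missing cookie is rejected
    }
}
```

Both overrides replace the built-in Users/Roles evaluation with the cookie check; call the base method as well if those properties should still apply.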
There is also a different way of writing custom permissions, which will be introduced in subsequent articles.