How to secure an HTTP request is not a new topic. For request security we usually consider little more than two problems: tampering with the request, and replicating (replaying) the request. The first is easy to solve with a "parameters + key" approach; the second is hard, and so far there is no uniform standard for it. Today's talk about security is therefore mainly about the first kind.
A URL address might look like this:
http://
After the address above is protected against tampering, it may become
http://www.domain.com?vid=1&type=3&main=ok&cipherText=e10adc3949ba59abbe56e057f20f883e
Here cipherText is what we call the ciphertext. It is generated by MD5-hashing all parameter names + parameter values + the key, where the key is not public. During data transfer, as soon as you modify any parameter, the ciphertext you generate differs from our correct value, and your verification does not pass, hehe.
Given this, I abstracted this logic and extracted it into a feature (a filter attribute); if your action requires this security verification, just add the attribute directly to the method:
using System;
using System.Text;

/// <summary>
/// API data security validation
/// </summary>
[AttributeUsage(AttributeTargets.Method)]
public class ApiValidateFilter : System.Web.Mvc.ActionFilterAttribute
{
    public override void OnActionExecuting(System.Web.Mvc.ActionExecutingContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        var passKey = "tsingda123";   // shared secret; never sent over the wire (hardcoded here for the demo)
        var paramStr = new StringBuilder();

        // Concatenate every form value except the signature itself, in the order the form keys arrive.
        // The comparison ignores case so "cipherText" and "Ciphertext" both count as the signature field.
        foreach (string param in request.Form.Keys)
        {
            if (!string.Equals(param, "cipherText", StringComparison.OrdinalIgnoreCase))
                paramStr.Append(request.Form[param]);
        }
        paramStr.Append(passKey);

        if (VCommons.Encryptor.Utility.EncryptString(paramStr.ToString(), VCommons.Encryptor.Utility.EncryptorType.MD5) != request.Form["cipherText"])
        {
            // Validation failed: return a JSON error and stop the request before the action runs
            filterContext.HttpContext.Response.ContentType = "application/json";
            filterContext.HttpContext.Response.Write(VCommons.SerializeMemoryHelper.SerializeToJson(new { Message = "validation failed" }));
            filterContext.HttpContext.Response.End();
        }
        else
        {
            base.OnActionExecuting(filterContext);
        }
    }
}
Using it is very simple, hehe:
[ApiValidateFilter]
public JsonResult AddHello(string username, string password, string email)
{
    return Json(new { Message = username + password + email }, JsonRequestBehavior.AllowGet);
}
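The signing scheme the filter above implements (parameter values concatenated in the order sent, secret key appended, MD5 over the whole), written out as both the client and the server side. This is an added Python example, not the post's own code; the parameter values are constructed, and the key is the one the filter hardcodes. It also shows the post's "second problem": an unmodified request replayed verbatim still verifies.

```python
import hashlib
import hmac

# Key taken from the filter in the post; constructed example, a real deployment would load it from configuration.
SECRET_KEY = "tsingda123"
SIG_FIELD = "cipherText"  # parameter that carries the signature


def sign(params):
    """Compute the signature exactly as the filter does: concatenate every
    parameter value except the signature field, in the order the parameters
    were sent, append the secret key, and MD5 the result (hex digest)."""
    buf = "".join(v for k, v in params.items() if k.lower() != SIG_FIELD.lower())
    return hashlib.md5((buf + SECRET_KEY).encode("utf-8")).hexdigest()


def build_request(params):
    """Client side: attach the signature to an ordered parameter set."""
    signed = dict(params)  # dict preserves insertion order, like the form keys on the server
    signed[SIG_FIELD] = sign(params)
    return signed


def verify(request):
    """Server side: recompute the signature and compare in constant time.
    Returns False when the signature is missing or does not match."""
    supplied = next((v for k, v in request.items() if k.lower() == SIG_FIELD.lower()), None)
    if supplied is None:
        return False
    return hmac.compare_digest(sign(request).encode("utf-8"), supplied.encode("utf-8"))


if __name__ == "__main__":
    req = build_request({"vid": "1", "type": "3", "main": "ok"})
    print(verify(req))              # True: untouched request
    print(verify(dict(req, vid="2")))  # False: changing any value changes the MD5
    print(verify(dict(req)))        # True: a verbatim replay still passes (the post's second problem)
```

Because values are concatenated without their names or separators, both sides must agree on parameter order; the example below the block in the test shows a reordered request failing for that reason.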
In the world of system architecture we need abstraction of problems and refactoring of code, and this refactoring is constant and repeated. I have never believed in "write good code once"; code is perfected through continual refactoring!