
Asp.net WEBAPI 简单的OAUTH认证

2016-08-29 14:53 309 查看
最近项目需要,公司使用了完全的前后端分离技术,后端使用ASP.NET WEBAPI实现,前端使用PHP作为中转服务器调用后端服务器提供的WEBAPI,前期测试环境没有加OAUTH 安全认证,但是实际的生产环境肯定要认证,不然暴露出去的WEB API就会很危险,很容易被别人利用来生成脏数据,所以经过仔细思考,前期暂时先使用认证指定IP的方式来防止异常注入操作,整体操作思路比较简单:1. 创建授权过滤器类【这是过滤的入口动作,主要负责连接用户请求和授权验证方法】。2. 创建授权验证方法,这里面是认证的核心内容,可以自定义认证规则,比如想复杂一点的可以加入Token认证什么的。3. 将过滤规则注册到全局过滤器中。 经过上面三步,就大功告成,只接受指定服务器IP的访问请求,其它的访问会被过滤拒绝掉,这样安全性就高了很多!

具体操作如下:

1.新建授权过滤器类APIAuthorizeAttribute.cs

using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Web;
using System.Web.Http.Filters;
using Uuch.HP.WebAPI.Helper;
namespace Uuch.HP.WebAPI.Filter
{
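/// <summary>
/// Web API authorization filter: accepts a request when it already carries an
/// authenticated principal, or when it presents "Basic" credentials whose
/// user name / key pair together with the caller's IP address are accepted by
/// <see cref="APIAuthorizeInfoValidate.ValidateApi"/>. Every other request is
/// answered with 401 and a WWW-Authenticate challenge.
/// </summary>
public class APIAuthorizeAttribute : AuthorizationFilterAttribute
{
    /// <summary>
    /// Entry point called by the Web API pipeline before the action runs.
    /// </summary>
    /// <param name="actionContext">Context of the incoming request; its Response is
    /// set to 401 when authorization fails.</param>
    public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
    {
        // Already authenticated by another mechanism (e.g. forms authentication):
        // no need to evaluate Basic credentials again.
        if (Thread.CurrentPrincipal.Identity.IsAuthenticated)
        {
            return;
        }

        var authHeader = actionContext.Request.Headers.Authorization;
        if (authHeader != null
            && authHeader.Scheme.Equals("basic", StringComparison.OrdinalIgnoreCase)
            && !string.IsNullOrWhiteSpace(authHeader.Parameter))
        {
            // A malformed parameter (bad Base64, missing ':' separator) must end up as
            // 401, not as an unhandled exception / 500, so GetCredentials returns null
            // instead of throwing.
            var credArray = GetCredentials(authHeader);
            if (credArray != null)
            {
                var userName = credArray[0];
                var key = credArray[1];

                // UserHostAddress is the address of the TCP peer. Behind a reverse
                // proxy this is the proxy's address, not the original client's;
                // forwarded-for headers are deliberately not consulted here.
                var httpContext = System.Web.HttpContext.Current;
                string ip = httpContext != null ? httpContext.Request.UserHostAddress : null;

                if (APIAuthorizeInfoValidate.ValidateApi(userName, key, ip))
                {
                    var currentPrincipal = new GenericPrincipal(new GenericIdentity(userName), null);
                    Thread.CurrentPrincipal = currentPrincipal;
                    // When hosted in IIS the principal is also read from HttpContext.User.
                    if (httpContext != null)
                    {
                        httpContext.User = currentPrincipal;
                    }
                    return;
                }
            }
        }

        HandleUnauthorizedRequest(actionContext);
    }

    /// <summary>
    /// Decodes the Basic credential parameter ("base64(user:key)") into [user, key].
    /// </summary>
    /// <param name="authHeader">The parsed Authorization header (scheme "basic").</param>
    /// <returns>A two-element array, or null when the parameter is not valid Base64
    /// or contains no ':' separator.</returns>
    private string[] GetCredentials(System.Net.Http.Headers.AuthenticationHeaderValue authHeader)
    {
        byte[] rawBytes;
        try
        {
            rawBytes = Convert.FromBase64String(authHeader.Parameter);
        }
        catch (FormatException)
        {
            return null;
        }

        // iso-8859-1 maps every byte to exactly one char, so no byte sequence is rejected.
        var encoding = Encoding.GetEncoding("iso-8859-1");
        var cred = encoding.GetString(rawBytes);

        // Split on the first ':' only: the user name cannot contain ':' but the key may.
        var credArray = cred.Split(new[] { ':' }, 2);
        return credArray.Length == 2 ? credArray : null;
    }

    /// <summary>
    /// Reports whether the "userName" route value equals the authenticated user name.
    /// Not called at present (the call site in OnAuthorization is disabled); kept for
    /// per-resource ownership checks.
    /// </summary>
    /// <param name="userName">The authenticated user name.</param>
    /// <param name="actionContext">Context whose route data supplies "userName".</param>
    /// <returns>true when the route's userName matches; false otherwise (including when
    /// the route value is absent).</returns>
    private bool IsResourceOwner(string userName, System.Web.Http.Controllers.HttpActionContext actionContext)
    {
        var routeData = actionContext.Request.GetRouteData();
        var resourceUserName = routeData.Values["userName"] as string;
        return resourceUserName == userName;
    }

    /// <summary>
    /// Sets a 401 response carrying a well-formed Basic challenge
    /// (<c>WWW-Authenticate: Basic realm="eLearning"</c>).
    /// </summary>
    /// <param name="actionContext">Context whose Response is replaced.</param>
    private void HandleUnauthorizedRequest(System.Web.Http.Controllers.HttpActionContext actionContext)
    {
        actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
        // Use the typed header so the value is a valid challenge; the previous
        // "Scheme=..., location=..." form is not a defined Basic parameter.
        actionContext.Response.Headers.WwwAuthenticate.Add(
            new System.Net.Http.Headers.AuthenticationHeaderValue("Basic", "realm=\"eLearning\""));
    }
}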
}


2.添加验证方法类APIAuthorizeInfoValidate.cs

using Newtonsoft.Json;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
namespace Uuch.HP.WebAPI.Helper
{
/// <summary>
/// One entry of the configured API credential list: a user name and its shared key.
/// Instances are produced by deserializing the ApiAuthorize JSON configuration.
/// </summary>
public class APIAuthorizeInfo
{
    /// <summary>User name presented in the Basic credentials.</summary>
    public string UserName { get; set; }

    /// <summary>Shared key expected for <see cref="UserName"/>; treat as a secret.</summary>
    public string Key { get; set; }
}
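/// <summary>
/// Validates API callers against two pieces of configuration: a JSON array of
/// {UserName, Key} entries (WebConfigHelper.ApiAuthorize) and a comma-separated
/// IP allow-list (WebConfigHelper.IPs).
/// </summary>
public class APIAuthorizeInfoValidate
{
    /// <summary>
    /// Returns true only when <paramref name="ip"/> is in the allow-list and the
    /// user name / key pair matches a configured entry.
    /// </summary>
    /// <param name="username">User name taken from the Basic credentials.</param>
    /// <param name="key">Shared key taken from the Basic credentials.</param>
    /// <param name="ip">Remote address of the caller; may be null.</param>
    /// <returns>true when both checks pass; false otherwise, including when the
    /// configuration is missing or empty.</returns>
    public static bool ValidateApi(string username, string key, string ip)
    {
        // Empty inputs are rejected outright: an empty key must never match a
        // misconfigured empty entry, and a null address cannot be allow-listed.
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(key) || string.IsNullOrEmpty(ip))
        {
            return false;
        }

        // The allow-list does not depend on the credential entry, so evaluate it once
        // instead of once per entry.
        if (!IsAllowedIp(ip))
        {
            return false;
        }

        var entries = JsonConvert.DeserializeObject<List<APIAuthorizeInfo>>(WebConfigHelper.ApiAuthorize);
        if (entries == null)
        {
            return false;
        }

        foreach (var entry in entries)
        {
            if (string.Equals(entry.UserName, username, StringComparison.Ordinal)
                && FixedTimeEquals(entry.Key, key))
            {
                return true;
            }
        }
        return false;
    }

    // Splits the comma-separated allow-list and trims each entry so that
    // "10.0.0.1, 10.0.0.2" also matches "10.0.0.2". A missing list allows nothing.
    private static bool IsAllowedIp(string ip)
    {
        var configured = WebConfigHelper.IPs;
        if (string.IsNullOrEmpty(configured))
        {
            return false;
        }
        return configured.Split(',').Select(s => s.Trim()).Contains(ip, StringComparer.Ordinal);
    }

    // Compares two secrets without stopping at the first differing character, so the
    // comparison time does not reveal how much of the key was correct.
    private static bool FixedTimeEquals(string expected, string actual)
    {
        if (expected == null || actual == null || expected.Length != actual.Length)
        {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < expected.Length; i++)
        {
            diff |= expected[i] ^ actual[i];
        }
        return diff == 0;
    }
}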
}


3、把过滤器添加到全局过滤器中,这里要注意了,不要添加到FilterConfig.cs,而要添加到WebApiConfig.cs,因为FilterConfig是MVC用的,我们这里是WebAPI。

/// <summary>
/// Web API start-up configuration: registers the default "api/{controller}/{id}"
/// route and installs <see cref="APIAuthorizeAttribute"/> as a global filter, so
/// every Web API action passes through it (this is the Web API pipeline, not MVC's).
/// </summary>
public static class WebApiConfig
{
    /// <summary>
    /// Populates <paramref name="config"/> with the route table and the global
    /// authorization filter.
    /// </summary>
    /// <param name="config">The Web API configuration being built.</param>
    public static void Register(HttpConfiguration config)
    {
        const string routeName = "DefaultApi";
        const string routeTemplate = "api/{controller}/{id}";
        var routeDefaults = new { id = RouteParameter.Optional };
        config.Routes.MapHttpRoute(routeName, routeTemplate, routeDefaults);

        // A global filter applies to all controllers; nothing needs the attribute per action.
        var authorizationFilter = new APIAuthorizeAttribute();
        config.Filters.Add(authorizationFilter);
    }
}