gpt4 book ai didi

c# - 如果 EnableCors Origin 无效,则完全阻止 Web API 执行

转载 作者:太空狗 更新时间:2023-10-29 23:37:25 31 4
gpt4 key购买 nike

我正在为我的 Web API 调用使用 Microsofts EnableCors 属性。客户端行为如我所料运行:例如当 Origin 无效时,调用返回失败。

但是,当我在方法中放置一个断点并从无效来源调用时...该方法仍然从上到下执行(即使客户端得到失败的结果)。如果 Origin 无效,我根本不希望它执行。

我的问题是:
如果 EnableCors Origin 无效,我如何才能完全阻止 Web API 方法的执行?

帮助我 Obi-Wan Kenobi...你是我唯一的希望。

我的代码看起来像:

[HttpPost]
[EnableCors(origins: "www.zippitydoodah.com", headers: "*", methods: "*")]
public HttpResponseMessage Enqueue(HttpRequestMessage request)
{
// NONE OF THIS SHOULD RUN: If the Origin is bad...but (oddly) it is
TraceHandler.TraceIn(TraceLevel.Info);

string claimId = string.Empty;
ClaimMessage claimMessage = null;

try
{
claimId = GetClaimId(request);
claimMessage = CreateClaimMessage(claimId, segmentClaimFullName);

Enqueue(claimMessage);

TraceHandler.TraceAppend(FORMAT_ENQUEUED_SUCCESS, claimId);
}
catch (Exception ex)
{
TraceHandler.TraceError(ex);
TraceHandler.TraceOut();

EnqueueToPoison(ex, claimMessage);
return Request.CreateResponse(HttpStatusCode.InternalServerError, GetHttpError());
}

TraceHandler.TraceOut();
return Request.CreateResponse(HttpStatusCode.OK, string.Format(FORMAT_ENQUEUED_SUCCESS, claimId));
}

我的配置看起来像:

public static class WebApiConfig
{
#region <Methods>

public static void Register(HttpConfiguration config)
{
// ENABLE CORS
config.EnableCors();

// CREATE ROUTES
config.Routes.MapHttpRoute(
name: "DefaultRpcApiActions",
routeTemplate: "api/{controller}/actions/{action}/{id}",
defaults: new { id = RouteParameter.Optional });

config.Routes.MapHttpRoute(
name: "DefaultApi",
routeTemplate: "api/{controller}/{id}",
defaults: new { id = RouteParameter.Optional });
}

#endregion
}

最佳答案

事实证明...

CORS header 不应阻止对 Controller 的调用:MVC 或 Web API。它只是阻止将 RESULTS 返回给浏览器。无论如何都会执行的方法...因此您必须通过其他方式阻止执行。

还有什么意思?
您或许可以使用 AuthorizeAttribute 来完成。但我想在 ACTION 级别执行此操作,所以我选择了 ActionFilterAttribute - 并在 OnActionExecuting

中执行检查

使用注意事项:ActionFilterAttribute

  • 继续向所有人开放 CORS,然后通过操作进行限制(这样每个人都可以 PING)

  • 假设所有调用都来自有效的REFERRER

这意味着诸如从数据库调用 SQL CLR 之类的事情(我正在做的)将无法工作,因为 REFERRER 是null(因此,我稍后会发布更好的解决方案)。

  • ICorsPolicyProvider 没用 - 我正在删除它(但包含在此处)

我看到的所有示例都包含它,但我还没有找到调用它的场景。我的构造函数已经创建了 CorsPolicy 并且该策略在整个调用生命周期内都可用...因此 ICorsPolicyProvider 方法似乎毫无用处(目前)。

  • TraceHandler 实现是我自己的 - 继续并使用您自己的实现

  • 必须添加 Access-Control-Allow-Origin header 以确保某些客户端的预期返回消息行为

代码如下:ActionFilterAttribute

namespace My.Application.Security
{
using My.Application.Diagnostics;
using System;
using System.Configuration;
using System.Diagnostics;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Cors;
using System.Web.Http.Controllers;
using System.Web.Http.Cors;
using System.Web.Http.Filters;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public class EnableWebApiCorsFromAppSettingsAttribute : ActionFilterAttribute, ICorsPolicyProvider
{
#region <Fields & Constants>

private const string EXCEPTION_CONTEXT_NULL = "Access Denied: HttpActionContext cannot be null.";
private const string EXCEPTION_REFERRER_NULL = "Access Denied: Referrer cannot be null.";
private const string FORMAT_INVALID_REFERRER = "Access Denied: '{0}' is not a valid referrer.";
private const string FORMAT_REFERRER = "Referrer: '{0}' was processed for this request.";
private const string FORMAT_REFERRER_FOUND = "Referrer IsFound: {0}.";

private readonly CorsPolicy policy;

#endregion

#region <Constructors>

public EnableWebApiCorsFromAppSettingsAttribute(string appSettingKey, bool allowAnyHeader = true, bool allowAnyMethod = true, bool supportsCredentials = true)
{
policy = new CorsPolicy();
policy.AllowAnyOrigin = false;
policy.AllowAnyHeader = allowAnyHeader;
policy.AllowAnyMethod = allowAnyMethod;
policy.SupportsCredentials = supportsCredentials;

SetValidOrigins(appSettingKey);

if (policy.Origins.Count == 0)
policy.AllowAnyOrigin = true;
}

#endregion

#region <Methods>

#region public

public override void OnActionExecuting(HttpActionContext actionContext)
{
TraceHandler.TraceIn(TraceLevel.Info);

if (actionContext == null)
throw new ArgumentNullException("HttpActionContext");

if (actionContext.Request.Headers.Referrer == null)
actionContext.Response = actionContext.Request.CreateErrorResponse(HttpStatusCode.Forbidden, EXCEPTION_REFERRER_NULL);

var referrer = actionContext.Request.Headers.Referrer.ToString();

TraceHandler.TraceAppend(string.Format(FORMAT_REFERRER, referrer));

// If no Origins Are Set - Do Nothing
if (policy.Origins.Count > 0)
{
var isFound = policy.Origins.Contains(referrer);

TraceHandler.TraceAppend(string.Format(FORMAT_REFERRER_FOUND, isFound));

if (!isFound)
{
TraceHandler.TraceAppend("IsFound was FALSE");
actionContext.Response = actionContext.Request.CreateErrorResponse(HttpStatusCode.Forbidden, string.Format(FORMAT_INVALID_REFERRER, referrer));
}
}

TraceHandler.TraceOut();
base.OnActionExecuting(actionContext);
}

public Task<CorsPolicy> GetCorsPolicyAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
if (cancellationToken.CanBeCanceled && cancellationToken.IsCancellationRequested)
return Task.FromResult<CorsPolicy>(null);

return Task.FromResult(policy);
}

#endregion

#region private

private void SetValidOrigins(string appSettingKey)
{
// APP SETTING KEY: <add key="EnableCors.Origins" value="http://www.zippitydoodah.com" />
var origins = string.Empty;
if (!string.IsNullOrEmpty(appSettingKey))
{
origins = ConfigurationManager.AppSettings[appSettingKey];
if (!string.IsNullOrEmpty(origins))
{
foreach (string origin in origins.Split(",;|".ToCharArray(), StringSplitOptions.RemoveEmptyEntries))
policy.Origins.Add(origin);
}
}
}

#endregion

#endregion
}
}

这里是代码的用法: ActionFilterAttribute

namespace My.Application.Web.Controllers
{
using Security;
using My.Application.Diagnostics;
using My.Application.Framework.Configuration;
using My.Application.Models;
using My.Application.Process;
using System;
using System.Configuration;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Messaging;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Cors;
using System.Xml.Linq;
using System.Xml.Serialization;

[EnableCors(origins: "*", headers: "*", methods: "*")]
public class OutboundEventController : ApiControllerBase
{
#region <Actions>

[HttpGet]
public HttpResponseMessage Ping()
{
TraceHandler.TraceIn(TraceLevel.Info);

if (Request.Headers.Referrer == null)
TraceHandler.TraceAppend(MESSAGE_REFERRER_NULL);

if (Request.Headers.Referrer != null)
TraceHandler.TraceAppend(string.Format(FORMAT_REFERRER, Request.Headers.Referrer));

TraceHandler.TraceOut();
return Request.CreateResponse(HttpStatusCode.OK, "Ping back at cha...");
}

[HttpPost]
[EnableWebApiCorsFromAppSettings("EnableCors.Origins")]
public HttpResponseMessage Enqueue(HttpRequestMessage request)
{
TraceHandler.TraceIn(TraceLevel.Info);

if (Request.Headers.Referrer == null)
TraceHandler.TraceAppend(MESSAGE_REFERRER_NULL);

if (Request.Headers.Referrer != null)
TraceHandler.TraceAppend(string.Format(FORMAT_REFERRER, Request.Headers.Referrer));

try
{
// Do Amazing Stuff Here...

TraceHandler.TraceAppend(FORMAT_ENQUEUED_SUCCESS, claimId);
}
catch (Exception ex)
{
TraceHandler.TraceError(ex);
TraceHandler.TraceOut();

EnqueueToPoison(ex, claimMessage);
return Request.CreateResponse(HttpStatusCode.InternalServerError, GetHttpError());
}

TraceHandler.TraceOut();

// FORCE: Correct Header
var response = Request.CreateResponse(HttpStatusCode.OK, string.Format(FORMAT_ENQUEUED_SUCCESS, claimId));
response.Headers.Add("Access-Control-Allow-Origin", "*");
return response;
}

#endregion

private string GetClaimId(HttpRequestMessage request)
{
var stream = request.Content.ReadAsStreamAsync().Result;
var xdoc = XDocument.Load(stream);
var result = GetElementValue(xdoc, "ClaimId");

return result;
}

private ClaimMessage CreateClaimMessage(string claimId, string process)
{
ClaimMessage message = new ClaimMessage();

message.ClaimID = claimId;
message.Process = process;

return message;
}

private void Enqueue(ClaimMessage claimMessage)
{
var queueName = ConfigurationManager.AppSettings[Settings.Messaging.Queue.Name].ToString();
var queue = new MessageQueue(queueName);
queue.DefaultPropertiesToSend.Recoverable = true;

TraceHandler.TraceAppend(FORMAT_QUEUE_NAME, queueName);

MessageQueueTransaction transaction;
transaction = new MessageQueueTransaction();
transaction.Begin();

var message = new System.Messaging.Message();
message.Formatter = new XmlMessageFormatter(new Type[] { typeof(ClaimMessage) });

message.Label = "ClaimID " + claimMessage.ClaimID;

message.Body = claimMessage;
queue.Send(message, transaction);

transaction.Commit();
queue.Close();
}

private void EnqueueToPoison(Exception exception, ClaimMessage claimdata)
{
TraceHandler.TraceIn(TraceLevel.Info);

var poison = ToPoisonMessage(exception, claimdata);
var message = new System.Messaging.Message();

try
{
var poisonQueueName = ConfigurationManager.AppSettings[Settings.Messaging.PoisonQueue.Name].ToString();

TraceHandler.TraceAppend(FORMAT_QUEUE_NAME, poisonQueueName);

if (MessageQueue.Exists(poisonQueueName))
{
var queue = new MessageQueue(poisonQueueName);
queue.DefaultPropertiesToSend.Recoverable = true;

var transaction = new MessageQueueTransaction();
transaction.Begin();

message.Formatter = new XmlMessageFormatter(new Type[] { typeof(PoisonClaimMessage) });
message.Label = "Poison ClaimID " + poison.ClaimID;

var xmlSerializer = new XmlSerializer(poison.GetType());
xmlSerializer.Serialize(message.BodyStream, poison);

queue.Send(message, transaction);

TraceHandler.TraceAppend(FORMAT_ENQUEUED_POISON_SUCCESS, poison.ClaimID);

transaction.Commit();
queue.Close();
}
}
catch(Exception ex)
{
// An error occurred while enqueuing to POISON
var poisonXml = ToString(poison);

TraceHandler.TraceError(ex);
TraceHandler.TraceAppend(poisonXml);
}
finally
{
TraceHandler.TraceOut();
}
}


#endregion
}
}

应用程序设置:ActionFilterAttribute

  <appSettings>
<add key="EnableCors.Origins" value="" />
</appSettings>

关于c# - 如果 EnableCors Origin 无效,则完全阻止 Web API 执行,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/36556075/

31 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com