我希望在每个HttpPost Action上使用AntiForgeryTokens,使用位于每个其他控制器继承的名为ControllerBase的控制器中的ActionFilter。
我想通过创建一个继承自ValidateAntiForgeryToken的ActionFilter来执行此操作,该ActionFilter接受一个参数,该参数告诉它应用自身的HTTP谓词。然后,我想在ControllerBase上应用该过滤器,以确保在整个网站上检查AntiForgeryToken的每个POST操作。
我正在考虑使用this solution,但
AuthorizationContext Constructor (ControllerContext)是一个过时的构造函数,我不知道如何使用推荐的AuthorizationContext(ControllerContext controllerContext, ActionDescriptor actionDescriptor)重建代码。
默认情况下,我似乎没有使用AntiForgeryToken,因为我收到以下错误: A required anti-forgery token was not supplied or was invalid在每次发布操作后。
我应该如何重写ActionFilter以符合当前的非过时标准,并在每个[HttpPost]动词上正确使用防伪标记?
我是否必须在每种形式中都包含一个防伪标记(我在想)? (而不是自动生成 - 不要笑,我很好奇) 更新:正如评论中指出的那样;是的,必须对每种形式都这样做。
以下是我的ControllerBase中的代码供参考:
[UseAntiForgeryTokenOnPostByDefault]
public class ControllerBase : Controller
{
[AttributeUsage(AttributeTargets.Method, AllowMultiple = false)]
public class BypassAntiForgeryTokenAttribute : ActionFilterAttribute
{
}
[AttributeUsage(AttributeTargets.Class, AllowMultiple = false)]
public class UseAntiForgeryTokenOnPostByDefault : ActionFilterAttribute
{
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
if (ShouldValidateAntiForgeryTokenManually(filterContext))
{
var authorizationContext = new AuthorizationContext(filterContext.Controller.ControllerContext);
//Use the authorization of the anti forgery token,
//which can't be inhereted from because it is sealed
new ValidateAntiForgeryTokenAttribute().OnAuthorization(authorizationContext);
}
base.OnActionExecuting(filterContext);
}
/// <summary>
/// We should validate the anti forgery token manually if the following criteria are met:
/// 1. The http method must be POST
/// 2. There is not an existing [ValidateAntiForgeryToken] attribute on the action
/// 3. There is no [BypassAntiForgeryToken] attribute on the action
/// </summary>
private static bool ShouldValidateAntiForgeryTokenManually(ActionExecutingContext filterContext)
{
var httpMethod = filterContext.HttpContext.Request.HttpMethod;
//1. The http method must be POST
if (httpMethod != "POST") return false;
// 2. There is not an existing anti forgery token attribute on the action
var antiForgeryAttributes =
filterContext.ActionDescriptor.GetCustomAttributes(typeof (ValidateAntiForgeryTokenAttribute), false);
if (antiForgeryAttributes.Length > 0) return false;
// 3. There is no [BypassAntiForgeryToken] attribute on the action
var ignoreAntiForgeryAttributes =
filterContext.ActionDescriptor.GetCustomAttributes(typeof (BypassAntiForgeryTokenAttribute), false);
if (ignoreAntiForgeryAttributes.Length > 0) return false;
return true;
}
}
}
答案 0 :(得分:7)
我使用了以下方法:
public class SkipCSRFCheckAttribute : Attribute
{
}
public class AntiForgeryTokenFilter : IAuthorizationFilter
{
public void OnAuthorization(AuthorizationContext filterContext)
{
if (IsHttpPostRequest(filterContext) && !SkipCsrfCheck(filterContext))
AntiForgery.Validate();
}
private static bool IsHttpPostRequest(AuthorizationContext filterContext)
{
return filterContext.RequestContext.HttpContext.Request.HttpMethod == HttpMethod.Post.ToString();
}
private static bool SkipCsrfCheck(AuthorizationContext filterContext)
{
return filterContext.ActionDescriptor.GetCustomAttributes(typeof (SkipCSRFCheck), false).Any();
}
}
这使我们能够在使用SkipCSRFCheck属性的情况下逐个禁用它,然后在Application_Start中将其注册为全局过滤器:
GlobalFilters.Filters.Add(new AntiForgeryTokenFilter());
答案 1 :(得分:1)
您无需实例化任何AuthorizationContext或调用OnAuthorization方法,只需:
if (ShouldValidateAntiForgeryTokenManually(filterContext))
{
AntiForgery.Validate(filterContext.HttpContext, null);
}