<!-- NOTE(review): jQuery 1.10.2 is end-of-life and has published vulnerabilities (e.g. CVE-2019-11358,
     prototype pollution in releases before 3.4.0); upgrade before reusing this page outside a demo. -->
<script src="~/Scripts/jquery-1.10.2.min.js"></script>
1. WebApi Basic ([CommonBasicAuthorize] and [AllowAnonymous]):
Web.Config.xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<appSettings>
<!-- AuthorizeKey / AuthorizeValue are the pair CheckTicket expects inside a ticket's UserData
     ("Key&Value"), i.e. a shared secret. Replace the placeholder values before any deployment
     and keep the real ones out of source control (configSource / config transforms). -->
<add key="AuthorizeKey" value="AuthorizeKey" />
<add key="AuthorizeValue" value="AuthorizeValue" />
</appSettings>
</configuration>
Class AppSetting.cs
/// <summary>
/// Names of the appSettings keys read by CheckTicket. Each value is the
/// literal key string looked up in Web.config, so it must match that file
/// character for character.
/// </summary>
public class AppSetting {
    /// <summary>appSettings key holding the expected "Key" half of a ticket's UserData.</summary>
    public static readonly string AuthorizeKey = "AuthorizeKey";

    /// <summary>appSettings key holding the expected "Value" half of a ticket's UserData.</summary>
    public static readonly string AuthorizeValue = "AuthorizeValue";
}
公共基礎類:CommonBasicAuthorize : AuthorizeAttribute
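/// <summary>
/// Web API authorization filter entry point: every action on a controller
/// decorated with this attribute passes through here before it executes.
/// The request proceeds when the action or its controller is marked
/// <see cref="AllowAnonymousAttribute"/>, or when the Authorization header
/// carries "BasicAuthorize &lt;ticket&gt;" and <see cref="CheckTicket"/>
/// accepts the ticket; anything else is answered by
/// <see cref="HandleUnauthorizedRequest"/> (401).
/// </summary>
/// <param name="actionContext">The action being authorized.</param>
public override void OnAuthorization(HttpActionContext actionContext)
{
    if (actionContext == null)
    {
        throw new ArgumentNullException(nameof(actionContext));
    }

    // [AllowAnonymous] is honored on the action AND on the controller; the
    // original only inspected the action, so a controller-wide opt-out was
    // silently ignored. It is evaluated first so an anonymous endpoint does
    // not fail on a stale or garbled ticket a client happens to send along.
    if (AllowsAnonymous(actionContext))
    {
        return;
    }

    // Only a header of the form "BasicAuthorize <ticket>" (the scheme the
    // page's client sets in beforeSend) is examined. Requiring the scheme
    // keeps e.g. a stray "Basic user:pass" header out of the ticket decryptor.
    var authorization = actionContext.Request?.Headers?.Authorization;
    bool hasTicket = authorization != null
        && string.Equals(authorization.Scheme, TicketScheme, StringComparison.OrdinalIgnoreCase)
        && !string.IsNullOrWhiteSpace(authorization.Parameter);

    if (hasTicket && CheckTicket(authorization.Parameter))
    {
        // Ticket accepted. The original called base.IsAuthorized() here and
        // discarded its bool result, which had no effect; nothing further is
        // needed for the request to proceed.
        // NOTE(review): no principal is established, so User.Identity inside
        // the action stays anonymous. If actions need the caller's identity,
        // set actionContext.RequestContext.Principal here once CheckTicket
        // exposes the validated ticket name.
        return;
    }

    // Missing header, wrong scheme, empty parameter or rejected ticket.
    HandleUnauthorizedRequest(actionContext);
}

/// <summary>Authorization scheme expected from the client (see AuthorizeIndex's beforeSend).</summary>
private const string TicketScheme = "BasicAuthorize";

/// <summary>True when the action or its controller carries [AllowAnonymous].</summary>
/// <param name="actionContext">The action being authorized.</param>
private static bool AllowsAnonymous(HttpActionContext actionContext)
{
    bool onAction = actionContext.ActionDescriptor
        .GetCustomAttributes<AllowAnonymousAttribute>().Any();
    bool onController = actionContext.ControllerContext.ControllerDescriptor
        .GetCustomAttributes<AllowAnonymousAttribute>().Any();
    return onAction || onController;
}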
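/// <summary>
/// Validates the encrypted forms-authentication ticket taken from the
/// Authorization header. The ticket's UserData is expected to be
/// "Key&amp;Value" (AdminLogin on this page writes "{LoginId}&amp;{LoginPwd}")
/// and both halves must equal the AuthorizeKey / AuthorizeValue appSettings.
/// </summary>
/// <param name="strTicket">Raw ticket text from the client; may be null, empty or tampered with.</param>
/// <returns>
/// True only for a ticket that decrypts, has not expired and whose UserData
/// matches the configured pair; false for everything else. Never throws on
/// bad input.
/// </returns>
private bool CheckTicket(string strTicket)
{
    if (string.IsNullOrWhiteSpace(strTicket))
    {
        return false;
    }

    FormsAuthenticationTicket ticket;
    try
    {
        ticket = FormsAuthentication.Decrypt(strTicket);
    }
    catch (Exception)
    {
        // Deliberately broad: Decrypt raises different exception types for
        // malformed, truncated or tampered input depending on the framework
        // build. Any failure to decrypt client-supplied data is simply "not
        // authenticated"; the original let it escape as a 500.
        return false;
    }

    // Decrypt can also hand back null. Expired was never checked before, so
    // the one-hour lifetime AdminLogin puts on the ticket had no effect.
    if (ticket == null || ticket.Expired)
    {
        return false;
    }

    string userData = ticket.UserData ?? string.Empty;
    int separator = userData.IndexOf('&');
    if (separator < 0)
    {
        // Original: Substring(0, -1) -> ArgumentOutOfRangeException -> 500.
        return false;
    }
    string userKey = userData.Substring(0, separator);
    string userValue = userData.Substring(separator + 1);

    string authorizeKey = ConfigurationManager.AppSettings[AppSetting.AuthorizeKey];
    string authorizeValue = ConfigurationManager.AppSettings[AppSetting.AuthorizeValue];
    if (string.IsNullOrEmpty(authorizeKey) || string.IsNullOrEmpty(authorizeValue))
    {
        // Misconfigured server: fail closed rather than match an empty pair.
        return false;
    }

    // Ordinal comparison: these are opaque secrets, not user-facing text.
    // A constant-time compare is not required here: the ticket is encrypted
    // and integrity-protected under <machineKey> (default validation), so an
    // attacker cannot choose the compared strings without holding that key.
    // NOTE(review): userValue is the plaintext password AdminLogin placed in
    // UserData. It never leaves the server unencrypted, but an opaque
    // identifier would be the better token payload.
    return string.Equals(userKey, authorizeKey, StringComparison.Ordinal)
        && string.Equals(userValue, authorizeValue, StringComparison.Ordinal);
}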
/// <summary>
/// 授權測試
/// </summary>
[CommonBasicAuthorize]
[RoutePrefix("api/MyAuthorizeApi")]
public class MyAuthorizeApiController : ApiController
/// <summary>
/// Anonymous probe: [AllowAnonymous] lets it through the controller-level
/// [CommonBasicAuthorize] filter without a ticket.
/// </summary>
/// <returns>Always 1.</returns>
[AllowAnonymous] // anonymous access
[Route("GetMyId")]
[HttpGet]
public int GetMyId() => 1;
/// <summary>
/// Protected probe: no [AllowAnonymous], so the controller-level
/// [CommonBasicAuthorize] filter demands a valid ticket first.
/// Note it is POST-only; a GET is rejected by routing, not by the filter.
/// </summary>
/// <returns>A fixed greeting.</returns>
[Route("GetMyName")]
[HttpPost]
public string GetMyName() => "My Name is Bloss";
View:AuthorizeIndex
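$(function () {
    // Anonymous endpoint: reachable without a ticket.
    $("#btnA1").click(function () {
        $.get("/api/MyAuthorizeApi/GetMyId", null, function (data, status) {
            alert(data);
        });
    });

    // Protected endpoint. GetMyName is [HttpPost]; the original issued a GET,
    // which Web API answers with 405 during action selection, i.e. before the
    // authorization filter runs, so the observed "cannot access" was a routing
    // failure rather than the filter's 401. POST without a ticket to see the
    // 401, and surface the status instead of failing silently.
    $("#btnA2").click(function () {
        $.post("/api/MyAuthorizeApi/GetMyName", null, function (data, status) {
            alert(data);
        }).fail(function (xhr) {
            alert("Request rejected: HTTP " + xhr.status);
        });
    });
});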
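<!-- Distinct labels: both buttons previously read "Test WebApi Authorize". -->
<input type="button" id="btnA1" value="Test WebApi Authorize (anonymous GetMyId)">
<input type="button" id="btnA2" value="Test WebApi Authorize (protected GetMyName, no ticket)">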
[CommonBasicAuthorize]:添加這個後,當前控制器下面的所有動作方法,都會被攔截到,如果有匿名允許特性,則可以直接調用,否則必須通過驗證纔行
[AllowAnonymous]:只要沒有添加這個特性,都會被攔截...
result:
/api/MyAuthorizeApi/GetMyId 可以訪問
/api/MyAuthorizeApi/GetMyName 不能訪問(注意:View 中對 GetMyName 發的是 GET,而該動作標記為 [HttpPost],因此瀏覽器看到的是路由層的 405 Method Not Allowed,而非授權過濾器回傳的 401;要觀察 [CommonBasicAuthorize] 的攔截效果,請改用不帶票據的 POST 請求)
2.登陸驗證設置Ticket值,保存Ticket訪問WebApi
Controller:SysAdminController
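/// <summary>
/// Login endpoint for the ticket-based demo. On success it answers with
/// {"Success":true,"Ticket":"&lt;encrypted forms ticket&gt;"}; the client must
/// send that ticket back as "Authorization: BasicAuthorize &lt;ticket&gt;".
/// </summary>
[RoutePrefix("api/SysAdmin")]
public class SysAdminController : ApiController
{
    /// <summary>Lifetime of an issued ticket; CheckTicket is expected to reject tickets past it.</summary>
    private static readonly TimeSpan TicketLifetime = TimeSpan.FromHours(1);

    /// <summary>Validates the posted credentials and issues an encrypted ticket.</summary>
    /// <param name="sysAdmin">
    /// Login form (LoginId / LoginPwd) bound from the POST body; null when the
    /// body is missing or cannot be bound.
    /// </param>
    /// <returns>
    /// A JSON document, {"Success":true,"Ticket":"..."} or {"Success":false}.
    /// Because the return type is string, Web API JSON-encodes this document
    /// once more on the wire; the page's client compensates with JSON.parse.
    /// </returns>
    [AllowAnonymous]
    [Route("AdminLogin")]
    [HttpPost]
    public string AdminLogin(SysAdmin sysAdmin)
    {
        // A missing or unbindable body arrives as null; the original then
        // dereferenced sysAdmin.LoginId and answered with a 500.
        if (sysAdmin == null || !CheckLogin(sysAdmin))
        {
            return Newtonsoft.Json.JsonConvert.SerializeObject(new { Success = false });
        }

        // FormsAuthentication evaluates Expired against local time, so the
        // ticket timestamps stay in DateTime.Now rather than UtcNow.
        DateTime issued = DateTime.Now;
        var userTicket = new FormsAuthenticationTicket(
            0,                                          // version (unused by this app)
            sysAdmin.LoginId,                           // ticket name
            issued,
            issued.Add(TicketLifetime),
            true,                                       // isPersistent
            $"{sysAdmin.LoginId}&{sysAdmin.LoginPwd}",  // UserData; CheckTicket parses "Key&Value"
            FormsAuthentication.FormsCookiePath);
        // NOTE(review): UserData carries the plaintext password. The ticket is
        // encrypted and integrity-protected under <machineKey>, so the client
        // cannot read it, but a bearer token should not embed a password at
        // all; switch to an opaque identifier once CheckTicket no longer
        // depends on the "Key&Value" layout.

        var payload = new { Success = true, Ticket = FormsAuthentication.Encrypt(userTicket) };
        return Newtonsoft.Json.JsonConvert.SerializeObject(payload);
    }

    /// <summary>
    /// Credential check. STUB: accepts every login. Must look the account up
    /// and verify a password hash before this controller is exposed anywhere
    /// but the demo.
    /// </summary>
    /// <param name="admin">Posted credentials (non-null when called from AdminLogin).</param>
    /// <returns>Currently always true.</returns>
    private bool CheckLogin(Models.SysAdmin admin)
    {
        // TODO: get identity data from the database and validate it.
        return true;
    }
}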
Controller:MyAuthorizeApiController
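/// <summary>
/// Demo controller guarded by [CommonBasicAuthorize]: every action requires a
/// valid "BasicAuthorize &lt;ticket&gt;" header unless it opts out with
/// [AllowAnonymous].
/// </summary>
[CommonBasicAuthorize]
[RoutePrefix("api/MyAuthorizeApi")]
public class MyAuthorizeApiController : ApiController
{
    /// <summary>Anonymous probe: reachable without a ticket.</summary>
    /// <returns>Always 1.</returns>
    [AllowAnonymous] // anonymous access
    [Route("GetMyId")]
    [HttpGet]
    public int GetMyId()
    {
        return 1;
    }

    /// <summary>
    /// Protected probe: only a request carrying a valid ticket reaches it.
    /// The listing previously also carried [AllowAnonymous] here, which let
    /// the action through without any ticket and made step [3] of the demo
    /// prove nothing; it is removed so the filter is actually exercised, as
    /// the "Result" text and this summary describe.
    /// </summary>
    /// <returns>A fixed greeting.</returns>
    [Route("GetMyName")]
    [HttpPost]
    public string GetMyName()
    {
        return "My Name is Bloss";
    }
}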
View:AuthorizeIndex
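// Ticket returned by AdminLogin; kept in page memory only (no cookie or storage).
var userTicket = "";
$(function () {
    $("#btnA2").click(function () {
        // NOTE(review): these literals are the server's AuthorizeKey /
        // AuthorizeValue appSettings, i.e. the very secret CheckTicket compares
        // against, shipped to every browser. Acceptable only for this demo page.
        var vObject = { LoginId: "AuthorizeKey", LoginPwd: "AuthorizeValue" };
        $.post("/api/SysAdmin/AdminLogin", vObject, function (data, status) {
            // AdminLogin returns a JSON document as a string, which Web API
            // encodes once more, so the auto-parsed body is itself JSON text.
            // Guard the parse in case the server is later changed to return an
            // object directly.
            var result = (typeof data === "string") ? JSON.parse(data) : data;
            if (result && result.Success) {
                userTicket = result.Ticket;
                alert("Login succeeded, ticket stored.");
            } else {
                // Drop any stale ticket so a later call cannot reuse it.
                userTicket = "";
                alert("Login error,please check LoginId and LoginPwd. ");
            }
        }).fail(function (xhr) {
            // The original had no error path: a 4xx/5xx left the old ticket in place silently.
            userTicket = "";
            alert("Login request failed: HTTP " + xhr.status);
        });
    });
});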
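$(function () {
    // [3] Call the protected action carrying the ticket. [2] (login) must run
    // first; otherwise userTicket is empty and the server answers 401.
    $("#btnA3").click(function () {
        if (!userTicket) {
            // Sending "BasicAuthorize " with nothing after it only earns a 401;
            // say so up front instead of showing the empty ticket in an alert.
            alert("No ticket yet - log in first.");
            return;
        }
        $.ajax({
            type: "post",
            url: "/api/MyAuthorizeApi/GetMyName",
            data: {},
            beforeSend: function (xmlHttpRequest) {
                // Scheme and ticket separated by exactly one space: the server
                // reads the header as AuthenticationHeaderValue(Scheme, Parameter).
                xmlHttpRequest.setRequestHeader("Authorization", "BasicAuthorize " + userTicket);
            },
            success: function (data, status) {
                alert("Ticket validat is true,result is" + data);
            },
            error: function (xhr) {
                // The original had no error callback, so a rejected ticket was invisible.
                alert("Ticket rejected: HTTP " + xhr.status);
            }
        });
    });
});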
<div>
<input type="button" id="btnA2" value="Test WebApi Authorize Login">
<input type="button" id="btnA3" value="Test WebApi Access by Authorize">
</div>
Result:
/api/MyAuthorizeApi/GetMyName:沒有添加匿名屬性 [AllowAnonymous] 的 "/api/MyAuthorizeApi/GetMyName",在請求帶有 "Authorization: BasicAuthorize <Ticket>" 標頭時可以訪問。注意:上方第二份 MyAuthorizeApiController 清單在 GetMyName 上仍標有 [AllowAnonymous],這會讓該動作不經票據驗證即可訪問;要真正驗證票據流程,必須移除該特性,才與本結果描述一致。
3.WebApi 跨域訪問
WebApiConfig:
using System.Web.Http.Cors;
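/// <summary>
/// Web API bootstrap: applies the CORS policy from appSettings, then enables
/// attribute routing and the two convention-based routes.
/// </summary>
/// <param name="config">The application's HttpConfiguration.</param>
/// <exception cref="ConfigurationErrorsException">
/// Thrown when the CORS appSettings are missing, so the site fails to start
/// instead of running with an undefined origin policy.
/// </exception>
public static void Register(HttpConfiguration config)
{
    if (config == null)
    {
        throw new ArgumentNullException(nameof(config));
    }

    #region Browser cross-origin (CORS) setup
    // Option 1 - global: every origin, header and method may call this API.
    // Not for production: any site can then script requests against it from a
    // visitor's browser.
    // config.EnableCors(new EnableCorsAttribute("*", "*", "*"));

    // Option 2 - explicit allow-list read from Web.config. Origins are
    // comma-separated and matched exactly on scheme + host + port.
    string origins = ConfigurationManager.AppSettings[AppSetting.Cors_Origins];
    string headers = ConfigurationManager.AppSettings[AppSetting.Cors_Headers];
    string methods = ConfigurationManager.AppSettings[AppSetting.Cors_Methods];

    // A key name that does not match Web.config comes back null. Fail at
    // startup with a readable message rather than whatever EnableCorsAttribute
    // does with a null argument, and never let a missing key widen the policy.
    if (string.IsNullOrWhiteSpace(origins) || headers == null || methods == null)
    {
        throw new ConfigurationErrorsException(
            "CORS appSettings (Cors_Origins / Cors_Headers / Cors_Methods) are missing or empty; "
            + "refusing to start without an explicit origin allow-list.");
    }
    config.EnableCors(new EnableCorsAttribute(origins, headers, methods));
    #endregion

    // Enable Web API attribute routing ([RoutePrefix] / [Route]).
    config.MapHttpAttributeRoutes();

    config.Routes.MapHttpRoute(
        name: "DefaultApi",
        routeTemplate: "api/{controller}/{id}",
        defaults: new { id = RouteParameter.Optional }
    );

    // Custom MVC-style route that adds an {action} segment.
    config.Routes.MapHttpRoute(
        name: "customRoute1",
        routeTemplate: "myapi/{controller}/{action}/{id}",
        defaults: new { id = RouteParameter.Optional }
    );
}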
Web.config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<appSettings>
<!-- CORS allow-list read by WebApiConfig.Register. The key names must be exactly the strings
     declared in AppSetting.cs, or the lookup returns null.
     Cors_Origins: comma-separated origins (scheme://host:port, matched exactly); never "*" in production.
     Cors_Headers: "*" accepts any request header.
     Cors_Methods: HTTP methods that may be invoked cross-origin. -->
<add key="Cors_Origins" value="http://localhost:7956"/> <!-- separate multiple origins with a comma -->
<add key="Cors_Headers" value="*"/>
<add key="Cors_Methods" value="get,post,put,delete"/>
</appSettings>
</configuration>
類AppSetting.cs
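/// <summary>
/// Names of the appSettings keys this application reads. Each value is the
/// literal key string looked up in Web.config and must match it character
/// for character; a mismatch makes ConfigurationManager return null.
/// </summary>
public class AppSetting
{
    #region WebApi Cross Domain
    // These were "Cross_Origins" / "Cross_Headers" / "Cross_Methods", which do
    // not exist in the Web.config shown with this code ("Cors_*"), so the CORS
    // lookup in WebApiConfig.Register resolved to null.
    /// <summary>appSettings key: comma-separated list of allowed origins.</summary>
    public static readonly string Cors_Origins = "Cors_Origins";
    /// <summary>appSettings key: allowed request headers ("*" for any).</summary>
    public static readonly string Cors_Headers = "Cors_Headers";
    /// <summary>appSettings key: allowed HTTP methods.</summary>
    public static readonly string Cors_Methods = "Cors_Methods";
    #endregion
}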
View:index
jQuery.support.cors = true;//更好的提高兼容性
<script type="text/javascript">
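$(function () {
    jQuery.support.cors = true; // force cross-origin XHR support on old browsers
    $("#btn1").click(function () {
        // NOTE(review): no dataType is given, so jQuery guesses from the
        // response Content-Type; jQuery releases before 3.0 execute a
        // cross-domain response served as text/javascript in that case.
        // Pin dataType ("json"/"text") once the endpoint's content type is known.
        $.get("http://localhost:12496//Course/QueryCourse", { courseId: 2000 }, function (data, status) {
            alert(data);
        }).fail(function (xhr) {
            // The original gave no feedback at all; a CORS block is the most
            // common outcome of this demo and shows up here as status 0.
            alert("Cross-origin request failed: HTTP " + xhr.status);
        });
    });
});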
</script>
<div>
<input type="button" id="btn1" value="瀏覽器跨域問題測試"/>
</div>
"http://localhost:12496//Course/QueryCourse":WebApi Web site
"http://localhost:7956": external web site (the page served on 7956 calls the API on 12496, so 7956 is the origin that must appear in Cors_Origins)