<script src="~/Scripts/jquery-1.10.2.min.js"></script>
1. WebApi Basic ([BasicAuthorize] and [AllowAnonymous]):
Web.Config.xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<appSettings>
<!-- Expected "Key" and "Value" halves of a ticket's UserData ("Key&Value"): the authorize
     filter compares the decrypted ticket contents against these two entries, so they act
     as credentials. Replace the sample values before deploying. -->
<add key="AuthorizeKey" value="AuthorizeKey" />
<add key="AuthorizeValue" value="AuthorizeValue" />
</appSettings>
</configuration>
Class AppSetting.cs
/// <summary>
/// Names of the web.config appSettings keys used by the authorize filter.
/// Each constant's value is spelled exactly like the key it names.
/// </summary>
public class AppSetting
{
    /// <summary>appSettings key holding the expected "Key" half of a ticket's UserData.</summary>
    public static readonly string AuthorizeKey = nameof(AuthorizeKey);

    /// <summary>appSettings key holding the expected "Value" half of a ticket's UserData.</summary>
    public static readonly string AuthorizeValue = nameof(AuthorizeValue);
}
公共基础类:CommonBasicAuthorize : AuthorizeAttribute
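/// <summary>
/// Web API authorization entry point. A request that carries an Authorization header is
/// accepted only when its parameter is a ticket that <see cref="CheckTicket"/> validates;
/// a request without one is accepted only when the action is marked
/// <see cref="AllowAnonymousAttribute"/>. Everything else is answered by
/// <see cref="AuthorizeAttribute.HandleUnauthorizedRequest"/>.
/// </summary>
/// <param name="actionContext">Context of the action being invoked; its request headers are inspected.</param>
public override void OnAuthorization(HttpActionContext actionContext)
{
    /*Get Identity data from the request info*/
    var userAuthorization = actionContext.Request.Headers.Authorization;
    if (userAuthorization != null && userAuthorization.Parameter != null)
    {
        // A ticket was supplied, so it must validate even on an [AllowAnonymous] action.
        // NOTE(review): only the parameter is inspected; the scheme name the client sends
        // ("BasicAuthorize" in the sample page) is not checked here.
        if (!CheckTicket(userAuthorization.Parameter))
        {
            /*Authentication is not validated by authorization*/
            HandleUnauthorizedRequest(actionContext);
        }
        // On success nothing further is required: not calling HandleUnauthorizedRequest lets
        // the pipeline continue. (The earlier base.IsAuthorized(actionContext) call here
        // discarded its bool result and therefore had no effect.)
        return;
    }

    // No ticket: only actions explicitly marked [AllowAnonymous] may proceed.
    // NOTE(review): only the action's own attributes are consulted; an [AllowAnonymous]
    // placed on the controller class is not seen by this check.
    bool allowAnonymous = actionContext.ActionDescriptor
        .GetCustomAttributes<AllowAnonymousAttribute>()
        .Count > 0;
    if (allowAnonymous)
    {
        base.OnAuthorization(actionContext);
    }
    else
    {
        HandleUnauthorizedRequest(actionContext);
    }
}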
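/// <summary>
/// Validates an encrypted forms-authentication ticket whose UserData has the shape
/// "Key&amp;Value" and compares both halves with the AuthorizeKey / AuthorizeValue appSettings.
/// </summary>
/// <param name="strTicket">Encrypted ticket text taken from the Authorization header parameter.</param>
/// <returns>
/// <c>true</c> only for a decryptable, unexpired ticket whose key and value both match the
/// configured entries; <c>false</c> for anything malformed, tampered, expired or mismatched.
/// </returns>
private bool CheckTicket(string strTicket)
{
    if (string.IsNullOrWhiteSpace(strTicket))
    {
        return false;
    }

    /*The posted ticket is encrypted; its UserData format is "Key&Value"*/
    FormsAuthenticationTicket ticket;
    try
    {
        ticket = FormsAuthentication.Decrypt(strTicket);
    }
    catch (System.ArgumentException)
    {
        // Malformed ticket text: answer "not authorized" instead of letting a 500 escape.
        return false;
    }
    catch (System.Web.HttpException)
    {
        // Ticket that cannot be validated (tampered or issued under another key): same outcome.
        return false;
    }

    // Decrypt does not enforce the expiry stamped on the ticket at issue time; without this
    // check an expired ticket would keep passing.
    if (ticket == null || ticket.Expired)
    {
        return false;
    }

    string userData = ticket.UserData ?? string.Empty;
    int separator = userData.IndexOf('&');
    if (separator < 0)
    {
        // Not in the expected "Key&Value" shape (Substring would otherwise throw).
        return false;
    }
    string userKey = userData.Substring(0, separator);
    string userValue = userData.Substring(separator + 1);

    /*Authorize Key And Value expected by configuration*/
    string authorizeKey = ConfigurationManager.AppSettings[AppSetting.AuthorizeKey];
    string authorizeValue = ConfigurationManager.AppSettings[AppSetting.AuthorizeValue];

    // Ordinal comparison: these are identifiers/secrets, not linguistic text.
    // NOTE(review): as issued by the sample login action, UserData carries the login id and
    // password, so this is effectively a credential re-check against appSettings.
    return string.Equals(userKey, authorizeKey, System.StringComparison.Ordinal)
        && string.Equals(userValue, authorizeValue, System.StringComparison.Ordinal);
}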
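/// <summary>
/// Authorization demo controller: every action is guarded by <see cref="CommonBasicAuthorize"/>
/// unless it carries <see cref="AllowAnonymousAttribute"/>.
/// (The listing was missing the class braces; they are restored here.)
/// </summary>
[CommonBasicAuthorize]
[RoutePrefix("api/MyAuthorizeApi")]
public class MyAuthorizeApiController : ApiController
{
    /// <summary>Anonymous access allowed: reachable without a ticket.</summary>
    /// <returns>A fixed sample id.</returns>
    [AllowAnonymous]
    [Route("GetMyId")]
    [HttpGet]
    public int GetMyId()
    {
        return 1;
    }

    /// <summary>Only an authenticated caller (valid ticket) can obtain this information.</summary>
    /// <returns>A fixed sample name.</returns>
    [Route("GetMyName")]
    [HttpPost]
    public string GetMyName()
    {
        return "My Name is Bloss";
    }
}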
View:AuthorizeIndex
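$(function () {
    // [AllowAnonymous] action: expected to succeed without any credential.
    $("#btnA1").click(function () {
        $.get("/api/MyAuthorizeApi/GetMyId", null,
            function (data, status) {
                alert(data);
            });
    });

    // Guarded action. It is declared [HttpPost] on the server, so it must be called with
    // POST: a GET is refused for the wrong verb rather than for missing authorization,
    // which would not demonstrate the authorize filter at all.
    $("#btnA2").click(function () {
        $.post("/api/MyAuthorizeApi/GetMyName", null,
            function (data, status) {
                alert(data);
            })
            .fail(function (xhr) {
                // Without a ticket this is the expected outcome; show it instead of staying silent.
                alert("Request failed with HTTP status " + xhr.status);
            });
    });
});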
<input type="button" id="btnA1" value="Test WebApi Authorize">
<input type="button" id="btnA2" value="Test WebApi Authorize">
[CommonBasicAuthorize]:添加这个后,当前控制器下面的所有动作方法,都会被拦截到,如果有匿名允许特性,则可以直接调用,否则必须通过验证才行
[AllowAnonymous]:只要没有添加这个特性,都会被拦截...
result:
/api/MyAuthorizeApi/GetMyId 可以访问
/api/MyAuthorizeApi/GetMyName 不能访问
2.登陆验证设置Ticket值,保存Ticket访问WebApi
Controller:SysAdminController
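/// <summary>
/// Login endpoint that issues an encrypted forms-authentication ticket for the Web API demo.
/// </summary>
[RoutePrefix("api/SysAdmin")]
public class SysAdminController : ApiController
{
    /// <summary>
    /// Checks the posted credentials and, on success, returns the JSON document
    /// <c>{ "Success": true, "Ticket": "&lt;encrypted ticket&gt;" }</c>; otherwise <c>{ "Success": false }</c>.
    /// </summary>
    /// <param name="sysAdmin">Model-bound login id and password; <c>null</c> when the body could not be bound.</param>
    /// <returns>The JSON document as a string (the client must JSON.parse the body).</returns>
    [AllowAnonymous]
    [Route("AdminLogin")]
    [HttpPost]
    public string AdminLogin(SysAdmin sysAdmin)
    {
        // A missing or unbindable body used to surface as a NullReferenceException (HTTP 500)
        // when LoginId was read below; report it as a failed login instead.
        if (sysAdmin == null || !CheckLogin(sysAdmin))
        {
            return Newtonsoft.Json.JsonConvert.SerializeObject(new { Success = false });
        }

        // Create the identity ticket; it expires one hour after issue.
        // NOTE(review): UserData embeds the password next to the login id because the
        // authorize filter compares both halves against appSettings. The ticket goes through
        // FormsAuthentication.Encrypt, but it still hands a credential to the client; a role
        // or user identifier would be the usual payload.
        var userTicket = new FormsAuthenticationTicket(
            0,
            sysAdmin.LoginId,
            DateTime.Now,
            DateTime.Now.AddHours(1),
            true,
            $"{sysAdmin.LoginId}&{sysAdmin.LoginPwd}",
            FormsAuthentication.FormsCookiePath);

        // Encrypt, then serialize the envelope the client expects.
        var encryptTicket = new { Success = true, Ticket = FormsAuthentication.Encrypt(userTicket) };
        return Newtonsoft.Json.JsonConvert.SerializeObject(encryptTicket);
    }

    /// <summary>
    /// Placeholder credential check: accepts every caller. Replace with a real lookup before use.
    /// </summary>
    /// <param name="admin">The posted credentials (currently ignored).</param>
    /// <returns>Always <c>true</c>.</returns>
    private bool CheckLogin(Models.SysAdmin admin)
    {
        //Get identity data from database and Validate
        return true;
    }
}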
Controller:MyAuthorizeApiController
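/// <summary>
/// Authorization demo controller for the ticket flow: GetMyId is open, GetMyName requires a
/// valid ticket in the Authorization header.
/// </summary>
[CommonBasicAuthorize]
[RoutePrefix("api/MyAuthorizeApi")]
public class MyAuthorizeApiController : ApiController
{
    /// <summary>Anonymous access allowed: reachable without a ticket.</summary>
    /// <returns>A fixed sample id.</returns>
    [AllowAnonymous]
    [Route("GetMyId")]
    [HttpGet]
    public int GetMyId()
    {
        return 1;
    }

    /// <summary>
    /// Only an authenticated caller (valid ticket) can obtain this information.
    /// No [AllowAnonymous] here: the listing previously carried one, which contradicted this
    /// contract and the documented result that the action is reached only with a ticket.
    /// </summary>
    /// <returns>A fixed sample name.</returns>
    [Route("GetMyName")]
    [HttpPost]
    public string GetMyName()
    {
        return "My Name is Bloss";
    }
}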
View:AuthorizeIndex
// Ticket returned by AdminLogin; kept only in this page-level variable (lost on reload).
var userTicket = "";

$(function () {
    // [2] Log in and remember the ticket for the later authorized call.
    $("#btnA2").click(function () {
        var credentials = { LoginId: "AuthorizeKey", LoginPwd: "AuthorizeValue" };
        var onReply = function (data, status) {
            alert(data);
            var result = JSON.parse(data);
            alert(result);
            if (!result.Success) {
                alert("Login error,please check LoginId and LoginPwd. ");
                return;
            }
            userTicket = result.Ticket;
            alert(userTicket);
        };
        $.post("/api/SysAdmin/AdminLogin", credentials, onReply);
    });
});
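$(function () {
    // [3] Call the guarded API with the ticket. Only observable after [2] has run and
    // stored a ticket; otherwise the header carries an empty value.
    $("#btnA3").click(function () {
        $.ajax({
            type: "post",
            url: "/api/MyAuthorizeApi/GetMyName",
            data: {},
            // Before the request is sent, put the ticket into the Authorization header.
            beforeSend: function (xmlHttpRequest) {
                alert(userTicket);
                // Scheme name and ticket are separated by a single space: "BasicAuthorize <ticket>".
                xmlHttpRequest.setRequestHeader("Authorization", "BasicAuthorize " + userTicket);
            },
            success: function (data, status) {
                alert("Ticket validat is true,result is" + data);
            },
            // A rejected ticket previously produced no feedback at all; report the status.
            error: function (xhr) {
                alert("Ticket validation failed, HTTP status " + xhr.status);
            }
        });
    });
});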
<div>
<input type="button" id="btnA2" value="Test WebApi Authorize Login">
<input type="button" id="btnA3" value="Test WebApi Access by Authorize">
</div>
Result:
/api/MyAuthorizeApi/GetMyName:没有添加匿名属性[AllowAnonymous]的“/api/MyAuthorizeApi/GetMyName”可以访问
3.WebApi 跨域访问
WebApiConfig:
using System.Web.Http.Cors;
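/// <summary>
/// Web API startup configuration: CORS policy read from appSettings, attribute routing and
/// two convention-based routes.
/// </summary>
/// <param name="config">The global <see cref="HttpConfiguration"/> being initialised.</param>
/// <exception cref="System.InvalidOperationException">A CORS appSettings key is missing.</exception>
public static void Register(HttpConfiguration config)
{
    #region Browser cross-origin (CORS) setup
    // Option 1: open globally - every origin, header and method may call the API.
    // Very low safety; kept only for reference.
    // config.EnableCors(new EnableCorsAttribute("*", "*", "*"));

    // Option 2: per-setting policy - which origins, headers and methods are allowed is
    // configured in web.config. The AppSetting.* constants must spell the keys exactly as
    // web.config does, otherwise the lookups return null.
    string origins = RequiredAppSetting(AppSetting.Cors_Origins);
    string headers = RequiredAppSetting(AppSetting.Cors_Headers);
    string methods = RequiredAppSetting(AppSetting.Cors_Methods);
    config.EnableCors(new EnableCorsAttribute(origins, headers, methods));
    #endregion

    // Web API configuration and services.
    // Extension method: enable attribute routing.
    config.MapHttpAttributeRoutes();
    config.Routes.MapHttpRoute(
        name: "DefaultApi",
        routeTemplate: "api/{controller}/{id}",
        defaults: new { id = RouteParameter.Optional }
    );
    // Custom route: MVC-like, with an explicit action segment.
    config.Routes.MapHttpRoute(
        name: "customRoute1",
        routeTemplate: "myapi/{controller}/{action}/{id}",
        defaults: new { id = RouteParameter.Optional }
    );
}

/// <summary>Reads an appSettings entry the CORS policy cannot do without.</summary>
/// <param name="key">The appSettings key to read.</param>
/// <returns>The configured value (may be empty, which is passed through unchanged).</returns>
/// <exception cref="System.InvalidOperationException">The key is absent from appSettings.</exception>
private static string RequiredAppSetting(string key)
{
    string value = ConfigurationManager.AppSettings[key];
    if (value == null)
    {
        // A null value would otherwise fail deep inside EnableCorsAttribute with no hint of
        // which setting is missing; name the key instead so the startup error is actionable.
        throw new System.InvalidOperationException(
            "appSettings key '" + key + "' is required for the CORS policy but is missing.");
    }
    return value;
}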
Web.config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<appSettings>
<!-- CORS policy consumed by WebApiConfig.Register. The key names must match the strings the
     AppSetting class looks up, or the values are read as null. -->
<add key="Cors_Origins" value="http://localhost:7956"/> <!--如果两个域名用逗号分隔-->
<add key="Cors_Headers" value="*"/>
<add key="Cors_Methods" value="get,post,put,delete"/>
</appSettings>
</configuration>
类AppSetting.cs
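/// <summary>
/// Names of the web.config appSettings keys that hold the CORS policy.
/// </summary>
public class AppSetting
{
    #region WebApi Cross Domain
    // Each constant's value must spell the web.config key exactly ("Cors_Origins", ...).
    // The previous values ("Cross_Origins", ...) did not match the configured keys, so the
    // ConfigurationManager lookups returned null; nameof keeps the value tied to the key name.
    public static readonly string Cors_Origins = nameof(Cors_Origins);
    public static readonly string Cors_Headers = nameof(Cors_Headers);
    public static readonly string Cors_Methods = nameof(Cors_Methods);
    #endregion
}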
View:index
jQuery.support.cors = true;//更好的提高兼容性
<script type="text/javascript">
$(function () {
    // Legacy switch that enables cross-origin XHR in older jQuery builds.
    jQuery.support.cors = true;
    var queryUrl = "http://localhost:12496//Course/QueryCourse";
    $("#btn1").click(function () {
        var onReply = function (data, status) {
            alert(data);
        };
        $.get(queryUrl, { courseId: 2000 }, onReply);
    });
});
</script>
<div>
<input type="button" id="btn1" value="浏览器跨域问题测试"/>
</div>
"http://localhost:12496//Course/QueryCourse": the WebApi web site
"http://localhost:7956": the external web site (7956 sends requests to 12496)