項目是前端和後端分離的,想在服務器上攔截客戶端傳上來的參數,然後做進一步處理,如:權限驗證、驗證是否登錄,或者其他的處理
1.添加新類:OperationAttribute,用來做權限驗證的
代碼如下:
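/// <summary>
/// Action filter that checks whether the current session user may run the requested action.
/// The client identifies the action with an <c>ActionLogo</c> value, carried in the JSON body
/// of a POST request or in the query string otherwise.
/// </summary>
public class OperationAttribute : ActionFilterAttribute
{
    /// <summary>
    /// Reads the logged-in user from the "UserInfo" session entry and the <c>ActionLogo</c>
    /// from the request, then delegates to <see cref="IsVisit"/>.
    /// </summary>
    /// <param name="actionContext">The Web API action context of the current request.</param>
    /// <remarks>
    /// When no session user exists the request is rejected with 401 before any parameter is read.
    /// (The original code dereferenced the null <c>dynamic</c> here, which surfaced as a 500.)
    /// </remarks>
    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        dynamic model = CommonTools.SessionHelper.GetSession("UserInfo");
        if (model == null)
        {
            // Not logged in: setting Response short-circuits the pipeline.
            actionContext.Response = actionContext.Request.CreateResponse(
                HttpStatusCode.Unauthorized,
                new { code = "1", data = "", message = "您無權限進行此操作" });
            return;
        }

        int userId = model.UserId;
        int isSuper = model.IsSuper;

        // Ordinal comparison: the HTTP method is a protocol token, not user-facing text.
        string httpMethod = actionContext.Request.Method.Method;
        string actionLogo = string.Equals(httpMethod, "POST", StringComparison.OrdinalIgnoreCase)
            ? ReadActionLogoFromBody(actionContext)
            : ReadActionLogoFromQuery(actionContext);

        IsVisit(userId, isSuper, actionLogo, actionContext);
    }

    /// <summary>
    /// Extracts <c>ActionLogo</c> from a JSON POST body; returns "" when the body is empty,
    /// missing, or has no such member.
    /// </summary>
    private static string ReadActionLogoFromBody(HttpActionContext actionContext)
    {
        var requestContent = actionContext.Request.Content;
        if (requestContent == null)
        {
            return "";
        }

        // The content stream belongs to the request and may be handed to other filters and
        // model binders later, so it is rewound before and after reading and NOT disposed here.
        // .Result is kept from the original: by the time action filters run the body has
        // normally been buffered, so this completes synchronously — TODO confirm for this host.
        Stream body = requestContent.ReadAsStreamAsync().Result;
        string content;
        using (var buffer = new MemoryStream())
        {
            if (body.CanSeek)
            {
                body.Seek(0, SeekOrigin.Begin);
            }
            // CopyTo loops until end-of-stream; a single Read() may return fewer bytes.
            body.CopyTo(buffer);
            if (body.CanSeek)
            {
                body.Seek(0, SeekOrigin.Begin);
            }
            // JSON bodies are UTF-8; Encoding.Default is the server's ANSI code page and
            // would garble non-ASCII text.
            content = System.Text.Encoding.UTF8.GetString(buffer.ToArray());
        }

        if (string.IsNullOrWhiteSpace(content))
        {
            return "";
        }

        dynamic obj = CommonTools.JsonHelper.DeserializeJsonToObject<dynamic>(content);
        if (obj == null)
        {
            return "";
        }
        // NOTE(review): a non-object body (e.g. a JSON array) still fails on the member access,
        // as in the original — confirm whether clients can send one.
        return obj.ActionLogo == null ? "" : obj.ActionLogo;
    }

    /// <summary>
    /// Extracts <c>ActionLogo</c> from the query string; returns "" when absent.
    /// </summary>
    private static string ReadActionLogoFromQuery(HttpActionContext actionContext)
    {
        var qs = HttpUtility.ParseQueryString(actionContext.Request.RequestUri.Query);
        // The indexer returns null for a missing key.
        return qs["ActionLogo"] ?? "";
    }

    /// <summary>
    /// Decides whether the request may proceed. Super users (<paramref name="IsSuper"/> == 1)
    /// always pass; other users are rejected when no <paramref name="ActionLogo"/> was supplied.
    /// </summary>
    /// <param name="UserId">Id of the session user.</param>
    /// <param name="IsSuper">1 for a super administrator, anything else otherwise.</param>
    /// <param name="ActionLogo">Action identifier sent by the client; may be empty.</param>
    /// <param name="actionContext">The Web API action context; its Response is set on denial.</param>
    /// <remarks>
    /// NOTE(review): when an ActionLogo is present the per-action permission lookup is still a
    /// stub, so the request is let through (fail-open) until that check is implemented.
    /// </remarks>
    public void IsVisit(int UserId, int IsSuper, string ActionLogo, HttpActionContext actionContext)
    {
        if (IsSuper == 1)
        {
            // Super administrators need no further verification.
            base.OnActionExecuting(actionContext);
            return;
        }

        if (string.IsNullOrEmpty(ActionLogo))
        {
            // Setting Response short-circuits the pipeline. The status code is kept from the
            // original for client compatibility; 403 Forbidden would describe this denial better.
            actionContext.Response = actionContext.Request.CreateResponse(
                HttpStatusCode.InternalServerError,
                new { code = "1", data = "", message = "您無權限進行此操作" });
            return;
        }

        // TODO: look up whether UserId may perform ActionLogo; until then this falls through
        // and the action executes.
    }
}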
2.添加一個公共類,用來處理post參數
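/// <summary>
/// Stream and byte-array helpers used to read a POST body without consuming it for later readers.
/// </summary>
public static class Common
{
    /// <summary>
    /// Copies the remainder of <paramref name="stream"/> (from its current position) into a
    /// byte array and, when the stream is seekable, rewinds it to the beginning.
    /// </summary>
    /// <param name="stream">Source stream.</param>
    /// <returns>The bytes read.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="stream"/> is null.</exception>
    public static byte[] ToByteArray(this Stream stream)
    {
        if (stream == null)
        {
            throw new ArgumentNullException("stream");
        }

        using (var buffer = new MemoryStream())
        {
            // CopyTo loops until end-of-stream; the original single Read() call could
            // return fewer bytes than requested and leave the tail of the array zeroed.
            stream.CopyTo(buffer);

            // Rewind so the next reader (another filter, a model binder) sees the whole body.
            // Non-seekable streams are left as they are instead of throwing.
            if (stream.CanSeek)
            {
                stream.Seek(0, SeekOrigin.Begin);
            }

            return buffer.ToArray();
        }
    }

    /// <summary>
    /// Decodes <paramref name="arr"/> as UTF-8 text.
    /// </summary>
    /// <param name="arr">Encoded bytes.</param>
    /// <returns>The decoded string.</returns>
    /// <remarks>
    /// UTF-8 replaces <c>Encoding.Default</c>, which is the server's ANSI code page on
    /// .NET Framework and garbles non-ASCII JSON sent by browsers.
    /// </remarks>
    public static string ToStr(this byte[] arr)
    {
        return ToStr(arr, Encoding.UTF8);
    }

    /// <summary>
    /// Decodes <paramref name="arr"/> with the given <paramref name="encoding"/>.
    /// </summary>
    /// <param name="arr">Encoded bytes.</param>
    /// <param name="encoding">Encoding to decode with.</param>
    /// <returns>The decoded string.</returns>
    /// <exception cref="ArgumentNullException">Either argument is null.</exception>
    public static string ToStr(this byte[] arr, Encoding encoding)
    {
        if (arr == null)
        {
            throw new ArgumentNullException("arr");
        }
        if (encoding == null)
        {
            throw new ArgumentNullException("encoding");
        }

        return encoding.GetString(arr);
    }
}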
之所以要這樣寫,是為了防止過濾器重疊的時候,post提交獲取不到參數。
寫好過濾類之后,直接在方法,或者控制器上使用,
[Operation]加在方法上,就可以驗證該方法的權限;加在控制器上,就可以驗證控制器下所有的方法。若控制器中有不需要驗證的方法,可以在OnActionExecuting開頭加上:
// Skip the permission check when the action itself carries [AllowAnonymous].
if (actionContext.ActionDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().Any())
{
return;
},
然後在不需要驗證的方法上加上[AllowAnonymous],
如登錄方法:
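/// <summary>
/// Logs a user in and returns a JSON payload describing the outcome.
/// Marked <c>[AllowAnonymous]</c> so the <c>Operation</c> filter skips it.
/// </summary>
/// <param name="UserName">Login name supplied by the client.</param>
/// <param name="UserPwd">Password supplied by the client.</param>
/// <returns>
/// A 200 response with a JSON body: <c>State</c> 0 and an <c>err</c> code on failure;
/// on success <c>State</c> 1 plus <c>LoginInfo</c> (user info and menu info).
/// </returns>
/// <remarks>
/// NOTE(review): credentials travel in the query string of a GET, so they can end up in
/// server/proxy logs and browser history; a POST body would be preferable.
/// NOTE(review): "密碼錯誤" and "用戶名不存在" are distinct responses, which reveals whether a
/// username exists; a single generic failure message is the usual recommendation.
/// </remarks>
[AllowAnonymous]
[HttpGet]
public HttpResponseMessage Login(string UserName, string UserPwd)
{
    // Result layout as consumed here: [0] status code string, [1] User, [2] menu JSON string.
    // The shape of db.Login's result is not visible in this file — confirm against its definition.
    List<object> operationResult = db.Login(UserName, UserPwd);
    string jsonresult;

    switch (operationResult[0].ToString())
    {
        case "0":
            jsonresult = "{\"State\":0,\"err\":\"10001\",\"info\":\"登錄出錯\"}";
            break;
        case "-1":
            jsonresult = "{\"State\":0,\"err\":\"10002\",\"info\":\"密碼錯誤\"}";
            break;
        case "-2":
            jsonresult = "{\"State\":0,\"err\":\"10003\",\"info\":\"用戶名不存在\"}";
            break;
        default:
            User model = (User)operationResult[1];
            CommonTools.SessionHelper.SetSession("UserInfo", model);

            // UserName is user-controlled: escape it so a quote or backslash cannot break
            // out of the JSON string literal being built below.
            string safeUserName = System.Web.HttpUtility.JavaScriptStringEncode(model.UserName);
            // Menu info is embedded as-is; it is assumed to already be well-formed JSON.
            string menuJson = operationResult[2].ToString();

            jsonresult = "{\"State\":1,\"err\":\"10000\",\"info\":\"登錄成功\",\"LoginInfo\":{\"UserInfo\":{\"UserName\":\""
                + safeUserName + "\",\"UserId\":" + model.UserId + "}"
                + ",\"MenuInfo\":" + menuJson
                + "}}";
            break;
    }

    // Status defaults to 200 OK; the outcome is signalled in the body's State/err fields.
    return new HttpResponseMessage
    {
        Content = new StringContent(jsonresult, Encoding.UTF8, "application/json")
    };
}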
這樣登錄的方法就繞過了驗證