WebAPI 用户认证防篡改实现(二)签名验证 AbsBaseAuthenticationAttribute

WebAPI的用户身份认证与MVC一样都是通过Attribute进行验证,此处定义了一个抽象基类,子类需要实现根据合作号获取合作用户信息的抽象方法

AbsBaseAuthenticationAttribute

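using System;
using System.Web;
using System.Collections.Specialized;
using System.Net;
using System.Net.Http;
using System.Text.RegularExpressions;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

/// <summary>
/// Abstract base attribute for Web API anti-tampering signature verification.
/// Both the partner id and the signature are expected on the query string; the filter
/// recomputes the signature from the request data and short-circuits the action with
/// 401 Unauthorized when it does not match.
/// NOTE(review): nothing in this filter binds the signature to a timestamp or nonce; unless
/// SecuritySignHelper (not shown here) folds one in, a captured signed request can be replayed
/// unchanged until the partner key is rotated.
/// </summary>
public abstract class AbsBaseAuthenticationAttribute : ActionFilterAttribute
{
    // The signature is documented as a 32-character MD5 hex digest, so only the
    // hexadecimal alphabet is accepted (the original pattern allowed any letter).
    private static readonly Regex SignPattern = new Regex("^[0-9A-Fa-f]{32}$", RegexOptions.Compiled);

    /// <summary>
    /// Occurs before the action method is invoked: verifies the request signature and,
    /// on failure, sets a 401 response so the action never executes.
    /// </summary>
    /// <param name="actionContext">The action context.</param>
    /// <exception cref="NotImplementedException">
    /// Thrown for HTTP methods other than GET/POST/PUT/DELETE (behaviour kept from the original;
    /// it surfaces as a 500, a 405 would be the HTTP-accurate answer).
    /// </exception>
    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        // The MS_HttpContext property only exists when hosted on System.Web/IIS; a missing or
        // unexpected entry is treated as "cannot verify" (401) instead of an unhandled exception.
        object contextObject;
        bool verified = actionContext.Request.Properties.TryGetValue("MS_HttpContext", out contextObject)
            && contextObject is HttpContextWrapper
            && this.IsSignatureValid(((HttpContextWrapper)contextObject).Request);

        if (verified)
        {
            // Signature matches: continue with the normal filter pipeline.
            base.OnActionExecuting(actionContext);
            return;
        }

        // 401 for now; adjust the status/body to the API's error convention if needed.
        actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
    }

    /// <summary>
    /// Recomputes the signature for the request and compares it with the one supplied
    /// on the query string.
    /// </summary>
    /// <param name="request">The classic ASP.NET request carrying query string and form data.</param>
    /// <returns>
    /// <c>true</c> only when partner, sign and partner key are all present and the recomputed
    /// digest equals the supplied one.
    /// </returns>
    private bool IsSignatureValid(HttpRequestBase request)
    {
        // This scheme requires both Partner and Sign to travel in the query string.
        NameValueCollection getCollection = request.QueryString;
        if (getCollection == null || getCollection.Count == 0)
        {
            return false;
        }

        string partner = getCollection[SecuritySignHelper.Partner];
        string sign = getCollection[SecuritySignHelper.Sign];
        if (string.IsNullOrWhiteSpace(partner)          // partner is mandatory
            || string.IsNullOrWhiteSpace(sign)          // sign is mandatory
            || !SignPattern.IsMatch(sign))              // sign must be a 32-char MD5 hex digest
        {
            return false;
        }

        // Only the partner key is checked here; there is no per-partner access control.
        // Plug in RBAC (or similar) at this point if authorization is also required.
        string partnerKey = this.GetPartnerKey(partner);
        if (string.IsNullOrWhiteSpace(partnerKey))
        {
            return false;
        }

        NameValueCollection postCollection = null;
        switch (request.RequestType.ToUpperInvariant())
        {
            case "GET":
                // No body to sign; the case exists only to list all four RESTful verbs.
                // Which verb a request should use follows the RESTful conventions.
                break;
            case "POST":
            case "PUT":
            case "DELETE":
                // Body data must be sent as application/x-www-form-urlencoded so it is
                // available through Form and can be folded into the signature.
                postCollection = request.Form;
                break;
            default:
                throw new NotImplementedException();
        }

        // Expected MD5 signature computed from the request data (helper defined elsewhere).
        string expectedSign = getCollection.GetSecuritySign(partner, partnerKey, postCollection);
        return FixedTimeEqualsIgnoreCase(sign, expectedSign);
    }

    /// <summary>
    /// Case-insensitive comparison whose running time does not depend on the position of
    /// the first differing character, so response timing does not reveal how many leading
    /// characters of a guessed signature were right. Null is never equal to anything.
    /// </summary>
    /// <param name="a">First digest.</param>
    /// <param name="b">Second digest.</param>
    /// <returns><c>true</c> when both strings are non-null and equal ignoring case.</returns>
    private static bool FixedTimeEqualsIgnoreCase(string a, string b)
    {
        // Length is not secret (the regex already fixes it at 32), so an early exit here is fine.
        if (a == null || b == null || a.Length != b.Length)
        {
            return false;
        }

        string left = a.ToUpperInvariant();
        string right = b.ToUpperInvariant();
        int diff = 0;
        for (int i = 0; i < left.Length; i++)
        {
            // OR-accumulate every mismatch instead of returning on the first one.
            diff |= left[i] ^ right[i];
        }
        return diff == 0;
    }

    /// <summary>
    /// Gets the partner key for the given partner id; returns an empty string or null
    /// when no key can be resolved, which makes the request fail verification.
    /// </summary>
    /// <param name="partner">The partner id taken from the query string.</param>
    /// <returns>The partner's secret key, or null/empty when unknown.</returns>
    protected abstract string GetPartnerKey(string partner);
}
子类例子
public class AuthenticationAttribute : AbsBaseAuthenticationAttribute
{
    /// <summary>
    /// Resolves the partner key for the given partner id.
    /// </summary>
    /// <param name="partner">The partner id taken from the query string.</param>
    /// <returns>The partner's secret key.</returns>
    protected override string GetPartnerKey(string partner)
    {
        // TODO: read the key from a cache or another store; the literal below is only a
        // placeholder for the example and is not looked up per partner.
        return "bbb";
    }
}
实际可以在需要身份验证的ApiController上增加[Authentication],也可以写一个基类,然后需要身份验证的ApiController继承自该基类
[Authentication]
public class ApiControllerBase : ApiController
{
}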




