ValidateAntiForgeryToken Salt 值的运行时加载

发布于 2024-09-05 02:15:46 字数 592 浏览 7 评论 0原文

考虑一个在 [ValidateAntiForgeryToken] 指令中使用 Salt 参数的 ASP.NET MVC 应用程序。

该应用程序将被许多客户使用。在编译时就知道 Salt 并不是非常可取的。

当前的策略是在 web.config 中找到 Salt 值。

[ValidateAntiForgeryToken(Salt = Config.AppSalt)]
//Config.AppSalt is a static property that reads the web.config.

这会导致编译时异常，表明 Salt 在编译时必须是 const。

属性参数必须是属性参数类型的常量表达式、typeof 表达式或数组创建表达式

如何修改应用程序以允许运行时加载 Salt 以便应用程序不具有为每个客户重新加盐并重新编译？

考虑到 Salt 不会经常更改（如果有的话），从而消除了表单无效的可能性

原文

Consider an ASP.NET MVC application using the Salt parameter in the [ValidateAntiForgeryToken] directive.

The scenario is such that the app will be used by many customers. It's not terribly desirable to have the Salt known at compile time.

The current strategy is to locate the Salt value in the web.config.

[ValidateAntiForgeryToken(Salt = Config.AppSalt)]
//Config.AppSalt is a static property that reads the web.config.

This leads to a compile-time exception suggesting that the Salt must be a const at compile time.

An attribute argument must be a constant expression, typeof expression or array creation expression of an attribute parameter type

How can I modify the application to allow for a runtime loading of the Salt so that the app doesn't have to be re-salted and recompiled for each customer?

Consider that the Salt won't change frequently, if at all, thereby removing the possibility of invalidating form

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

无人接听 2024-09-12 02:16:25

我需要为不同的客户提供不同的盐。在本例中，我使用 Dixin 的解决方案在运行时注入盐。

ASP.NET MVC 和 AJAX 的防伪造请求配方，位于标题为“在运行时指定非常量盐”的部分。

用新属性装饰您的控制器：

[ValidateAntiForgeryTokenWrapper(HttpVerbs.Post)]
public class ProductController : Controller
{     
    // Only HTTP POST requests are validated.
}

这个新属性定义为：

public class ValidateAntiForgeryTokenWrapperAttribute : FilterAttribute, IAuthorizationFilter
{
    public ValidateAntiForgeryTokenWrapperAttribute(HttpVerbs verbs)
    {
        this._verbs = new AcceptVerbsAttribute(verbs);
        this._validator = new ValidateAntiForgeryTokenAttribute()
            {
                //load from web.config or anywhere else
                Salt = Configurations.AntiForgeryTokenSalt
            };
    }

    // Other members.
}

I had the requirement to have different salts for different customers. In this case, I used Dixin's solution for injecting the salt at runtime.

Anti Forgery Request Recipes For ASP.NET MVC and AJAX at the section titled "Specify non-constant salt in runtime".

Decorate your Controllers with a new attribute:

[ValidateAntiForgeryTokenWrapper(HttpVerbs.Post)]
public class ProductController : Controller
{     
    // Only HTTP POST requests are validated.
}

This new attribute is defined as:

public class ValidateAntiForgeryTokenWrapperAttribute : FilterAttribute, IAuthorizationFilter
{
    public ValidateAntiForgeryTokenWrapperAttribute(HttpVerbs verbs)
    {
        this._verbs = new AcceptVerbsAttribute(verbs);
        this._validator = new ValidateAntiForgeryTokenAttribute()
            {
                //load from web.config or anywhere else
                Salt = Configurations.AntiForgeryTokenSalt
            };
    }

    // Other members.
}

回复收藏 0 原文