在 PreRequestHandlerExecute 中,确定 .asmx 文件中的类名称
最终,我试图在处理请求之前获取对将处理请求的 webmethod 的引用,以便检查其自定义属性。
目前,我通过将请求路径附加到项目命名空间、删除 .asmx 扩展名并将斜线替换为点来使其工作。然而,这假设类命名空间层次结构与请求路径层次结构相匹配,并且没有理由这样做。
缺少打开文件并解析它 - 有没有一种方法可以给定 asmx 文件的请求路径,我可以检索对其中类类型或类类型名称的引用?
对.NET来说还很陌生,所以我所做的可能很愚蠢。但无论哪种方式,我都会对答案感兴趣:)
编辑:这不是我的项目,它被锁定使用 ASP.NET 3.5 和 asmx webservices
编辑:目的是能够防止某些 web 服务被执行未经身份验证的用户,无需向每个 Web 方法添加身份验证代码。我的想法是在 webmethods 上使用自定义属性,将它们标记为公共,并且只有自定义 HTTP 模块或处理程序才允许未经身份验证的用户执行这些属性。用户的类型存储在会话中。
Ultimately, i'm trying to obtain a reference to the webmethod that will handle a request, BEFORE it handles the request, in order to check its custom attributes.
Currently, I have it working by appending the request path to the project namespace, removing the .asmx extension and replacing slashes with dots. However, this assumes that the class namespace hierarchy matches the request path hierarchy, and there's no reason why it should.
Short of opening the file and parsing it - is there a way that given a request path to an asmx file I can retrieve a reference to either the class type within or the name of the class type within?
Pretty new to .NET so what i'm doing might be silly. But either way, i'd be interested in the answer :)
EDIT: It's not my project, and it's locked in to using ASP.NET 3.5 and asmx webservices
EDIT: The aim is to be able to prevent certain webservices from being executed by unauthenticated users, without adding authentication code to every webmethod. My idea was to use a custom attribute on webmethods marking them as public, and only those will be allowed by a custom HTTP module or handler to be executed by an unauthenticated user. The type of user is stored in the session.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
首先,我建议您切换到 WCF Web 服务,因为 asmx 现在被视为遗留技术(请参阅 MSDN)。 WCF 的管道中有几个扩展点可以满足您的目标。
现在说来,黑客解决方案之一可能是为 asmx 文件放置您自己的处理程序或处理程序工厂,然后使用 WebServiceParser.GetCompiledType 方法获取实际的 asmx 服务类型,检查您的属性。然后,您可以使用 WebServiceHandlerFactory.GetHandler 创建实际的处理程序并执行请求。
也许,您应该解释一下您想要使用自定义属性做什么,以便有人可以为您提供更好的解决方案。
编辑:如果您想保护整个 asmx 或目录,那么可以轻松地使用内置授权 - 例如:
这将允许访问所有经过身份验证的用户并拒绝匿名用户。
如果您想要在 Web 方法级别进行精细控制,那么我建议将整个逻辑放在辅助方法中 - 例如
EnforceSecurity(针对 asmx 的基本 Web 服务调用的静态方法或实例方法)并调用相关网络方法中的辅助方法。它或多或少与您希望执行的操作相同 - 您将在其中插入方法调用,而不是使用自定义属性来装饰方法。First of all, I will suggest that you switch to WCF web services because asmx is now considered as legacy technologies (see MSDN). WCF has several extension points in its pipe-line that should meet your goals.
Now said that, one of the hack solution could be to put your own handler or handler factory for asmx files and then use WebServiceParser.GetCompiledType method to get actual asmx service type, inspect your attributes. You can then use WebServiceHandlerFactory.GetHandler to create actual handler and execute the request.
Perhaps, you should explain what you want to do with custom attributes so that someone can provide you with the better solution.
EDIT: In case you want to secure the entire asmx or directory then it can be easily possibly using built-in authorization - for example:
This will allow access to all authenticated users and deny to anonymous users.
If you want a granular control at web method level then I will suggest to put the entire logic in a helper method - say
EnforceSecurity(static method or instance method on base web service call for asmx) and invoke the helper method in relevant web methods. Its more or less equivalent from what you wish to do - instead of decorating methods with custom attribute, you will insert a method call into it.