DTO中的加密和解密敏感特性
我有一个WebAPI应用程序。它包含基本上是纯文本的数据。我想在将所有ID字段推向API响应时加密所有ID字段。同时,当我推向实体时,我想解密相同的数据。
我现在做了什么。
我正在使用自动应用程序来映射我的DTO和实体。我已经制定了加密和解密数据的方法。
dto model
public class MyDTO
{
public int Id { get; set; }
public string Property1 {get; set; }
public string Property2 { get; set; }
public int AnotherModelId { get; set }
}
我的自动应用程序
//Encrypting Id for DTO
CreateMap<MyEntity, MyDTO>()
.ForMember(o => o.Id, i => i.MapFrom(m => MySecurity.Encrypt(m.Id)))
.ForMember(o => o.AnotherModelId, i => i.MapFrom(m => MySecurity.Encrypt(m.AnotherModelId)));
//Decrypting Id for Entity
CreateMap<MyDTO, MyEntity>()
.ForMember(o => o.Id, i => i.MapFrom(m => MySecurity.Decrypt(m.Id)))
.ForMember(o => o.AnotherModelId, i => i.MapFrom(m => MySecurity.Decrypt(m.AnotherModelId)));
这可以很好地运行,并在我将价值传递回实体时在映射器和解密中加密ID。问题是我需要为我正在使用的每个createMap&gt;语句编写。
我的问题是,对于.NET中的ID字段进行此加密和解密肯定必须有一种更好的方法,
我看到了[Securestring]属性,该属性说“不要使用”每个人。所以我不想使用它。
在模型和实体模型本身中,有没有更好的方法来编写此内容,而不是在Automapper或其他方式中写这件?
I have a WebApi application. It contains data which are basically ID which comes as plain text. I want to Encrypt all the ID fields whenever it is pushed to API responses. At the same time I want to Decrypt the same data when I'm pushing to Entity.
What I have done now.
I am using Automapper to map my DTO and Entity. I have made methods to encrypt and decrypt the data.
DTO Model
public class MyDTO
{
public int Id { get; set; }
public string Property1 {get; set; }
public string Property2 { get; set; }
public int AnotherModelId { get; set }
}
My AutoMapper
//Encrypting Id for DTO
CreateMap<MyEntity, MyDTO>()
.ForMember(o => o.Id, i => i.MapFrom(m => MySecurity.Encrypt(m.Id)))
.ForMember(o => o.AnotherModelId, i => i.MapFrom(m => MySecurity.Encrypt(m.AnotherModelId)));
//Decrypting Id for Entity
CreateMap<MyDTO, MyEntity>()
.ForMember(o => o.Id, i => i.MapFrom(m => MySecurity.Decrypt(m.Id)))
.ForMember(o => o.AnotherModelId, i => i.MapFrom(m => MySecurity.Decrypt(m.AnotherModelId)));
This works perfectly and encrypts the Id's I mention in the mappers and decrypts when I pass the value back to the entity. The problem is I need to write it for every CreateMap<> statement I'm using.
My question is, there definitely must be a better way to do this encryption and decryption for the Id fields in .NET
I saw the [SecureString] attribute, which says "Do not use" by everyone. So I don't want to use that.
Is there a better way to write this in the Model and Entity model itself than in Automapper or another way?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
为所有需要加密的类创建一个基类:
现在继承所有您希望其ID加密的类:
现在您可以像通常一样使用AutoMapper(无需加密和解密),让类本身本身为您处理。
Create a base class for all those classes that would need encryption:
Now inherit all classes you want their Id to be encrypted:
Now you may use automapper as you would normally do (with no need to encrypt and decrypt), and let the class itself handle that for you.
首先...您可能应该从设置TLS和HTTP安全标头开始保护Web应用程序本身。 (我建议您查看SecurityHeaders.com,以便快速概述可能性),
其次...除此之外。如果您确实必须加密这些键,那么我可能会选择一个界面的组合,用于识别ID并为这些DTO( - &gt; this接口)编写自定义JSONCONVERTER,以照顾加密/解密。
Microsoft在.net 6中有一个很好的文档
。 rel =“ nofollow noreferrer”>如何为json序列化编写自定义转换器
第三:如果您不希望ID猜测,则应使用GUID。它们甚至可以通过EF核心用作身份。
First... You should probably start with securing the web application itself, by setting TLS and http security headers. (I'd recommend you to check securityheaders.com for a quick overview on the possibilities)
Second... Aside from that. If you really must encrypt these keys, then I'd probably choose a combination of an interface for identifying the ids and write a custom JsonConverter for these DTOs (-->this interface), that takes care of the encryption/decryption.
Microsoft has a pretty good documentation for this in .Net 6.
How to write custom converters for JSON serialization
Third: If you dont want the ids to be guessable, you should use GUIDs. They can even be used as identities by EF core.