Problem description:

I have written code to fetch details from Active Directory as a GET call based on user id and password. I am passing the user id and password in the URL, like http://localhost:1234/api/User/IsAuthorized/UserID=1234;password=qwerty

But this is an unsafe technique. Can anybody give me a solution to pass these values in the body and use it as a POST call instead of a GET call?

My code goes like this:

    // Namespaces the snippet depends on (PrincipalContext lives in System.DirectoryServices.AccountManagement).
    using System.DirectoryServices.AccountManagement;
    using System.Web.Http;

    // Credentials are part of the route, so they end up in the URL (and in server and proxy logs).
    [Route("IsAuthorized/UserID={userName};password={password}")]
    [AllowAnonymous]
    public IHttpActionResult GetIsAuthorized(string userName, string password)
    {
        string errorMessage = null;
        bool hasError = false;
        bool isValid;
        UserDetails detail = null; // UserDetails, IsAuthenticated and CreateToken are defined elsewhere in the project

        using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, "ABC"))
        {
            // Check the credentials against the "ABC" domain.
            isValid = pc.ValidateCredentials(userName, password);
            string token = null;

            if (isValid)
            {
                detail = IsAuthenticated("abc", userName, password, out errorMessage, out hasError);
            }

            if (hasError)
            {
                detail = new UserDetails(isValid, userName, null, null, null, errorMessage, null);
            }
            else
            {
                if (detail != null)
                {
                    // Valid user with details found: issue a token.
                    token = CreateToken(userName);
                    detail = new UserDetails(isValid, userName, detail.AssociateName, detail.Mobile, detail.Email, null, token);
                }
                else
                {
                    detail = new UserDetails(isValid, userName, null, null, null, "unknown username or bad password", null);
                }
            }

            return Ok(detail);
        }
    }

User answer:

Why are you even doing it like this? You must be calling your web API from a client. Why are you not using the HttpClient to pass your credentials to your API? Something like this:

    using System;
    using System.Net;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using System.Text;
    using System.Threading.Tasks;
    using Newtonsoft.Json;
    using Newtonsoft.Json.Serialization;

    // POST the payload as camelCase JSON and deserialize the JSON reply into TResult.
    public async Task<TResult> PostAsync<TResult, TInput>(string uriString, TInput payload = null) where TInput : class
    {
        var uri = new Uri(uriString);
        using (var client = GetHttpClient())
        {
            var jsonContent = JsonConvert.SerializeObject(payload, Formatting.Indented, new JsonSerializerSettings { ContractResolver = new CamelCasePropertyNamesContractResolver() });
            HttpResponseMessage response = await client.PostAsync(uri, new StringContent(jsonContent, Encoding.UTF8, "application/json"));
            if (response.StatusCode != HttpStatusCode.OK)
            {
                //Log.Error(response.ReasonPhrase);
                return default(TResult);
            }
            var json = await response.Content.ReadAsStringAsync();
            return JsonConvert.DeserializeObject<TResult>(json);
        }
    }

    // Build a client that carries the credentials in an HTTP Basic Authorization header.
    private HttpClient GetHttpClient()
    {
        var client = new HttpClient();
        string username = null; // TODO: obtain the user name
        string password = null; // TODO: obtain the password
        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", Convert.ToBase64String(Encoding.UTF8.GetBytes($"{username}:{password}")));
        client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
        return client;
    }
User answer:

First, you should use https instead of http.

Second, you shouldn't send the password, but a hash based on the password.

Edit: For using POST, here is an example: https://www.exceptionnotfound.net/using-http-methods-correctly-in-asp-net-web-api/

With the attribute [HttpPost], you can use POST.
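A POST version of the question's action that reads the credentials from the JSON body instead of the route, added here as an example and not code from the question or either answer. The CredentialsRequest model name, the api/User route prefix and the PostIsAuthorized action name are assumptions; the "ABC" domain and ValidateCredentials call are the question's own.

```csharp
using System.DirectoryServices.AccountManagement;
using System.Web.Http;

// Request body model (assumed name); Web API binds it from the JSON body.
public class CredentialsRequest
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

[RoutePrefix("api/User")] // assumed prefix matching the question's URL
public class UserController : ApiController
{
    // POST api/User/IsAuthorized with body {"userName":"...","password":"..."}
    // The credentials travel in the request body, so they no longer appear in the URL or in access logs.
    [HttpPost]
    [Route("IsAuthorized")]
    [AllowAnonymous]
    public IHttpActionResult PostIsAuthorized([FromBody] CredentialsRequest request)
    {
        // Reject a missing or incomplete body instead of passing nulls to Active Directory.
        if (request == null || string.IsNullOrEmpty(request.UserName) || string.IsNullOrEmpty(request.Password))
        {
            return BadRequest("userName and password are required in the request body");
        }

        bool isValid;
        using (var pc = new PrincipalContext(ContextType.Domain, "ABC"))
        {
            // Same credential check as the question's GET action.
            isValid = pc.ValidateCredentials(request.UserName, request.Password);
        }

        // Return only the outcome; the password is never echoed back to the caller.
        return Ok(new { isValid, userName = request.UserName });
    }
}
```

The first answer's PostAsync<TResult, TInput> helper can call this endpoint with a CredentialsRequest as the payload, and the endpoint should be served over HTTPS so the body is encrypted in transit.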
