I have a .NET 4.5 API application. It is protected by Owin/OAuth. I call it with Postman and fake a bearer token so I can test this case. How do I stop code execution after the ValidateToken function finds that the JWT token has been manipulated / is invalid?
ClaimsPrincipal principal = handler.ValidateToken(protectedText, _validationParameters, out validToken);
This line throws a SecurityTokenException. I catch the exception like this:
catch (SecurityTokenException ex)
{
    // Reject the request with 401 when the JWT fails validation
    var msg = new HttpResponseMessage(HttpStatusCode.Unauthorized) { ReasonPhrase = "Access Token is manipulated" };
    throw new HttpResponseException(msg);
}
After that, application execution continues and enters the constructor of the ApiController I call from Postman, which is protected by [Authorize], instead of giving me a 401 Unauthorized HttpResponse.
P.S. This is the code of the constructor in the ApiController
public class TicketController : ApiController
{
    private readonly TicketService _svcTicket;

    public TicketController()
    {
        try
        {
            // Builds the service from the context the JWT format stored for this request
            _svcTicket = new TicketService(JwtFormat.AppContext);
        }
        catch (SecurityTokenException)
        {
            var msg = new HttpResponseMessage(HttpStatusCode.Unauthorized) { ReasonPhrase = "Access Token is manipulated" };
            throw new HttpResponseException(msg);
        }
        catch (Exception)
        {
            // Rethrow without resetting the stack trace ("throw ex;" would lose it)
            throw;
        }
    }
}
I found it:
public class TicketController : ApiController
{
    private readonly TicketService _svcTicket;

    public TicketController()
    {
        try
        {
            // tokenIsManipulated stands for the result of the JWT validation (not shown in the post)
            if (tokenIsManipulated)
            {
                throw new HttpResponseException(new HttpResponseMessage(HttpStatusCode.Unauthorized)
                {
                    Content = new StringContent("Access Token is manipulated")
                });
            }
        }
        catch (HttpResponseException)
        {
            // Let Web API turn the exception into the 401 response
            throw;
        }
    }
}
Compared to before, my code has 2 new things:
- a new HttpResponseMessage object when throwing
- an extra catch block for HttpResponseException
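For comparison, here is an added example (my own code, not the poster's) of rejecting a manipulated JWT one layer earlier, in the OWIN bearer middleware, so the request is never treated as authenticated in the first place. It assumes Microsoft.Owin.Security.OAuth and System.IdentityModel.Tokens.Jwt 4.x on .NET 4.5; the class name `ValidatingJwtFormat`, the controller name `SecureTicketController`, the config key `jwt:secret` and the issuer/audience strings are constructed placeholders. Two points it relies on: Katana's bearer handler wraps `AccessTokenFormat.Unprotect` in a try/catch that logs the exception and returns no ticket, so an `HttpResponseException` thrown from inside `Unprotect` is swallowed rather than turned into a 401; and Web API instantiates the controller before its authorization filters run, so constructor work that depends on the token (such as `new TicketService(JwtFormat.AppContext)`) executes even for a request that `[Authorize]` is about to reject. Returning `null` from `Unprotect` on any `SecurityTokenException` leaves the request anonymous, `[Authorize]` answers 401, and the action body never sees an unvalidated identity.

```csharp
using System;
using System.Configuration;
using System.IdentityModel.Tokens;   // JwtSecurityTokenHandler, TokenValidationParameters, SecurityTokenException
using System.Security.Claims;
using System.Web.Http;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Hypothetical token format (not the question's JwtFormat class): validates incoming bearer JWTs.
public class ValidatingJwtFormat : ISecureDataFormat<AuthenticationTicket>
{
    private readonly TokenValidationParameters _validationParameters;
    private readonly JwtSecurityTokenHandler _handler = new JwtSecurityTokenHandler();

    public ValidatingJwtFormat(TokenValidationParameters validationParameters)
    {
        _validationParameters = validationParameters;
    }

    // Issuance is not this format's job; the bearer middleware only ever calls Unprotect.
    public string Protect(AuthenticationTicket data)
    {
        throw new NotSupportedException("This format only validates incoming tokens.");
    }

    public AuthenticationTicket Unprotect(string protectedText)
    {
        if (string.IsNullOrWhiteSpace(protectedText))
            return null;

        try
        {
            SecurityToken validatedToken;
            // Same call as in the question: signature, issuer, audience and lifetime are all checked here.
            ClaimsPrincipal principal = _handler.ValidateToken(protectedText, _validationParameters, out validatedToken);
            var identity = (ClaimsIdentity)principal.Identity;
            // A non-null ticket marks the request as authenticated with this identity.
            return new AuthenticationTicket(identity, new AuthenticationProperties());
        }
        catch (SecurityTokenException)
        {
            // Do not throw: a null ticket tells the bearer middleware the token is invalid,
            // the request stays anonymous, and [Authorize] returns 401 before any action runs.
            return null;
        }
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Constructed placeholder values; the signing secret comes from configuration, never from source.
        byte[] secret = Convert.FromBase64String(ConfigurationManager.AppSettings["jwt:secret"]);

        var validationParameters = new TokenValidationParameters
        {
            ValidIssuer = "https://issuer.example",
            ValidAudience = "api://ticket-api",
            IssuerSigningKey = new InMemorySymmetricSecurityKey(secret),
            ValidateLifetime = true
        };

        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            AccessTokenFormat = new ValidatingJwtFormat(validationParameters)
        });
        // app.UseWebApi(config) would follow here with the usual HttpConfiguration.
    }
}

// Keep token-dependent work out of the constructor: it runs before [Authorize] is evaluated.
[Authorize]
public class SecureTicketController : ApiController
{
    [HttpGet]
    public IHttpActionResult Get()
    {
        // Only reached for a validated token; anonymous requests were already answered with 401.
        string subject = User.Identity.Name;
        return Ok(new { subject });
    }
}
```

With this wiring the constructor-based workaround above becomes unnecessary: the middleware decides authentication, `[Authorize]` decides authorization, and the controller only ever runs for requests whose token passed `ValidateToken`.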