我有一个带有这些属性的端点:
[HttpPost]
[ValidateAntiForgeryToken]
[Route("[controller]/[action]")]
当我应用IgnoreAntiforgeryTokenAttribute
全球应用
.AddMvc(opts =>
{
opts.Filters.Add(typeof(CustomExceptionFilter));
opts.Filters.Add(new IgnoreAntiforgeryTokenAttribute());
// or
opts.Filters.Add(typeof(IgnoreAntiforgeryTokenAttribute));
})
并没有禁用[ValidateAntiForgeryToken]
,但是当我做这样的事情时:
[HttpPost]
[ValidateAntiForgeryToken]
[IgnoreAntiforgeryToken]
[Route("[controller]/[action]")]
然后被禁用,为什么?
对于内置的ValidateAntiForgeryToken
,您无法通过Startup.cs
中的IgnoreAntiforgeryTokenAttribute
禁用它。您可以重新执行默认顺序。
对于解决方法,您可以像
一样实现自己的ValidateAntiforgeryTokenAuthorizationFilter
public class CustomValidateAntiforgeryTokenAuthorizationFilter : ValidateAntiforgeryTokenAuthorizationFilter
{
public CustomValidateAntiforgeryTokenAuthorizationFilter(IAntiforgery antiforgery, ILoggerFactory loggerFactory)
:base(antiforgery, loggerFactory)
{
}
protected override bool ShouldValidate(AuthorizationFilterContext context)
{
var filters = context.Filters;
if (filters.Where(f => f.GetType() == typeof(IgnoreAntiforgeryTokenAttribute)) != null)
{
return false;
}
else
{
return base.ShouldValidate(context);
}
}
}
和ValidateAntiforgeryTokenAuthorizationFilter
注册
services.AddMvc(options => {
options.Filters.Insert(0, new IgnoreAntiforgeryTokenAttribute());
options.Filters.Add(typeof(WebApiExceptionFilter)); // by type
});
services.AddScoped<ValidateAntiforgeryTokenAuthorizationFilter, CustomValidateAntiforgeryTokenAuthorizationFilter > ();
尝试将过滤器插入列表的顶部,因此它需要现有过滤器的优先级,例如AutoValidateAntiforgeryTokenAttribute
:
opts.Filters.Insert(0, new IgnoreAntiforgeryTokenAttribute());