How to handle security/authentication on a DNN-based web API

Updated: 2024-10-28 00:25:45


I am building a REST API for a DotNetNuke 6 website, making use of DNN's MVC-based Services Framework. However, I don't have any background in authentication, so I'm not even sure where to start.

Basically, we want our clients to be able to make GET requests for their portal's data, and we want some clients (but not all) to be able to POST simple updates to their user data.

I've been trying to search for information, but the trouble is I'm not sure what I'm searching for. DNN has different logins and roles, but I'm not sure if or how they factor in. I've heard of things like oAuth but my understanding of it is at the most basic level. I don't know if it's what I need or not and if or how it applies to DNN. Can anyone point me in the right direction?

UPDATE: Based on the answer below about tying it with a module and further research, here is what I have done:

I created a module just for this service, and I added two special permissions for it: "APIGET" and "APIPOST." I assigned these to some test roles/test accounts in DNN. I wrote a custom authorize attribute that, given the module ID, checks if the current user has the necessary permission (either through roles or directly). As far as I can tell, tab ID is irrelevant in my case.

It appears to be working both with a web browser (based on the DNN account I'm logged into) and with a PHP script that sends an HTTP request with an account username/password.

The authorize attribute:

using DotNetNuke.Entities.Modules;
using DotNetNuke.Entities.Portals;
using DotNetNuke.Security;
using DotNetNuke.Security.Permissions;
using System.Web;

// Authorizes a service action by checking a custom module permission
// ("APIGET" or "APIPOST") on the instance of MyAuthModule in the current portal.
public class MyAuthorize : DotNetNuke.Web.Services.AuthorizeAttributeBase
{
    public const string AuthModuleFriendlyName = "MyAuthModule";
    public const string GETPermission = "APIGET";
    public const string POSTPermission = "APIPOST";

    // Permission key the calling user must hold (via a role or directly).
    public string Permission { get; set; }

    protected override bool AuthorizeCore(HttpContextBase context)
    {
        ModuleController mc = new ModuleController();

        // Look up the permissions module by its definition name in the current portal.
        ModuleInfo mi = mc.GetModuleByDefinition(PortalController.GetCurrentPortalSettings().PortalId, AuthModuleFriendlyName);

        // If the module is not installed in this portal there is nothing to check
        // against; deny rather than throw a NullReferenceException.
        if (mi == null)
        {
            return false;
        }

        ModulePermissionCollection permCollection = mi.ModulePermissions;

        // HasModulePermission evaluates the given key for the current user.
        return ModulePermissionController.HasModulePermission(permCollection, Permission);
    }
}
 

The controller: ("mytest" is the endpoint for both GET and POST)

public class MyController : DnnController
{
    // Anonymous access is allowed at the DNN level so that MyAuthorize alone
    // decides, based on the APIGET module permission, whether the caller may GET.
    [ActionName("mytest")]
    [AcceptVerbs(HttpVerbs.Get)]
    [DnnAuthorize(AllowAnonymous = true)]
    [MyAuthorize(Permission = MyAuthorize.GETPermission)]
    public string myget(string id = "")
    {
        return "You have my permission to GET";
    }

    // Same endpoint name; the POST verb requires the separate APIPOST permission.
    [ActionName("mytest")]
    [AcceptVerbs(HttpVerbs.Post)]
    [DnnAuthorize(AllowAnonymous = true)]
    [MyAuthorize(Permission = MyAuthorize.POSTPermission)]
    public string mypost(string id = "")
    {
        return "You have my permission to POST";
    }
}


Accepted answer


The main way that you tie a service in the DNN Services Framework into DNN permissions is to associate the permissions with a module instance. That is, you'll require users of your service to identify which module they're calling from/about (by sending ModuleId and TabId in the request [headers, query-string, cookies, form]), then you can indicate what permissions they need on that module to take a particular action on the service.

You can use the SupportedModules attribute on your service, and pass in a comma-delimited list of module names, to ensure that only your own modules are being allowed. Then, add the DnnModuleAuthorize attribute at the service or individual action level to say what permission the user needs on that module. In your instance, you can also add the AllowAnonymous attribute on the GET actions, and have one DnnModuleAuthorize on the service, for the POST methods (and anything else). Note that you cannot put the AllowAnonymous attribute on the controller; it will override authorizations put at the action, making it impossible to make actions more restrictive.

You'll also want to add the ValidateAntiForgeryToken attribute on the POST actions, to protect against CSRF attacks.

If you don't have a module that naturally associates its permissions with your service, you can create one just for that purpose, solely to expose itself as a permissions management utility.

Once you've figured out the authorization piece above, DNN will take care of authentication using your forms cookie (i.e. AJAX scenarios are taken care of automatically), or via basic or digest authentication (for non-AJAX scenarios). That said, if you're doing non-AJAX, you'll need to figure out a way to validate the anti-forgery token only when it applies.
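The attribute layout the answer describes, written out as an added example (it is not the asker's or the answerer's code, and not DNN's own): SupportedModules plus a class-level DnnModuleAuthorize on the service, the GET action opened to anonymous callers, and an anti-forgery check on POST that runs only when the request is cookie-authenticated, which is one way to meet the non-AJAX caveat in the last paragraph. The attribute and property shapes (SupportedModules taking the module's friendly name, DnnModuleAuthorize taking a PermissionKey, and the DnnAuthorize(AllowAnonymous = true) form taken from the question's own code) are assumed to match the DNN 6.2 Services Framework build in use and should be checked against the installed assembly; the conditional anti-forgery filter is this example's own design on top of System.Web.Helpers.AntiForgery, not a DNN built-in.

```csharp
// Added example, not code from the question, the answer or DNN itself.
// Assumed: DNN 6.2 MVC-based Services Framework attribute shapes (see lead-in).
using System.Web;
using System.Web.Helpers;       // AntiForgery.Validate()
using System.Web.Mvc;
using System.Web.Security;      // FormsAuthentication.FormsCookieName
using DotNetNuke.Web.Services;

// Validates the MVC anti-forgery token only for requests that authenticate with
// the DNN forms cookie (browser/AJAX calls). A request with no forms cookie
// (e.g. a script using basic or digest authentication) carries no ambient
// credential a cross-site page could ride on, so the token check is skipped.
// This conditional behaviour is the example's own design (assumption).
public class ValidateAntiForgeryTokenIfCookieAuthAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;
        bool usesFormsCookie = request.Cookies[FormsAuthentication.FormsCookieName] != null;

        if (usesFormsCookie)
        {
            // Throws HttpAntiForgeryException when the submitted token does not
            // match the anti-forgery cookie, which fails the request.
            AntiForgery.Validate();
        }

        base.OnActionExecuting(filterContext);
    }
}

// Only the module named here may call this service; the client must send the
// ModuleId (and TabId) so DNN can locate the module instance to check against.
// "MyAuthModule" is the permissions-only module the question describes.
[SupportedModules("MyAuthModule")]
// Class-level rule: every action not explicitly opened up below requires
// EDIT permission on that module instance.
[DnnModuleAuthorize(PermissionKey = "EDIT")]
public class PortalDataController : DnnController
{
    // GET is opened to anonymous callers at the action level. Per the answer,
    // the anonymous marker must not go on the controller, because it would
    // override action-level authorization and nothing could be made stricter.
    [ActionName("portaldata")]
    [AcceptVerbs(HttpVerbs.Get)]
    [DnnAuthorize(AllowAnonymous = true)]
    public string GetPortalData(string id = "")
    {
        return "portal data for " + id;
    }

    // POST keeps the class-level DnnModuleAuthorize(EDIT) requirement and adds
    // the anti-forgery check for cookie-authenticated (browser/AJAX) callers.
    [ActionName("portaldata")]
    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateAntiForgeryTokenIfCookieAuth]
    public string UpdateUserData(string id = "")
    {
        return "updated user data for " + id;
    }
}
```

A browser client would include the anti-forgery token rendered by the page (the MVC AntiForgeryToken helper) in its POST; a script authenticating with basic or digest credentials sends no forms cookie and so is authorized purely by the module permission check.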


Published: 2023-07-04 06:32:00
Source: https://www.elefans.com/category/jswz/34/1019760.html