我有一个 Angular2 应用.它在 ASP.NET 5(核心)中运行. 它将Http调用到正常工作的控制器.
但是现在我需要建立跨站点脚本投影.
如何在每个Http请求上生成一个新令牌,然后在Angular2应用中执行AntiForgeryToken检查?
注意:我在Angular中的数据表单不是从MVC视图生成的,而是完全用Angular2编写的,并且仅调用Web服务.
我所看到的所有示例都已过时,无法使用/无法完全使用.
如何在表单为纯Angular的ASP.NET 5中针对 Angular2 集成AntiForgeryToken检查?
谢谢.
解决方案自定义操作过滤器不是必需的.都可以在Startup.cs中将其连接起来.
using Microsoft.AspNetCore.Antiforgery; (...) public void ConfigureServices(IServiceCollection services) { services.AddAntiforgery(options => options.HeaderName = "X-XSRF-TOKEN"); (...) } public void Configure(IApplicationBuilder app, IAntiforgery antiforgery) { app.Use(next => context => { if (context.Request.Path == "/") { //send the request token as a JavaScript-readable cookie, and Angular will use it by default var tokens = antiforgery.GetAndStoreTokens(context); context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken, new CookieOptions { HttpOnly = false }); } return next(context); }); (...) }然后,您需要在控制器中使用的任何地方都需要[ValidateAntiForgeryToken]装饰器,以强制提供令牌.
作为参考,我在这里找到了此解决方案- AspNet反伪造Github第29期./p>
I have an Angular2 app. It is running within ASP.NET 5 (Core). It makes Http calls to the controller which is working fine.
But now I need to establish Cross Site Scripting projection.
How do I generate a new token on each Http request and then subsequently perform the AntiForgeryToken check in Angular2 apps?
Note: My data forms in Angular are not produced from an MVC view but entirely written in Angular2 and call web services only.
All the examples I have seen are out dated and do not work / do not work fully.
How do I integrate AntiForgeryToken checks in Angular2 against ASP.NET 5 where forms are pure Angular?
Thanks.
解决方案A custom action filter is not necessary. It can all be wired up in Startup.cs.
using Microsoft.AspNetCore.Antiforgery; (...) public void ConfigureServices(IServiceCollection services) { services.AddAntiforgery(options => options.HeaderName = "X-XSRF-TOKEN"); (...) } public void Configure(IApplicationBuilder app, IAntiforgery antiforgery) { app.Use(next => context => { if (context.Request.Path == "/") { //send the request token as a JavaScript-readable cookie, and Angular will use it by default var tokens = antiforgery.GetAndStoreTokens(context); context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken, new CookieOptions { HttpOnly = false }); } return next(context); }); (...) }Then all you need in your controllers is the [ValidateAntiForgeryToken] decorator wherever you want to enforce that a token is provided.
For reference, I found this solution here - AspNet AntiForgery Github Issue 29.
更多推荐
Angular2 ASP.NET Core防伪令牌
发布评论