我有两个.Net Core应用程序,一个Web API和一个Client.使用以下命令从客户端发送帖子:
I have two .Net Core applications, a Web API and Client. Sending Post from the client using :
<form asp-action="Create" method="post"> @Html.AntiForgeryToken() ..... </form>客户端控制器:
public async Task<IActionResult> Create([Bind("QuestionId,TheQuestion")] SecurityQuestion securityQuestion) { _session.SetString(SessionsKeys.Directory, "/SecurityQuestions"); if (ModelState.IsValid) { var data = await _theService.PostWebApi(securityQuestion); if (data.Item3 == "True") { return RedirectToAction(nameof(Index)); } return View(data.Item1); } return View(securityQuestion); }与Web API通信的方法:
Method to communicate with the Web API:
public async Task<(object, string, string)> PostWebApi(TObject model) { var dir = _session.GetString(SessionsKeys.Directory); using (HttpClient client = new HttpClient()) { client.BaseAddress = new Uri(_webApiData.WebApiitems.Url); MediaTypeWithQualityHeaderValue contentType = new MediaTypeWithQualityHeaderValue("application/json"); client.DefaultRequestHeaders.Accept.Add(contentType); string stringData = JsonConvert.SerializeObject(model); var contentData = new StringContent(stringData, System.Text.Encoding.UTF8, "application/json"); HttpResponseMessage response = client.PostAsync(dir + "/", contentData).Result; var msg = await response.Content.ReadAsStringAsync(); var theresponse = response.IsSuccessStatusCode.ToString(); return (model,msg,theresponse); } }Web API控制器:
Web API Controller:
[HttpPost] [ValidateAntiForgeryToken] public async Task<IActionResult> PostSecurityQuestion([FromRoute] SecurityQuestion securityQuestion) { if (!ModelState.IsValid) { return BadRequest(ModelState); } _context.SecurityQuestion.Add(securityQuestion); await _context.SaveChangesAsync(); return CreatedAtAction("GetSecurityQuestion", new { id = securityQuestion.QuestionId }, securityQuestion); }如果我删除了 [ValidateAntiForgeryToken] ,它会起作用.我还尝试删除了 [Form] ,但仍然出现400错误.
If I remove [ValidateAntiForgeryToken], it works. I also tried to remove [Form], still I get 400 error.
我是否缺少启动配置中的其他任何设置?
Am I missing any additional settings in the Startup configurations?
推荐答案防伪令牌用于确保客户提交的表单与您签发的表单相同-即,它不是伪造的.
Anti-forgery tokens are used to ensure the form your client submits is the form you issued it---that is, it is not forged.
在您的情况下,您的客户端应用正在通过 @ Html.AntiForgeryToken()生成自己的防伪令牌.但是,它不会传递给您创建的用于与Web API对话的 HttpClient .但是,即使您设法将该防伪令牌传递到Web API,由于它不是由Web API发行的,也很可能会被拒绝.
In your case, your client app is generating its own anti-forgery token via the @Html.AntiForgeryToken(). But then, it does not get passed to the HttpClient you create to talk to your Web API. But even if you manage to pass that anti-forgery token to your Web API, it will likely be rejected since it was not issued by the Web API.
您应该更改Web API,以允许客户端获取令牌.这是斯科特·艾伦(Scott Allen)的博客,介绍如何做到这一点:
You should change your Web API to allow your client to get a token. Here is a blog by Scott Allen on how you can do that:
- 反伪造令牌和ASP.NET Core API
更多推荐
使用ValidateAntiforgerytoken的.net Core 2.0 Web API 400错误
发布评论