任何人都可以帮助我发现我在做什么错,或者提出一些方法来帮助我确定正在发生的事情?
我正在尝试使用.net core 2.2和angular 1.x实现防伪
我已遵循https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-2.2的建议
我正在向Startup.ConfigureServices添加防伪
public void ConfigureServices(IServiceCollection services)
{
services.AddAntiforgery(options =>
{
options.HeaderName = "X-XSRF-TOKEN";
});
...
并在配置中设置cookie
public void Configure(IApplicationBuilder app, IHostingEnvironment env, IAntiforgery antiforgery)
{
app.Use(next => context =>
{
if (
string.Equals(context.Request.Path.Value, "/", StringComparison.OrdinalIgnoreCase) ||
string.Equals(context.Request.Path.Value, "/index.html", StringComparison.OrdinalIgnoreCase))
{
// We can send the request token as a JavaScript-readable cookie, and Angular will use it by default.
var tokens = antiforgery.GetAndStoreTokens(context);
context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken,
new CookieOptions() { HttpOnly = false });
}
return next(context);
});
并且我正在装饰控制器
namespace myApp.Controllers
{
[Authorize]
[Route("api/[controller]")]
[AutoValidateAntiforgeryToken]
public class MyController : BaseController {
...
对api的调用返回了400(错误请求)
查看请求,我可以看到已设置标题和cookie值:
POST /api/workorder/Comments HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Length: 98
Accept: application/json, text/plain, */*
Origin: https://localhost
X-XSRF-TOKEN: CfDJ8BCa8m6CvM5GparPYbgIX8FXQjjHjRAiGd9e9COKtDhDUbgE7_X9qgikbPsIyHJeRjuw2y-qHEqTn5YESmw0Gj6ZVf9xXF-TUf_ditqyTuBRpeXr_JTH7Uk18oklltlyHkYwcQ2C3SpOIgqFYyT6to4
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36
Content-type: application/json
Referer: https://localhost/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: .AspNetCore.Session=CfDJ8BCa8m6CvM5GparPYbgIX8GcURsnOV6r5RkBhFxasg3GeHxhTASIKLGW%2FKbAEe0diH8oX7Vi1JaiKpjHs3k9PAiCsbVFIjF2bketdVNP7XuAk3d4NiCW7xB2bR4CQrubL9E4aoAVVB4tf%2FENL6xRjSWlTxpzywiZ4SHm9%2FLB%2FFd3; ADRUM=s=1575051518681&r=https%3A%2F%2Flocalhost%2F%3F159349506; XSRF-TOKEN=CfDJ8BCa8m6CvM5GparPYbgIX8FXQjjHjRAiGd9e9COKtDhDUbgE7_X9qgikbPsIyHJeRjuw2y-qHEqTn5YESmw0Gj6ZVf9xXF-TUf_ditqyTuBRpeXr_JTH7Uk18oklltlyHkYwcQ2C3SpOIgqFYyT6to4; .AspNetCore.Cookies=CfDJ8BCa8m6CvM5GparPYbgIX8GRcj_GMNMrBD5Dse6ZyfxXHUlF5Ldok61Gtm49-6bEjvFWX7prULqhzvnVSsq_bOoQedsDBIWB11BP2a13ea50u6-QT0ap9j9kTtwXzw-vuZBpiD_N-WIovswE2IQ4MfpG2xuALfjQfVt9g2M_Nv3fhuBJMJnWcs0Oy4XPdDKumJ-pPmB3pvhv6RjeqdKOk_mz8SmU0Pa7-02cXFj9WIq3SbPi1oZy0msgTVpN9HCzbdA2KJJM9oRgsJ_mIN-EqP96WqVYT7SqoQBp2rGk7V-SOxGVSncQ5-j6s6vcL2oURFfyI3Cqz89DNL_lmddf-iJg4uPBcL6qP_2e12k89NHuv0c3F9XIQ9cT8fAfdjUurSpb4PrxrYVs4eSMAyecgWSmvIinCdXdzJUTM4mGKXd4ySwvHCFnL0xgJpuIWH-V4EmP5qsMexfiFAD80xiu2387PrEqLgmA0XGJEM-TEikbr5JQPy-gmxZLTq2sgUofc67v_vzJurdqojgseNw_ZrWke0bn9dSxFakgD7URFcIBeaeIkzTL0mqc_43j3xWUgfi-mpIQtL4Zo4OF_aIh2YQncRWgS5uBZ6RAwN2PnJJy_UoiFU37Adw_5pjqW4kfNQ8pxr1n7MRiPe6yB45qAE6dyGFpvrJ8pWOF5h3mxEz1q7zd4Mo5tcZeBpUooGwkyM5gMx0aSW4wcAL8dYzgMwY-gYDcMD4HJ3-XciFoP6Q0iycpfecQAGbPMfjxNnS0XdAP2bXbYklPcx7D0PL0onMkreBqlliU8oDjCmub-avPLcOB_LMzVn6aUy8_bwv7Qmx4PMPHG27PSEGLuhFu8AdmxfTZOHHtD2OvbIgGbIpodNTTK6Zg7dM6oKBM8RCUa3QszhszBIFaPgz4aGCeCfCLc1-FKujMbOhM3KjgRqkQ_-0ahr2JGEtLNbjx-0QhiJNvR6dDqCAWRQGxbwe-fc1N1CerDa1I_OW2aE8uwgAniPlSu0gCixutaonF5td8MeKe4O4538iHEg4VbcGwr2i6FSP4uTYPfZ3pQ1TBLB1aBRtT2mzFuaNZoPWhpxdnQFDvB1R4riy--364vWD7SygiQx9aLdVQ-ds2JY-wi0Dx0VyOP0csZ1NvBnrqOj7IPQWLrclHf1S3qokFwSV6ynqEf0iWvuUgES1PfsvN2xP4ESKT5CJPvS-9iMem9mmBGaT7P6vFDaknDpFy640wKNLRREgVCK7ByVNEF7qGmaPTPu21H08WIDwtt4Rmut8zEQ1-DaAOe2BWUKzL8Y9OR_cgcMIfL6ZjergoeYowNucNx5hw1v-h67XpQpDETNiD-me8NKxhnuEgRLFo4_sZOjwPQM5qi4ROw0x2I_GxKV9M-MAd5Z_YlbVUxO3PLxYSg2GqGNl8UR4fFQZrTeKZUu-dM8gy05CK-ULfFkdQAc_afwRPGptqc-Q0PpfQE4Be4Q; .AspNetCore.Antiforgery.EsC6NJJg3sg=CfDJ8BCa8m6CvM5GparPYbgIX8GfDalyGMrWa5wwuF0ZcWmHkAfzmHxl2IK7BOBoQWvXmTcq_I7t0a0vCdVfd97--Sj1Dv8v53dg--LHPU9UKz3YBG0MgV_dfvtShz7_7TYbeAdDLtQqAStRwFdCOdSyick
我将非常感谢您的帮助-我花了整整一天的时间,这真让我发疯!
X-XSRF-TOKEN和cookie名称XSRF-REQUEST-TOKEN。然后编写一个用于发布请求以读取该cookie并发送的拦截器,以及一个名称为X-XSRF-TOKEN的请求的附加标头。您可以在这里找到示例:
https://www.blinkingcaret.com/2018/11/29/asp-net-core-web-api-antiforgery/