Commitf02f55c

Antiforgery goes at the end of filters
1 parent998a47d commitf02f55c

16 files changed

+379
-4
lines changed

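--- a/Mvc.sln
+++ b/Mvc.sln
@@ -123,6 +123,8 @@ Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "MvcSandbox", "samples\MvcSa
 EndProject
 Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") ="SimpleWebSite","test\WebSites\SimpleWebSite\SimpleWebSite.xproj","{396B40D7-AC70-49A7-B33C-ED42129FEBE3}"
 EndProject
+Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") ="SecurityWebSite","test\WebSites\SecurityWebSite\SecurityWebSite.xproj","{D28CAC79-7004-4B69-993B-EDEB4653BFA8}"
+EndProject
 Global
 GlobalSection(SolutionConfigurationPlatforms) =preSolution
 Debug|Any CPU=Debug|Any CPU
@@ -727,6 +729,18 @@ Global
 {396B40D7-AC70-49A7-B33C-ED42129FEBE3}.Release|Mixed Platforms.Build.0=Release|Any CPU
 {396B40D7-AC70-49A7-B33C-ED42129FEBE3}.Release|x86.ActiveCfg=Release|Any CPU
 {396B40D7-AC70-49A7-B33C-ED42129FEBE3}.Release|x86.Build.0=Release|Any CPU
+{D28CAC79-7004-4B69-993B-EDEB4653BFA8}.Debug|Any CPU.ActiveCfg=Debug|Any CPU
+{D28CAC79-7004-4B69-993B-EDEB4653BFA8}.Debug|Any CPU.Build.0=Debug|Any CPU
+{D28CAC79-7004-4B69-993B-EDEB4653BFA8}.Debug|Mixed Platforms.ActiveCfg=Debug|Any CPU
+{D28CAC79-7004-4B69-993B-EDEB4653BFA8}.Debug|Mixed Platforms.Build.0=Debug|Any CPU
+{D28CAC79-7004-4B69-993B-EDEB4653BFA8}.Debug|x86.ActiveCfg=Debug|Any CPU
+{D28CAC79-7004-4B69-993B-EDEB4653BFA8}.Debug|x86.Build.0=Debug|Any CPU
+{D28CAC79-7004-4B69-993B-EDEB4653BFA8}.Release|Any CPU.ActiveCfg=Release|Any CPU
+{D28CAC79-7004-4B69-993B-EDEB4653BFA8}.Release|Any CPU.Build.0=Release|Any CPU
+{D28CAC79-7004-4B69-993B-EDEB4653BFA8}.Release|Mixed Platforms.ActiveCfg=Release|Any CPU
+{D28CAC79-7004-4B69-993B-EDEB4653BFA8}.Release|Mixed Platforms.Build.0=Release|Any CPU
+{D28CAC79-7004-4B69-993B-EDEB4653BFA8}.Release|x86.ActiveCfg=Release|Any CPU
+{D28CAC79-7004-4B69-993B-EDEB4653BFA8}.Release|x86.Build.0=Release|Any CPU
 EndGlobalSection
 GlobalSection(SolutionProperties) =preSolution
 HideSolutionNode =FALSE
@@ -787,5 +801,6 @@ Global
 {9879B5D5-2325-4A81-B4DF-F279FE8FEEB4} ={3BA657BF-28B1-42DA-B5B0-1C4601FCF7B1}
 {14ED4476-9F24-4776-8417-EA6927F6C9C9} ={DAAE4C74-D06F-4874-A166-33305D2643CE}
 {396B40D7-AC70-49A7-B33C-ED42129FEBE3} ={16703B76-C9F7-4C75-AE6C-53D92E308E3C}
+{D28CAC79-7004-4B69-993B-EDEB4653BFA8} ={16703B76-C9F7-4C75-AE6C-53D92E308E3C}
 EndGlobalSection
 EndGlobal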

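--- a/src/Microsoft.AspNetCore.Mvc.ViewFeatures/AutoValidateAntiforgeryTokenAttribute.cs
+++ b/src/Microsoft.AspNetCore.Mvc.ViewFeatures/AutoValidateAntiforgeryTokenAttribute.cs
@@ -21,8 +21,23 @@ namespace Microsoft.AspNetCore.Mvc
 [AttributeUsage(AttributeTargets.Class|AttributeTargets.Method,AllowMultiple=false,Inherited=true)]
 publicclassAutoValidateAntiforgeryTokenAttribute:Attribute,IFilterFactory,IOrderedFilter
 {
-/// <inheritdoc />
-publicintOrder{get;set;}
+/// <summary>
+/// Gets the order value for determining the order of execution of filters. Filters execute in
+/// ascending numeric value of the <see cref="Order"/> property.
+/// </summary>
+/// <remarks>
+/// <para>
+/// Filters are executed in an ordering determined by an ascending sort of the <see cref="Order"/> property.
+/// </para>
+/// <para>
+/// The default Order for this attribute is 1000 because it must run after any filter which does authentication
+/// or login in order to allow them to behave as expected (ie Unauthenticated or Redirect instead of 400).
+/// </para>
+/// <para>
+/// Look at <see cref="IOrderedFilter.Order"/> for more detailed info.
+/// </para>
+/// </remarks>
+publicintOrder{get;set;}=1000;
 
 /// <inheritdoc />
 publicboolIsReusable=>true;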
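Review bot: The remark on the new `Order` property should state the compatibility consequence of moving the default from 0 (the removed line had no initializer) to 1000: any custom filter that sets an explicit `Order` below 1000 now runs before antiforgery validation, so a filter that assumed the token had already been checked silently loses that guarantee. The `<summary>` also says "Gets" for a property that has a public setter, and "ie" should read "i.e.". The literal 1000 is duplicated verbatim in ValidateAntiForgeryTokenAttribute.cs in this same commit; one shared constant, so that this line becomes `public int Order { get; set; } = DefaultOrder;` with a single definition, would keep the two attributes from drifting apart. The class body continues outside the hunk.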

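--- a/src/Microsoft.AspNetCore.Mvc.ViewFeatures/ValidateAntiForgeryTokenAttribute.cs
+++ b/src/Microsoft.AspNetCore.Mvc.ViewFeatures/ValidateAntiForgeryTokenAttribute.cs
@@ -20,8 +20,23 @@ namespace Microsoft.AspNetCore.Mvc
 [AttributeUsage(AttributeTargets.Class|AttributeTargets.Method,AllowMultiple=false,Inherited=true)]
 publicclassValidateAntiForgeryTokenAttribute:Attribute,IFilterFactory,IOrderedFilter
 {
-/// <inheritdoc />
-publicintOrder{get;set;}
+/// <summary>
+/// Gets the order value for determining the order of execution of filters. Filters execute in
+/// ascending numeric value of the <see cref="Order"/> property.
+/// </summary>
+/// <remarks>
+/// <para>
+/// Filters are executed in an ordering determined by an ascending sort of the <see cref="Order"/> property.
+/// </para>
+/// <para>
+/// The default Order for this attribute is 1000 because it must run after any filter which does authentication
+/// or login in order to allow them to behave as expected (ie Unauthenticated or Redirect instead of 400).
+/// </para>
+/// <para>
+/// Look at <see cref="IOrderedFilter.Order"/> for more detailed info.
+/// </para>
+/// </remarks>
+publicintOrder{get;set;}=1000;
 
 /// <inheritdoc />
 publicboolIsReusable=>true;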
Lines changed: 45 additions & 0 deletions
@@ -0,0 +1,45 @@
1+
// Copyright (c) .NET Foundation. All rights reserved.
2+
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
3+
4+
usingSystem;
5+
usingSystem.Net;
6+
usingSystem.Net.Http;
7+
usingSystem.Threading.Tasks;
8+
usingSecurityWebSite;
9+
usingXunit;
10+
11+
namespaceMicrosoft.AspNetCore.Mvc.FunctionalTests
12+
{
13+
publicclassAntiforgeryAuthTests:IClassFixture<MvcTestFixture<Startup>>
14+
{
15+
publicAntiforgeryAuthTests(MvcTestFixture<Startup>fixture)
16+
{
17+
Client=fixture.Client;
18+
}
19+
20+
publicHttpClientClient{get;}
21+
22+
[Fact]
23+
publicasyncTaskAutomaticAuthenticationBeforeAntiforgery()
24+
{
25+
// Arrange & Act
26+
varresponse=awaitClient.PostAsync("http://localhost/Home/AutoAntiforgery",null);
27+
28+
// Assert
29+
Assert.Equal(HttpStatusCode.Redirect,response.StatusCode);
30+
Assert.Equal("/Home/Login",response.Headers.Location.AbsolutePath,StringComparer.OrdinalIgnoreCase);
31+
}
32+
33+
[Fact]
34+
publicasyncTaskAuthBeforeAntiforgery()
35+
{
36+
// Arrange & Act
37+
varresponse=awaitClient.GetAsync("http://localhost/Home/Antiforgery");
38+
39+
// Assert
40+
// Redirected to login page, Antiforgery didn't fail yet
41+
Assert.Equal(HttpStatusCode.Redirect,response.StatusCode);
42+
Assert.Equal("/Home/Login",response.Headers.Location.AbsolutePath,StringComparer.OrdinalIgnoreCase);
43+
}
44+
}
45+
}
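Review bot: Both tests exercise only the unauthenticated path (a 302 to /Home/Login), so they would still pass if antiforgery validation were never reached at all; nothing asserts that an authenticated request without a token is rejected with 400, which is the half of the ordering claim that actually protects against CSRF. The site's `Login` action only returns the text "Login!" and never signs anyone in, so the authenticated case cannot be driven from this fixture until SecurityWebSite gets a sign-in endpoint or the test sets an auth cookie itself. `response.Headers.Location.AbsolutePath` dereferences a header that is null on any non-redirect response, so if the status assertion is ever loosened the failure becomes a NullReferenceException; `Assert.NotNull(response.Headers.Location);` before it keeps the message meaningful. The `HttpResponseMessage` values are also never disposed; `using var response = ...` would be tidier.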

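--- a/test/Microsoft.AspNetCore.Mvc.FunctionalTests/project.json
+++ b/test/Microsoft.AspNetCore.Mvc.FunctionalTests/project.json
@@ -36,6 +36,7 @@
 "RazorPageExecutionInstrumentationWebSite":"1.0.0",
 "RazorWebSite":"1.0.0",
 "RoutingWebSite":"1.0.0",
+"SecurityWebSite":"1.0.0",
 "SimpleWebSite":"1.0.0",
 "TagHelpersWebSite":"1.0.0",
 "VersioningWebSite":"1.0.0",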
Lines changed: 41 additions & 0 deletions
@@ -0,0 +1,41 @@
1+
// Copyright (c) .NET Foundation. All rights reserved.
2+
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
3+
4+
usingMicrosoft.AspNetCore.Authorization;
5+
usingMicrosoft.AspNetCore.Mvc;
6+
7+
namespaceSecurityWebSite.Controllers
8+
{
9+
publicclassHomeController:Controller
10+
{
11+
publicIActionResultIndex()
12+
{
13+
returnView();
14+
}
15+
16+
[AutoValidateAntiforgeryToken]
17+
[Authorize]
18+
[HttpPost]
19+
publicIActionResultAutoAntiforgery()
20+
{
21+
returnContent("Automaticaly doesn't matter");
22+
}
23+
24+
[Authorize]
25+
[ValidateAntiForgeryToken]
26+
publicIActionResultAntiforgery()
27+
{
28+
returnContent("Doesn't matter");
29+
}
30+
31+
publicIActionResultLogin()
32+
{
33+
returnContent("Login!");
34+
}
35+
36+
publicIActionResultLogout()
37+
{
38+
returnContent("Logout!");
39+
}
40+
}
41+
}
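Review bot: `Antiforgery()` carries `[ValidateAntiForgeryToken]` with no HTTP-method restriction, so the filter is exercised by the plain GET that the functional test and the Index view's AJAX call send; that is apparently deliberate (the filter implementation is outside this commit, so worth confirming it validates every verb), but a reader of the sample site will not know it, and a one-line comment `// Intentionally not [HttpPost]: the filter validates every verb, so a GET exercises it too.` would make it clear. The response text "Automaticaly doesn't matter" also has a typo ("Automatically").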
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
// Copyright (c) .NET Foundation. All rights reserved.
2+
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
3+
4+
usingSystem.IO;
5+
usingMicrosoft.AspNetCore.Hosting;
6+
7+
namespaceSecurityWebSite
8+
{
9+
publicclassProgram
10+
{
11+
publicstaticvoidMain(string[]args)
12+
{
13+
varhost=newWebHostBuilder()
14+
.UseKestrel()
15+
.UseContentRoot(Directory.GetCurrentDirectory())
16+
.UseStartup<Startup>()
17+
.Build();
18+
19+
host.Run();
20+
}
21+
}
22+
}
Lines changed: 23 additions & 0 deletions
@@ -0,0 +1,23 @@
1+
<?xml version="1.0" encoding="utf-8"?>
2+
<ProjectToolsVersion="14.0"DefaultTargets="Build"xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3+
<PropertyGroup>
4+
<VisualStudioVersionCondition="'$(VisualStudioVersion)' == ''">14.0</VisualStudioVersion>
5+
<VSToolsPathCondition="'$(VSToolsPath)' == ''">$(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion)</VSToolsPath>
6+
</PropertyGroup>
7+
<ImportProject="$(VSToolsPath)\DotNet\Microsoft.DotNet.Props"Condition="'$(VSToolsPath)' != ''" />
8+
<PropertyGroupLabel="Globals">
9+
<ProjectGuid>d28cac79-7004-4b69-993b-edeb4653bfa8</ProjectGuid>
10+
<RootNamespace>AjaxAntiForgeryValidation</RootNamespace>
11+
<BaseIntermediateOutputPathCondition="'$(BaseIntermediateOutputPath)'==''">.\obj</BaseIntermediateOutputPath>
12+
<OutputPathCondition="'$(OutputPath)'==''">.\bin\</OutputPath>
13+
<TargetFrameworkVersion>v4.5.2</TargetFrameworkVersion>
14+
</PropertyGroup>
15+
<PropertyGroup>
16+
<SchemaVersion>2.0</SchemaVersion>
17+
</PropertyGroup>
18+
<ItemGroup>
19+
<DnxInvisibleContentInclude="bower.json" />
20+
<DnxInvisibleContentInclude=".bowerrc" />
21+
</ItemGroup>
22+
<ImportProject="$(VSToolsPath)\DotNet.Web\Microsoft.DotNet.Web.targets"Condition="'$(VSToolsPath)' != ''" />
23+
</Project>
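Review bot: `<RootNamespace>AjaxAntiForgeryValidation</RootNamespace>` does not match the `SecurityWebSite` namespace used by every source file added for this site, which looks like a copy-paste leftover from another sample; it should be `<RootNamespace>SecurityWebSite</RootNamespace>`. The `DnxInvisibleContent` items reference bower.json and .bowerrc, neither of which is visible in this chunk of the commit; if the site does not ship them the ItemGroup can be dropped.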
Lines changed: 63 additions & 0 deletions
@@ -0,0 +1,63 @@
1+
// Copyright (c) .NET Foundation. All rights reserved.
2+
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
3+
4+
usingMicrosoft.AspNetCore.Builder;
5+
usingMicrosoft.AspNetCore.Hosting;
6+
usingMicrosoft.Extensions.Configuration;
7+
usingMicrosoft.Extensions.DependencyInjection;
8+
usingMicrosoft.Extensions.Logging;
9+
10+
namespaceSecurityWebSite
11+
{
12+
publicclassStartup
13+
{
14+
publicStartup(IHostingEnvironmentenv)
15+
{
16+
varbuilder=newConfigurationBuilder()
17+
.SetBasePath(env.ContentRootPath)
18+
.AddJsonFile("appsettings.json",optional:true,reloadOnChange:true)
19+
.AddJsonFile($"appsettings.{env.EnvironmentName}.json",optional:true)
20+
.AddEnvironmentVariables();
21+
Configuration=builder.Build();
22+
}
23+
24+
publicIConfigurationRootConfiguration{get;}
25+
26+
// This method gets called by the runtime. Use this method to add services to the container.
27+
publicvoidConfigureServices(IServiceCollectionservices)
28+
{
29+
// Add framework services.
30+
services.AddMvc();
31+
services.AddAntiforgery();
32+
services.AddAuthentication();
33+
}
34+
35+
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
36+
publicvoidConfigure(IApplicationBuilderapp,IHostingEnvironmentenv,ILoggerFactoryloggerFactory)
37+
{
38+
loggerFactory.AddConsole(Configuration.GetSection("Logging"));
39+
loggerFactory.AddDebug();
40+
41+
if(env.IsDevelopment())
42+
{
43+
app.UseDeveloperExceptionPage();
44+
}
45+
46+
app.UseStaticFiles();
47+
app.UseCookieAuthentication(newCookieAuthenticationOptions
48+
{
49+
LoginPath="/Home/Login",
50+
LogoutPath="/Home/Logout",
51+
AutomaticAuthenticate=true,
52+
AutomaticChallenge=true
53+
});
54+
55+
app.UseMvc(routes=>
56+
{
57+
routes.MapRoute(
58+
name:"default",
59+
template:"{controller=Home}/{action=Index}/{id?}");
60+
});
61+
}
62+
}
63+
}
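Review bot: The cookie options near the end of `Configure` carry the settings the new functional tests depend on but say nothing about why, so a later cleanup could flip them without any test explaining the breakage; a comment above `AutomaticChallenge=true` such as `// AutomaticChallenge turns the [Authorize] failure into the 302 to LoginPath that AntiforgeryAuthTests asserts on.` would pin that down. `services.AddAntiforgery()` directly after `services.AddMvc()` is presumably redundant, since MVC's view features register antiforgery themselves; worth confirming and dropping if so. `LoginPath` points at an action that only returns text and nothing here ever signs a user in, which is fine for the test but deserves a comment so this Startup is not copied as a template.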
Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
@{
2+
ViewData["Title"]="Home Page";
3+
}
4+
<h1>Hello!</h1>
5+
<scriptsrc="https://ajax.aspnetcdn.com/ajax/jQuery/jquery-2.1.4.min.js"></script>
6+
<script>
7+
$(document).ready(function () {
8+
$.ajax({
9+
type:"get",
10+
dataType:"html",
11+
url:'@Url.Action("Antiforgery", "Home")',
12+
data: {},
13+
success:function (result) {
14+
alert("We were redirected to login!");
15+
},
16+
error:function (err,scnd) {
17+
alert(err.statusText);
18+
}
19+
});
20+
});
21+
</script>
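Review bot: The jQuery script tag loads from a third-party CDN without `integrity`/`crossorigin` attributes, so the page executes whatever the CDN serves; even for a test site, `<script src="https://ajax.aspnetcdn.com/ajax/jQuery/jquery-2.1.4.min.js" integrity="<SRI-HASH-FROM-CDN>" crossorigin="anonymous"></script>` (placeholder hash) keeps the sample from being copied without it. The `success` handler's alert assumes the only 200 it can see is the login page reached after the browser transparently follows the 302, which presumably holds here only because `Login` returns plain text; the `error` branch is the one that fires on a 400 from a missing token, and a short comment saying so would make the demo's intent readable.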
