因为安全需要，又没有申请 HTTPS 证书，所以只对密码进行了非对称加密，同时服务端验证了是否有证书。

本文参考了:

MSDN 13年6月的期刊(启用和自定义 ASP.NET Web API 服务的安全性 ):https://msdn.microsoft.com/zh-cn/magazine/dn201748.aspx

与园子里(C#使用RSA证书文件加密和解密示例):http://www.cnblogs.com/eshizhan/archive/2012/10/07/2713680.html

根据实际使用环境做了一定修改:

服务端 HttpModule 验证：

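 /// <summary>
 /// HTTP module that authenticates requests from HTTP Basic credentials whose password
 /// part the client has RSA-encrypted (the site has no TLS certificate, so only the
 /// password is protected on the wire). Credentials are only examined when the request
 /// also presents a valid client certificate; otherwise the request stays anonymous.
 /// </summary>
 public class PHVHttpAuthentication : IHttpModule, IDisposable
 {
     /// <summary>Application-relative path of the PFX holding the RSA private key.</summary>
     private const string PrivateKeyPath = "~/App_Data/token.pfx";

     // TODO(security): the PFX password and the accepted user/password below are literals
     // in source; move them to protected configuration or a credential store.
     private const string PrivateKeyPassword = "rootshell";
     private const string ExpectedUser = "Peter";
     private const string ExpectedPassword = "123";

     // Encoding used for the Basic credential string and for the decrypted password bytes.
     private static readonly Encoding Latin1 = Encoding.GetEncoding("iso-8859-1");

     // The private key is loaded from disk once per AppDomain instead of once per request.
     // PublicationOnly so that a failed load (missing/unreadable PFX) is retried next time
     // rather than being cached as a permanent exception.
     private static readonly Lazy<RSAParameters> PrivateKey =
         new Lazy<RSAParameters>(LoadPrivateKey, LazyThreadSafetyMode.PublicationOnly);

     /// <summary>
     /// Hooks the module into the request pipeline.
     /// </summary>
     /// <param name="context">The application whose pipeline events are subscribed.</param>
     public void Init(HttpApplication context)
     {
         context.AuthenticateRequest += AuthenticateRequests;
         context.EndRequest += TriggerCredentials;
     }

     /// <summary>
     /// Adds the Basic challenge header whenever a request ends with a 401 so that
     /// clients know how to authenticate.
     /// </summary>
     private static void TriggerCredentials(object sender, EventArgs e)
     {
         HttpResponse resp = HttpContext.Current.Response;
         if (resp.StatusCode == 401)
         {
             // AppendHeader works in both classic and integrated pipeline mode;
             // Response.Headers.Add throws in classic mode.
             resp.AppendHeader("WWW-Authenticate", @"Basic realm='PHVIS'");
         }
     }

     /// <summary>
     /// Establishes the request principal when a valid client certificate is present and
     /// the Authorization header carries acceptable credentials. On any failure the
     /// request is simply left unauthenticated.
     /// </summary>
     private static void AuthenticateRequests(object sender, EventArgs e)
     {
         HttpRequest request = HttpContext.Current.Request;
         HttpClientCertificate cert = request.ClientCertificate;

         // No (valid) client certificate: do not even look at the credentials.
         if (cert == null || !cert.IsValid)
         {
             return;
         }

         string userName;
         if (!TryAuthenticate(request.Headers["Authorization"], out userName))
         {
             return;
         }

         GenericIdentity identity = new GenericIdentity(userName);
         Thread.CurrentPrincipal = new GenericPrincipal(identity, null);
         HttpContext.Current.User = Thread.CurrentPrincipal;

         //string[] roles = "manager,admin".Split(',');
         //Thread.CurrentPrincipal = new GenericPrincipal(gi, roles);
     }

     /// <summary>
     /// Parses a Basic Authorization header of the form "user:base64(RSA(password))",
     /// decrypts the password and checks both parts against the configured credentials.
     /// </summary>
     /// <param name="authHeader">Raw Authorization header value, or null when absent.</param>
     /// <param name="userName">The authenticated user name when the method returns true.</param>
     /// <returns>True when the credentials are accepted; false for a missing, malformed,
     /// undecryptable or wrong credential (never throws for client-controlled input).</returns>
     private static bool TryAuthenticate(string authHeader, out string userName)
     {
         userName = null;
         if (string.IsNullOrEmpty(authHeader))
         {
             return false;
         }

         try
         {
             AuthenticationHeaderValue header = AuthenticationHeaderValue.Parse(authHeader);
             if (header.Parameter == null ||
                 !string.Equals(header.Scheme, "Basic", StringComparison.OrdinalIgnoreCase))
             {
                 return false;
             }

             // Basic credentials are "user:password"; only the first ':' is the separator.
             string userpw = Latin1.GetString(Convert.FromBase64String(header.Parameter));
             string[] creds = userpw.Split(new[] { ':' }, 2);
             if (creds.Length != 2)
             {
                 return false;
             }

             byte[] passwordBytes = SecurityHelper.RSADecrypt(
                 Convert.FromBase64String(creds[1]), PrivateKey.Value, false);
             string password = Latin1.GetString(passwordBytes);

             // Compare in constant time so the response time does not depend on how many
             // leading characters of the guess were right.
             if (!FixedTimeEquals(creds[0], ExpectedUser) || !FixedTimeEquals(password, ExpectedPassword))
             {
                 return false;
             }

             userName = creds[0];
             return true;
         }
         catch (FormatException)
         {
             // Unparseable header or invalid base64: treat as "no credentials", not a 500.
             return false;
         }
         catch (CryptographicException)
         {
             // Ciphertext that does not decrypt under our key (wrong key, tampered, garbage).
             return false;
         }
     }

     /// <summary>
     /// Loads the RSA private key parameters from the PFX in App_Data.
     /// </summary>
     /// <returns>The full (private) RSA parameters used by <c>SecurityHelper.RSADecrypt</c>.</returns>
     /// <exception cref="CryptographicException">The PFX is missing, unreadable or has the wrong password.</exception>
     private static RSAParameters LoadPrivateKey()
     {
         string path = HttpContext.Current.Server.MapPath(PrivateKeyPath);
         // Exportable is required for ExportParameters(true) below.
         X509Certificate2 prvcrt = new X509Certificate2(path, PrivateKeyPassword, X509KeyStorageFlags.Exportable);
         RSACryptoServiceProvider prvkey = (RSACryptoServiceProvider)prvcrt.PrivateKey;
         return prvkey.ExportParameters(true);
     }

     /// <summary>
     /// Ordinal string comparison whose running time depends only on the lengths of the
     /// inputs, not on where they first differ.
     /// </summary>
     private static bool FixedTimeEquals(string a, string b)
     {
         int diff = a.Length ^ b.Length;
         int n = Math.Min(a.Length, b.Length);
         for (int i = 0; i < n; i++)
         {
             diff |= a[i] ^ b[i];
         }
         return diff == 0;
     }

     /// <summary>
     /// Nothing to release: the only long-lived state is the cached key, which lives for
     /// the AppDomain.
     /// </summary>
     public void Dispose()
     {
     }
 }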
