Why is JsonRequestBehavior needed?
This article is translated from: Why is JsonRequestBehavior needed?
Why is Json Request Behavior needed?
If I want to restrict the HttpGet requests to my action I can decorate the action with the [HttpPost] attribute.
Example:
    [HttpPost]
    public JsonResult Foo()
    {
        return Json("Secrets");
    }

    // Instead of:
    public JsonResult Foo()
    {
        return Json("Secrets", JsonRequestBehavior.AllowGet);
    }
Why isn't [HttpPost] sufficient?
Why does the framework "bug" us with the JsonRequestBehavior.AllowGet for every JsonResult that we have? If I want to deny get requests I'll add the HttpPost attribute.
Reply #1
Reference: https://stackoom.com/question/ZW33/为什么需要JsonRequestBehavior
Reply #2
To make it easier for yourself you could also create an actionfilterattribute
    using System;
    using System.Web.Mvc;

    public class AllowJsonGetAttribute : ActionFilterAttribute
    {
        public override void OnResultExecuting(ResultExecutingContext filterContext)
        {
            var jsonResult = filterContext.Result as JsonResult;

            // The attribute is only valid on actions that return a JsonResult.
            if (jsonResult == null)
                throw new ArgumentException("Action does not return a JsonResult, attribute AllowJsonGet is not allowed");

            // Lift the default DenyGet for this result.
            jsonResult.JsonRequestBehavior = JsonRequestBehavior.AllowGet;

            base.OnResultExecuting(filterContext);
        }
    }
and use it on your action
    [AllowJsonGet]
    public JsonResult MyAjaxAction()
    {
        return Json("this is my test");
    }
Reply #3
Improving upon the answer of @Arjen de Mooij a bit by making the AllowJsonGetAttribute applicable to mvc-controllers (not just individual action-methods):
    using System.Web.Mvc;

    public sealed class AllowJsonGetAttribute : ActionFilterAttribute, IActionFilter
    {
        void IActionFilter.OnActionExecuted(ActionExecutedContext context)
        {
            var jsonResult = context.Result as JsonResult;
            if (jsonResult == null) return;
            jsonResult.JsonRequestBehavior = JsonRequestBehavior.AllowGet;
        }

        public override void OnResultExecuting(ResultExecutingContext filterContext)
        {
            var jsonResult = filterContext.Result as JsonResult;
            if (jsonResult == null) return;
            jsonResult.JsonRequestBehavior = JsonRequestBehavior.AllowGet;
            base.OnResultExecuting(filterContext);
        }
    }
Reply #4
You do not need it.
If your action has the HttpPost attribute, then you do not need to bother with setting the JsonRequestBehavior and use the overload without it. There is an overload for each method without the JsonRequestBehavior enum. Here they are:
Without JsonRequestBehavior
    protected internal JsonResult Json(object data);
    protected internal JsonResult Json(object data, string contentType);
    protected internal virtual JsonResult Json(object data, string contentType, Encoding contentEncoding);
With JsonRequestBehavior
    protected internal JsonResult Json(object data, JsonRequestBehavior behavior);
    protected internal JsonResult Json(object data, string contentType, JsonRequestBehavior behavior);
    protected internal virtual JsonResult Json(object data, string contentType, Encoding contentEncoding, JsonRequestBehavior behavior);
Reply #5
MVC defaults to DenyGet to protect you against a very specific attack involving JSON requests to improve the likelihood that the implications of allowing HTTP GET exposure are considered in advance of allowing them to occur.
This is opposed to afterwards when it might be too late.
Note: If your action method does not return sensitive data, then it should be safe to allow the get.
Further reading from my Wrox ASP.NET MVC3 book
By default, the ASP.NET MVC framework does not allow you to respond to an HTTP GET request with a JSON payload. If you need to send JSON in response to a GET, you'll need to explicitly allow the behavior by using JsonRequestBehavior.AllowGet as the second parameter to the Json method. However, there is a chance a malicious user can gain access to the JSON payload through a process known as JSON Hijacking. You do not want to return sensitive information using JSON in a GET request. For more details, see Phil's post at http://haacked.com/archive/2009/06/24/json-hijacking.aspx/ or this SO post.
Haack, Phil (2011). Professional ASP.NET MVC 3 (Wrox Programmer to Programmer) (Kindle Locations 6014-6020). Wrox. Kindle Edition.
Related * question
With most recent browsers (starting with Firefox 21, Chrome 27, or IE 10), this is no longer a vulnerability.
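The filters in Replies #2 and #3 switch every JsonResult to AllowGet without looking at the request or the payload. A narrower variant follows as an added example (not code from any poster on this page): it opts in only for GET requests that carry the X-Requested-With: XMLHttpRequest header, which a cross-site script include cannot set, and whose payload is not a top-level array, the response shape that classic JSON hijacking depended on. The class name and both guards are assumptions of this example.

```csharp
using System;
using System.Collections;
using System.Web.Mvc;

// Added example (hypothetical class name): a narrower alternative to a
// blanket AllowJsonGet filter.
public sealed class AllowJsonGetForAjaxAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        var jsonResult = filterContext.Result as JsonResult;
        var request = filterContext.HttpContext.Request;

        bool isGet = string.Equals(request.HttpMethod, "GET",
                                   StringComparison.OrdinalIgnoreCase);

        // Opt in to GET only when both guards hold:
        //  1. the caller sent X-Requested-With: XMLHttpRequest
        //     (clients that do not add it by default must set it themselves);
        //  2. the payload will not be serialized as a top-level JSON array.
        if (jsonResult != null && isGet
            && request.IsAjaxRequest()
            && !SerializesAsTopLevelArray(jsonResult.Data))
        {
            jsonResult.JsonRequestBehavior = JsonRequestBehavior.AllowGet;
        }

        // Otherwise the behavior chosen by the action stays in place; with the
        // default DenyGet, MVC rejects the GET with an InvalidOperationException.
        base.OnResultExecuting(filterContext);
    }

    // Assumption: the default JsonResult serializer (JavaScriptSerializer)
    // writes strings as strings, IDictionary as objects and any other
    // IEnumerable as an array.
    private static bool SerializesAsTopLevelArray(object data)
    {
        return data is IEnumerable
            && !(data is string)
            && !(data is IDictionary);
    }
}
```

An action that must return a list over GET can wrap it in an object, for example `Json(new { items = list })`, so that the second guard passes.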
Reply #6
By default Jsonresult "Deny get"
Suppose we have a method like the one below
    [HttpPost]
    public JsonResult amc(){}
By default it is "Deny Get".
In the below method
    public JsonResult amc(){}
When you need to allowget or use get, we have to use JsonRequestBehavior.AllowGet.
    public JsonResult amc()
    {
        return Json(new Modle.JsonResponseData { Status = flag, Message = msg, Html = html }, JsonRequestBehavior.AllowGet);
    }