I have a web API that utilizes role authorization (e.g. [Authorize(Roles="test")]) for each controller and action.
This API is meant to be a stand-alone app with no actual MVC site for it, so there is no login method.
So let's say I have a separate "Students" app that needs to display a list of all current students in the school. In the API, I have a role-based authorized method that retrieves all current students from the database. How would I be able to call that API call from the "Students" app (which is on the same domain) if it's authorized?
Is there any way I can spoof the "Students" app to run under one of the authorized roles? I don't want to use the roles of the user using the site because only Admins are allowed to execute these API calls.
1 solution
#1
0
Look at this tutorial on building an OAuth 2 authorization server. You can use the Authorization Code Grant to authenticate your Students MVC app against your API.
Building an OAuth server is not a simple task, however. You can look at a complete and secure open source product like IdentityServer to help you implement most of the authorization and authentication logic.
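To make the answer concrete on the API side: with an OAuth 2 authorization server in place, the role that [Authorize(Roles = "...")] checks comes from a claim in the bearer token the Students app presents, not from the calling site's own user. The following ASP.NET Core configuration is an added example, not code from the answer, IdentityServer or the tutorial it mentions; the authority URL, audience and the "role" claim name are assumptions.

```csharp
// Added example: a Web API that validates OAuth 2 / OpenID Connect bearer
// tokens from an external authorization server and enforces role-based
// [Authorize] from the token's "role" claim. Authority, audience and claim
// names are assumptions for this example.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddControllers();
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Signing keys are discovered from
        // {Authority}/.well-known/openid-configuration, so the API never
        // needs a shared secret with the Students app.
        options.Authority = "https://identity.example.com"; // assumed
        options.Audience = "students-api";                  // assumed
        options.RequireHttpsMetadata = true;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,          // reject tokens minted for other APIs
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ClockSkew = TimeSpan.FromMinutes(1),
            // Map the token's "role" claim onto the roles that
            // [Authorize(Roles = ...)] evaluates.
            RoleClaimType = "role",
            NameClaimType = "sub",
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

[ApiController]
[Route("api/[controller]")]
public class StudentsController : ControllerBase
{
    // Only a token whose "role" claim contains "Admin" reaches this action;
    // everything else gets 401 (no/invalid token) or 403 (wrong role).
    [HttpGet, Authorize(Roles = "Admin")]
    public IActionResult GetCurrent() => Ok(new[] { "constructed sample student" });
}
```

The Students app obtains its token from the same authorization server (via the Authorization Code Grant the answer describes) and sends it as Authorization: Bearer on each request; the role it ends up with is whatever the server issues for that client, which is where the "only Admins" policy is enforced.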