从 Web API 引发验证错误

Question

我正在用 C# 编写 web api，尝试遵循 REST 概念，即成功响应将是 HttpStatus: 200，验证错误将是 433 等等。

我在 global.asax 中为整个应用程序注册了 ExceptionFilter。

我的问题是，对于身份验证期间的验证错误，如果身份验证失败，那么应该如何将消息传回给客户端（它必须是不同的状态代码，例如 433 或 401）。

到目前为止，我正在从业务层抛出自定义异常。是否建议出现错误时抛出异常？

以下是代码示例：

记录器

public class ExceptionFilter : ExceptionFilterAttribute
{
    public override void OnException(HttpActionExecutedContext context)
    {
        HttpResponseMessage response;
        if (context.Exception is ExceptionBase)
        {
            response = context.Request.CreateResponse(HttpStatusCode.InternalServerError,
                new ErrorDTO() { ErrorCode = (int)((ExceptionBase)context.Exception).ExceptionCode, Messages = ((ExceptionBase)context.Exception).Message });
        }
        else {
            response = context.Request.CreateResponse(HttpStatusCode.InternalServerError,
                new ErrorDTO() { ErrorCode = (int)HttpStatusCode.InternalServerError, Messages = "Error occured at server." });
        }
        context.Response = response;
        base.OnException(context);
        LogException(context);
    }

    private static void LogException(HttpActionExecutedContext context)
    {
        if (context.Exception != null)
        {
            Logger.Instance.LogError(context.ActionContext.ActionDescriptor.ActionName, context.Exception);
        }
    }

    public override Task OnExceptionAsync(HttpActionExecutedContext context, CancellationToken cancellationToken)
    {
        return base.OnExceptionAsync(context, cancellationToken);
    }
}

业务层

public AuthorizationTokenDTO AuthenticateUser(UserDTO userDTO)
{
    User userEntity = _userRepository.GetUserWithAssociatedRole(userDTO.UserName);

    if (userEntity == null)
        throw new BLException("User does not exists.", ExceptionCode.RestApiValidation);

    ActiveDirectory activeDirectory = _activeDirectoryRepository.GetEntityById(ConfigurationSettings.GetConfigSetting<int>(ApplicationConstants.ActiveDirectoryId));

    if (activeDirectory == null)
        throw new BLException("UserName or password is incorrect.", ExceptionCode.RestApiValidation);

    using (var context = new PrincipalContext(ContextType.Domain))
    {
        string password = EncryptionUtility.Decrypt(userDTO.Password, ConfigurationSettings.GetConfigSetting<string>(ApplicationConstants.PrivateKeyForRSAEncryption));

        if (!context.ValidateCredentials(userDTO.UserName, password))
            throw new BLException("UserName or password is incorrect.", ExceptionCode.RestApiValidation);

        UserAccessTokenDTO accessToken = GenrateNewUserAccessToken(userEntity);

        if (accessToken == null)
            throw new BLException("Error occured while generating access token.", ExceptionCode.RestApiValidation);

        return GetAuthorizationTokenDTO(userEntity, accessToken);
    }
}

是否建议在这种情况下抛出异常？还是有更好的方法来编写 Web API？

Answer 1

ExceptionFilter 应该只捕获“未处理”的异常，可以这么说。您可以将这些异常保留在 BusinessLayer 中并在控制器中捕获它们，或者返回某种对象。然后只需从控制器返回带有适当 HttpStatusCode 的响应。

或者，您可以将您的响应包装到也知道 HttpStatusCode（和错误消息）的内容中。