ASP.NET MVC SSO 單點登錄設計與實現


實驗環境配置

HOST文件配置如下:

127.0.0.1 app.com
127.0.0.1 sso.com

IIS配置如下:

應用程序池采用.Net Framework 4.0

注意IIS綁定的域名,兩個完全不同域的域名。

app.com網站配置如下:

 

 sso.com網站配置如下:

memcached緩存:

 數據庫配置:

 數據庫采用EntityFramework 6.0.0,首次運行會自動創建相應的數據庫和表結構。

授權驗證過程演示:

在瀏覽器地址欄中訪問:http://app.com,如果用戶還未登陸則網站會自動重定向至:http://sso.com/passport,同時通過QueryString傳參數的方式將對應的AppKey應用標識傳遞過來,運行截圖如下:

URL地址:http://sso.com/passport?appkey=670b14728ad9902aecba32e22fa4f6bd&username=

 輸入正確的登陸賬號和密碼后,點擊登陸按鈕系統自動301重定向至應用會掉首頁,毀掉成功后如下所示:

 由於在不同的域下進行SSO授權登陸,所以采用QueryString方式返回授權標識。同域網站下可采用Cookie方式。由於301重定向請 求是由瀏覽器發送的,所以在如果授權標識放入Handers中的話,瀏覽器重定向的時候會丟失。重定向成功后,程序自動將授權標識寫入到Cookie中, 點擊其他頁面地址時,URL地址欄中將不再會看到授權標示信息。Cookie設置如下:

登陸成功后的后續授權驗證(訪問其他需要授權訪問的頁面):

校驗地址:http://sso.com/api/passport?sessionkey=xxxxxx&remark=xxxxxx

返回結果:true,false

客戶端可以根據實際業務情況,選擇提示用戶授權已丟失,需要重新獲得授權。默認自動重定向至SSO登陸頁面,即:http://sso.com /passport?appkey=670b14728ad9902aecba32e22fa4f6bd&username=seo@ljja.cn 同時登陸頁面郵箱地址文本框會自定補全用戶的登陸賬號,用戶只需輸入登陸密碼即可,授權成功后會話有效期自動延長一年時間。

SSO數據庫驗證日志:

用戶授權驗證日志:

用戶授權會話Session:

數據庫用戶賬號和應用信息:

應用授權登陸驗證頁面核心代碼:

復制代碼
  1 /// <summary>  2 /// 公鑰:AppKey  3 /// 私鑰:AppSecret  4 /// 會話:SessionKey  5 /// </summary>  6 public class PassportController : Controller  7  {  8 private readonly IAppInfoService _appInfoService = new AppInfoService();  9 private readonly IAppUserService _appUserService = new AppUserService();  10 private readonly IUserAuthSessionService _authSessionService = new UserAuthSessionService();  11 private readonly IUserAuthOperateService _userAuthOperateService = new UserAuthOperateService();  12  13 private const string AppInfo = "AppInfo";  14 private const string SessionKey = "SessionKey";  15 private const string SessionUserName = "SessionUserName";  16  17 //默認登錄界面  18 public ActionResult Index(string appKey = "", string username = "")  19  {  20 TempData[AppInfo] = _appInfoService.Get(appKey);  21  22 var viewModel = new PassportLoginRequest  23  {  24 AppKey = appKey,  25 UserName = username  26  };  27  28 return View(viewModel);  29  }  30  31 //授權登錄  32  [HttpPost]  33 public ActionResult Index(PassportLoginRequest model)  34  {  35 //獲取應用信息  36 var appInfo = _appInfoService.Get(model.AppKey);  37 if (appInfo == null)  38  {  39 //應用不存在  40 return View(model);  41  }  42  43 TempData[AppInfo] = appInfo;  44  45 if (ModelState.IsValid == false)  46  {  47 //實體驗證失敗  48 return View(model);  49  }  50  51 //過濾字段無效字符  52  model.Trim();  53  54 //獲取用戶信息  55 var userInfo = _appUserService.Get(model.UserName);  56 if (userInfo == null)  57  {  58 //用戶不存在  59 return View(model);  60  }  61  62 if (userInfo.UserPwd != model.Password.ToMd5())  63  {  64 //密碼不正確  65 return View(model);  66  }  67  68 //獲取當前未到期的Session  69 var currentSession = _authSessionService.ExistsByValid(appInfo.AppKey, userInfo.UserName);  70 if (currentSession == null) 71 { 72 //構建Session 73 currentSession = new UserAuthSession 74 { 75 AppKey = appInfo.AppKey, 76 CreateTime = DateTime.Now, 77 InvalidTime = DateTime.Now.AddYears(1), 78 IpAddress = Request.UserHostAddress, 79 SessionKey = Guid.NewGuid().ToString().ToMd5(), 80 UserName = userInfo.UserName 81 }; 82 83 //創建Session 84 _authSessionService.Create(currentSession); 85 } 86 else 87 { 88 //延長有效期,默認一年 89 _authSessionService.ExtendValid(currentSession.SessionKey); 90 } 91 92 //記錄用戶授權日志 93 _userAuthOperateService.Create(new UserAuthOperate 94 { 95 CreateTime = DateTime.Now, 96 IpAddress = Request.UserHostAddress, 97 Remark = string.Format("{0} 登錄 {1} 授權成功", currentSession.UserName, appInfo.Title), 98 SessionKey = currentSession.SessionKey 99 }); 104 105 var redirectUrl = string.Format("{0}?SessionKey={1}&SessionUserName={2}", 106 appInfo.ReturnUrl, 107 currentSession.SessionKey, 108 userInfo.UserName); 109 110 //跳轉默認回調頁面 111 return Redirect(redirectUrl); 112 } 113 }
復制代碼

 

Memcached會話標識驗證核心代碼:

復制代碼
public class PassportController : ApiController { private readonly IUserAuthSessionService _authSessionService = new UserAuthSessionService(); private readonly IUserAuthOperateService _userAuthOperateService = new UserAuthOperateService(); public bool Get(string sessionKey = "", string remark = "") { if (_authSessionService.GetCache(sessionKey)) { _userAuthOperateService.Create(new UserAuthOperate { CreateTime = DateTime.Now, IpAddress = Request.RequestUri.Host, Remark = string.Format("驗證成功-{0}", remark), SessionKey = sessionKey }); return true; } _userAuthOperateService.Create(new UserAuthOperate { CreateTime = DateTime.Now, IpAddress = Request.RequestUri.Host, Remark = string.Format("驗證失敗-{0}", remark), SessionKey = sessionKey }); return false; } }
復制代碼

 

Client授權驗證Filters Attribute

復制代碼
public class SSOAuthAttribute : ActionFilterAttribute { public const string SessionKey = "SessionKey"; public const string SessionUserName = "SessionUserName"; public override void OnActionExecuting(ActionExecutingContext filterContext) { var cookieSessionkey = ""; var cookieSessionUserName = ""; //SessionKey by QueryString if (filterContext.HttpContext.Request.QueryString[SessionKey] != null) { cookieSessionkey = filterContext.HttpContext.Request.QueryString[SessionKey]; filterContext.HttpContext.Response.Cookies.Add(new HttpCookie(SessionKey, cookieSessionkey)); } //SessionUserName by QueryString if (filterContext.HttpContext.Request.QueryString[SessionUserName] != null) { cookieSessionUserName = filterContext.HttpContext.Request.QueryString[SessionUserName]; filterContext.HttpContext.Response.Cookies.Add(new HttpCookie(SessionUserName, cookieSessionUserName)); } //從Cookie讀取SessionKey if (filterContext.HttpContext.Request.Cookies[SessionKey] != null) { cookieSessionkey = filterContext.HttpContext.Request.Cookies[SessionKey].Value; } //從Cookie讀取SessionUserName if (filterContext.HttpContext.Request.Cookies[SessionUserName] != null) { cookieSessionUserName = filterContext.HttpContext.Request.Cookies[SessionUserName].Value; } if (string.IsNullOrEmpty(cookieSessionkey) || string.IsNullOrEmpty(cookieSessionUserName)) { //直接登錄 filterContext.Result = SsoLoginResult(cookieSessionUserName); } else { //驗證 if (CheckLogin(cookieSessionkey, filterContext.HttpContext.Request.RawUrl) == false) { //會話丟失,跳轉到登錄頁面 filterContext.Result = SsoLoginResult(cookieSessionUserName); } } base.OnActionExecuting(filterContext); } public static bool CheckLogin(string sessionKey, string remark = "") { var httpClient = new HttpClient { BaseAddress = new Uri(ConfigurationManager.AppSettings["SSOPassport"]) }; var requestUri = string.Format("api/Passport?sessionKey={0}&remark={1}", sessionKey, remark); try { var resp = httpClient.GetAsync(requestUri).Result; resp.EnsureSuccessStatusCode(); return resp.Content.ReadAsAsync<bool>().Result; } catch (Exception ex) { throw ex; } } private static ActionResult SsoLoginResult(string username) { return new RedirectResult(string.Format("{0}/passport?appkey={1}&username={2}", ConfigurationManager.AppSettings["SSOPassport"], ConfigurationManager.AppSettings["SSOAppKey"], username)); } }
復制代碼

 

示例SSO驗證特性使用方法:

復制代碼
[SSOAuth]
    public class HomeController : Controller { public ActionResult Index() { return View(); } public ActionResult About() { ViewBag.Message = "Your application description page."; return View(); } public ActionResult Contact() { ViewBag.Message = "Your contact page."; return View(); } }
復制代碼

 

總結:

從草稿示例代碼中可以看到代碼性能上還有很多優化的地方,還有SSO應用授權登陸頁面的用戶賬號不存在、密碼錯誤等一系列的提示信息等。在業務代碼 運行基本正確的后期,可以考慮往更多的安全性層面優化,比如啟用AppSecret私鑰簽名驗證,IP范圍驗證,固定會話請求攻擊、SSO授權登陸界面的 驗證碼、會話緩存自動重建、SSo服務器、緩存的水平擴展等。

源碼地址:https://github.com/smartbooks/SmartSSO

分類: 編程知識


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM