我們要實現下面的效果,某個controller,只允許某幾個角色訪問(admin,user,document controller)
[MyAuthorize(Roles = "Admin,User,Document Controller")] public class ClassController : Controller
首先, 登錄的時候,要把用戶的角色從DB拿出來,放到FormsAuthenticationTicket的UserData里. (假設我們使用Form認證)
var roles = db.TN_Role.Where(t => t.User_Code.Equals(UserCode)).ToList(); if (roles == null) return false; else { foreach (var role in roles) { if (role.Company_ID.Equals(CompanyId) || role.Company_ID == null) { Session["Role"] = role.Role; var authTicket = new FormsAuthenticationTicket( 1, UserCode, DateTime.Now, DateTime.Now.AddMinutes(30), // expiry false, role.Role, "/"); var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(authTicket)); Response.Cookies.Add(cookie); Response.Cookies.Set(new HttpCookie("Company", CompanyId.ToString())); return true; } } return false; }
重寫AuthorizeAttribute
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, Inherited = true, AllowMultiple = true)] public class MyAuthorizeAttribute : AuthorizeAttribute { public override void OnAuthorization(AuthorizationContext filterContext) { string cookieName = FormsAuthentication.FormsCookieName; if (!filterContext.HttpContext.User.Identity.IsAuthenticated || filterContext.HttpContext.Request.Cookies == null || filterContext.HttpContext.Request.Cookies[cookieName] == null ) { HandleUnauthorizedRequest(filterContext); return; } var authCookie = filterContext.HttpContext.Request.Cookies[cookieName]; var authTicket = FormsAuthentication.Decrypt(authCookie.Value); string[] roles = authTicket.UserData.Split(','); var userIdentity = new GenericIdentity(authTicket.Name); var userPrincipal = new GenericPrincipal(userIdentity, roles); filterContext.HttpContext.User = userPrincipal; base.OnAuthorization(filterContext); } }
這個方法的缺陷: 只適合權限比較簡單的情況. 當新增角色或者角色改變時,只能修改每個Action對應的特性,當項目較大時工作量也很大.