Web用戶的身份驗證及WebApi權限驗證流程的設計和實現 asp.net mvc AllowAnonymous 不起作用, asp.net mvc 匿名訪問

本文轉載自查看原文 2018-07-09 17:42 1042

原文地址: https://blog.csdn.net/zjlovety/article/details/17095627

前言：Web 用戶的身份驗證，及頁面操作權限驗證是B/S系統的基礎功能，一個功能復雜的業務應用系統，通過角色授權來控制用戶訪問，本文通過Form認證，Mvc的Controller基類及Action的權限驗證來實現Web系統登錄，Mvc前端權限校驗以及WebApi服務端的訪問校驗功能。

1. Web Form認證介紹

Web應用的訪問方式因為是基於瀏覽器的Http地址請求，所以需要驗證用戶身份的合法性。目前常見的方式是Form認證，其處理邏輯描述如下：
1. 用戶首先要在登錄頁面輸入用戶名和密碼，然后登錄系統，獲取合法身份的票據，再執行后續業務處理操作；
2. 用戶在沒有登錄的情況下提交Http頁面訪問請求，如果該頁面不允許匿名訪問，則直接跳轉到登錄頁面；
3. 對於允許匿名訪問的頁面請求，系統不做權限驗證，直接處理業務數據，並返回給前端；
4. 對於不同權限要求的頁面Action操作，系統需要校驗用戶角色，計算權限列表，如果請求操作在權限列表中，則正常訪問，如果不在權限列表中，則提示“未授權的訪問操作”到異常處理頁面。

2. WebApi 服務端Basic 方式驗證

WebApi服務端接收訪問請求，需要做安全驗證處理，驗證處理步驟如下：
1. 如果是合法的Http請求，在Http請求頭中會有用戶身份的票據信息，服務端會讀取票據信息，並校驗票據信息是否完整有效，如果滿足校驗要求，則進行業務數據的處理，並返回給請求發起方；
2. 如果沒有票據信息，或者票據信息不是合法的，則返回“未授權的訪問”異常消息給前端，由前端處理此異常。

3. 登錄及權限驗證流程

流程處理步驟說明：
1. 用戶打開瀏覽器，並在地址欄中輸入頁面請求地址，提交；
2. 瀏覽器解析Http請求，發送到Web服務器；Web服務器驗證用戶請求，首先判斷是否有登錄的票據信息；
3. 用戶沒有登錄票據信息，則跳轉到登錄頁面；
4. 用戶輸入用戶名和密碼信息；
5. 瀏覽器提交登錄表單數據給Web服務器；
6. Web服務需要驗證用戶名和密碼是否匹配，發送api請求給api服務器；
7. api用戶賬戶服務根據用戶名，讀取存儲在數據庫中的用戶資料，判斷密碼是否匹配；
1）如果用戶名和密碼不匹配，則提示密碼錯誤等信息，然該用戶重新填寫登錄資料；
2）如果驗證通過，則保存用戶票據信息；
8. 接第3步，如果用戶有登錄票據信息，則跳轉到用戶請求的頁面；
9. 驗證用戶對當前要操作的頁面或頁面元素是否有權限操作，首先需要發起api服務請求，獲取用戶的權限數據；
10. api用戶權限服務根據用戶名，查找該用戶的角色信息，並計算用戶權限列表，封裝為Json數據並返回；
11. 當用戶有權限操作頁面或頁面元素時，跳轉到頁面，並由頁面Controller提交業務數據處理請求到api服務器；
如果用戶沒有權限訪問該頁面或頁面元素時，則顯示“未授權的訪問操作”，跳轉到系統異常處理頁面。
12. api業務服務處理業務邏輯，並將結果以Json 數據返回；
13. 返回渲染后的頁面給瀏覽器前端，並呈現業務數據到頁面；
14. 用戶填寫業務數據，或者查找業務數據；
15. 當填寫或查找完業務數據后，用戶提交表單數據；
16. 瀏覽器腳本提交get，post等請求給web服務器，由web服務器再次解析請求操作，重復步驟2的后續流程；
17. 當api服務器驗證用戶身份是，沒有可信用戶票據，系統提示“未授權的訪問操作”，跳轉到系統異常處理頁面。

4. Mvc前端代碼示例

4.1 用戶登錄AccountController

[csharp] view plain copy

public class AccountController : Controller
{
//
// GET: /Logon/
public ActionResult Login(string returnUrl)
{
ViewBag.ReturnUrl = returnUrl;
return View();
}
[HttpPost]
public ActionResult Logon(LoginUser loginUser, string returnUrl)
{
string strUserName = loginUser.UserName;
string strPassword = loginUser.Password;
var accountModel = new AccountModel();
//驗證用戶是否是系統注冊用戶
if (accountModel.ValidateUserLogin(strUserName, strPassword))
{
if (Url.IsLocalUrl(returnUrl))
{
//創建用戶ticket信息
accountModel.CreateLoginUserTicket(strUserName, strPassword);
//讀取用戶權限數據
accountModel.GetUserAuthorities(strUserName);
return new RedirectResult(returnUrl);
}
else
{
return RedirectToAction("Index", "Home");
}
}
else
{
throw new ApplicationException("無效登錄用戶！");
}
}
/// <summary>
/// 用戶注銷，注銷之前，清除用戶ticket
/// </summary>
/// <returns></returns>
[HttpPost]
public ActionResult Logout()
{
var accountModel = new AccountModel();
accountModel.Logout();
return RedirectToAction("Login", "Account");
}
}

[csharp] view plain copy

public class AccountController : Controller
{
//
// GET: /Logon/
public ActionResult Login(string returnUrl)
{
ViewBag.ReturnUrl = returnUrl;
return View();
}
[HttpPost]
public ActionResult Logon(LoginUser loginUser, string returnUrl)
{
string strUserName = loginUser.UserName;
string strPassword = loginUser.Password;
var accountModel = new AccountModel();
//驗證用戶是否是系統注冊用戶
if (accountModel.ValidateUserLogin(strUserName, strPassword))
{
if (Url.IsLocalUrl(returnUrl))
{
//創建用戶ticket信息
accountModel.CreateLoginUserTicket(strUserName, strPassword);
//讀取用戶權限數據
accountModel.GetUserAuthorities(strUserName);
return new RedirectResult(returnUrl);
}
else
{
return RedirectToAction("Index", "Home");
}
}
else
{
throw new ApplicationException("無效登錄用戶！");
}
}
/// <summary>
/// 用戶注銷，注銷之前，清除用戶ticket
/// </summary>
/// <returns></returns>
[HttpPost]
public ActionResult Logout()
{
var accountModel = new AccountModel();
accountModel.Logout();
return RedirectToAction("Login", "Account");
}
}

4.2 用戶模型AccountModel

[csharp] view plain copy

public class AccountModel
{
/// <summary>
/// 創建登錄用戶的票據信息
/// </summary>
/// <param name="strUserName"></param>
internal void CreateLoginUserTicket(string strUserName, string strPassword)
{
//構造Form驗證的票據信息
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, strUserName, DateTime.Now, DateTime.Now.AddMinutes(90),
true, string.Format("{0}:{1}", strUserName, strPassword), FormsAuthentication.FormsCookiePath);
string ticString = FormsAuthentication.Encrypt(ticket);
//把票據信息寫入Cookie和Session
//SetAuthCookie方法用於標識用戶的Identity狀態為true
HttpContext.Current.Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, ticString));
FormsAuthentication.SetAuthCookie(strUserName, true);
HttpContext.Current.Session["USER_LOGON_TICKET"] = ticString;
//重寫HttpContext中的用戶身份，可以封裝自定義角色數據；
//判斷是否合法用戶，可以檢查：HttpContext.User.Identity.IsAuthenticated的屬性值
string[] roles = ticket.UserData.Split(',');
IIdentity identity = new FormsIdentity(ticket);
IPrincipal principal = new GenericPrincipal(identity, roles);
HttpContext.Current.User = principal;
}
/// <summary>
/// 獲取用戶權限列表數據
/// </summary>
/// <param name="userName"></param>
/// <returns></returns>
internal string GetUserAuthorities(string userName)
{
//從WebApi 訪問用戶權限數據，然后寫入Session
string jsonAuth = "[{\"Controller\": \"SampleController\", \"Actions\":\"Apply,Process,Complete\"}, {\"Controller\": \"Product\", \"Actions\": \"List,Get,Detail\"}]";
var userAuthList = ServiceStack.Text.JsonSerializer.DeserializeFromString(jsonAuth, typeof(UserAuthModel[]));
HttpContext.Current.Session["USER_AUTHORITIES"] = userAuthList;
return jsonAuth;
}
/// <summary>
/// 讀取數據庫用戶表數據，判斷用戶密碼是否匹配
/// </summary>
/// <param name="name"></param>
/// <param name="password"></param>
/// <returns></returns>
internal bool ValidateUserLogin(string name, string password)
{
//bool isValid = password == passwordInDatabase;
return true;
}
/// <summary>
/// 用戶注銷執行的操作
/// </summary>
internal void Logout()
{
FormsAuthentication.SignOut();
}
}

[csharp] view plain copy

public class AccountModel
{
/// <summary>
/// 創建登錄用戶的票據信息
/// </summary>
/// <param name="strUserName"></param>
internal void CreateLoginUserTicket(string strUserName, string strPassword)
{
//構造Form驗證的票據信息
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, strUserName, DateTime.Now, DateTime.Now.AddMinutes(90),
true, string.Format("{0}:{1}", strUserName, strPassword), FormsAuthentication.FormsCookiePath);
string ticString = FormsAuthentication.Encrypt(ticket);
//把票據信息寫入Cookie和Session
//SetAuthCookie方法用於標識用戶的Identity狀態為true
HttpContext.Current.Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, ticString));
FormsAuthentication.SetAuthCookie(strUserName, true);
HttpContext.Current.Session["USER_LOGON_TICKET"] = ticString;
//重寫HttpContext中的用戶身份，可以封裝自定義角色數據；
//判斷是否合法用戶，可以檢查：HttpContext.User.Identity.IsAuthenticated的屬性值
string[] roles = ticket.UserData.Split(',');
IIdentity identity = new FormsIdentity(ticket);
IPrincipal principal = new GenericPrincipal(identity, roles);
HttpContext.Current.User = principal;
}
/// <summary>
/// 獲取用戶權限列表數據
/// </summary>
/// <param name="userName"></param>
/// <returns></returns>
internal string GetUserAuthorities(string userName)
{
//從WebApi 訪問用戶權限數據，然后寫入Session
string jsonAuth = "[{\"Controller\": \"SampleController\", \"Actions\":\"Apply,Process,Complete\"}, {\"Controller\": \"Product\", \"Actions\": \"List,Get,Detail\"}]";
var userAuthList = ServiceStack.Text.JsonSerializer.DeserializeFromString(jsonAuth, typeof(UserAuthModel[]));
HttpContext.Current.Session["USER_AUTHORITIES"] = userAuthList;
return jsonAuth;
}
/// <summary>
/// 讀取數據庫用戶表數據，判斷用戶密碼是否匹配
/// </summary>
/// <param name="name"></param>
/// <param name="password"></param>
/// <returns></returns>
internal bool ValidateUserLogin(string name, string password)
{
//bool isValid = password == passwordInDatabase;
return true;
}
/// <summary>
/// 用戶注銷執行的操作
/// </summary>
internal void Logout()
{
FormsAuthentication.SignOut();
}
}

4.3 控制器基類WebControllerBase

[csharp] view plain copy

/// <summary>
/// 前端Mvc控制器基類
/// </summary>
[Authorize]
public abstract class WebControllerBase : Controller
{
/// <summary>
/// 對應api的Url
/// </summary>
public string ApiUrl
{
get;
protected set;
}
/// <summary>
/// 用戶權限列表
/// </summary>
public UserAuthModel[] UserAuthList
{
get
{
return AuthorizedUser.Current.UserAuthList;
}
}
/// <summary>
/// 登錄用戶票據
/// </summary>
public string UserLoginTicket
{
get
{
return AuthorizedUser.Current.UserLoginTicket;
}
}
}

[csharp] view plain copy

/// <summary>
/// 前端Mvc控制器基類
/// </summary>
[Authorize]
public abstract class WebControllerBase : Controller
{
/// <summary>
/// 對應api的Url
/// </summary>
public string ApiUrl
{
get;
protected set;
}
/// <summary>
/// 用戶權限列表
/// </summary>
public UserAuthModel[] UserAuthList
{
get
{
return AuthorizedUser.Current.UserAuthList;
}
}
/// <summary>
/// 登錄用戶票據
/// </summary>
public string UserLoginTicket
{
get
{
return AuthorizedUser.Current.UserLoginTicket;
}
}
}

4.4 權限屬性RequireAuthorizationAttribute

[csharp] view plain copy

/// <summary>
/// 權限驗證屬性類
/// </summary>
public class RequireAuthorizeAttribute : AuthorizeAttribute
{
/// <summary>
/// 用戶權限列表
/// </summary>
public UserAuthModel[] UserAuthList
{
get
{
return AuthorizedUser.Current.UserAuthList;
}
}
/// <summary>
/// 登錄用戶票據
/// </summary>
public string UserLoginTicket
{
get
{
return AuthorizedUser.Current.UserLoginTicket;
}
}
public override void OnAuthorization(AuthorizationContext filterContext)
{
base.OnAuthorization(filterContext);
////驗證是否是登錄用戶
var identity = filterContext.HttpContext.User.Identity;
if (identity.IsAuthenticated)
{
var actionName = filterContext.ActionDescriptor.ActionName;
var controllerName = filterContext.ActionDescriptor.ControllerDescriptor.ControllerName;
//驗證用戶操作是否在權限列表中
if (HasActionQulification(actionName, controllerName, identity.Name))
if (!string.IsNullOrEmpty(UserLoginTicket))
//有效登錄用戶，有權限訪問此Action，則寫入Cookie信息
filterContext.HttpContext.Response.Cookies[FormsAuthentication.FormsCookieName].Value = UserLoginTicket;
else
//用戶的Session, Cookie都過期，需要重新登錄
filterContext.HttpContext.Response.Redirect("~/Account/Login", false);
else
//雖然是登錄用戶，但沒有該Action的權限，跳轉到“未授權訪問”頁面
filterContext.HttpContext.Response.Redirect("~/Home/UnAuthorized", true);
}
else
{
//未登錄用戶，則判斷是否是匿名訪問
var attr = filterContext.ActionDescriptor.GetCustomAttributes(true).OfType<AllowAnonymousAttribute>();
bool isAnonymous = attr.Any(a => a is AllowAnonymousAttribute);
if (!isAnonymous)
//未驗證（登錄）的用戶, 而且是非匿名訪問，則轉向登錄頁面
filterContext.HttpContext.Response.Redirect("~/Account/Login", true);
}
}
/// <summary>
/// 從權限列表驗證用戶是否有權訪問Action
/// </summary>
/// <param name="actionName"></param>
/// <param name="controllerName"></param>
/// <returns></returns>
private bool HasActionQulification(string actionName, string controllerName, string userName)
{
//從該用戶的權限數據列表中查找是否有當前Controller和Action的item
var auth = UserAuthList.FirstOrDefault(a =>
{
bool rightAction = false;
bool rightController = a.Controller == controllerName;
if (rightController)
{
string[] actions = a.Actions.Split(',');
rightAction = actions.Contains(actionName);
}
return rightAction;
});
//此處可以校驗用戶的其它權限條件
//var notAllowed = HasOtherLimition(userName);
//var result = (auth != null) && notAllowed;
//return result;
return (auth != null);
}
}

[csharp] view plain copy

/// <summary>
/// 權限驗證屬性類
/// </summary>
public class RequireAuthorizeAttribute : AuthorizeAttribute
{
/// <summary>
/// 用戶權限列表
/// </summary>
public UserAuthModel[] UserAuthList
{
get
{
return AuthorizedUser.Current.UserAuthList;
}
}
/// <summary>
/// 登錄用戶票據
/// </summary>
public string UserLoginTicket
{
get
{
return AuthorizedUser.Current.UserLoginTicket;
}
}
public override void OnAuthorization(AuthorizationContext filterContext)
{
base.OnAuthorization(filterContext);
////驗證是否是登錄用戶
var identity = filterContext.HttpContext.User.Identity;
if (identity.IsAuthenticated)
{
var actionName = filterContext.ActionDescriptor.ActionName;
var controllerName = filterContext.ActionDescriptor.ControllerDescriptor.ControllerName;
//驗證用戶操作是否在權限列表中
if (HasActionQulification(actionName, controllerName, identity.Name))
if (!string.IsNullOrEmpty(UserLoginTicket))
//有效登錄用戶，有權限訪問此Action，則寫入Cookie信息
filterContext.HttpContext.Response.Cookies[FormsAuthentication.FormsCookieName].Value = UserLoginTicket;
else
//用戶的Session, Cookie都過期，需要重新登錄
filterContext.HttpContext.Response.Redirect("~/Account/Login", false);
else
//雖然是登錄用戶，但沒有該Action的權限，跳轉到“未授權訪問”頁面
filterContext.HttpContext.Response.Redirect("~/Home/UnAuthorized", true);
}
else
{
//未登錄用戶，則判斷是否是匿名訪問
var attr = filterContext.ActionDescriptor.GetCustomAttributes(true).OfType<AllowAnonymousAttribute>();
bool isAnonymous = attr.Any(a => a is AllowAnonymousAttribute);
if (!isAnonymous)
//未驗證（登錄）的用戶, 而且是非匿名訪問，則轉向登錄頁面
filterContext.HttpContext.Response.Redirect("~/Account/Login", true);
}
}
/// <summary>
/// 從權限列表驗證用戶是否有權訪問Action
/// </summary>
/// <param name="actionName"></param>
/// <param name="controllerName"></param>
/// <returns></returns>
private bool HasActionQulification(string actionName, string controllerName, string userName)
{
//從該用戶的權限數據列表中查找是否有當前Controller和Action的item
var auth = UserAuthList.FirstOrDefault(a =>
{
bool rightAction = false;
bool rightController = a.Controller == controllerName;
if (rightController)
{
string[] actions = a.Actions.Split(',');
rightAction = actions.Contains(actionName);
}
return rightAction;
});
//此處可以校驗用戶的其它權限條件
//var notAllowed = HasOtherLimition(userName);
//var result = (auth != null) && notAllowed;
//return result;
return (auth != null);
}
}

4.5 業務Controller示例

[csharp] view plain copy

public class ProductController : WebControllerBase
{
[AllowAnonymous]
public ActionResult Query()
{
return View("ProductQuery");
}
[HttpGet]
//[AllowAnonymous]
[RequireAuthorize]
public ActionResult Detail(string id)
{
var cookie = HttpContext.Request.Cookies;
string url = base.ApiUrl + "/Get/" + id;
HttpClient httpClient = HttpClientHelper.Create(url, base.UserLoginTicket);
string result = httpClient.GetString();
var model = JsonSerializer.DeserializeFromString<Product>(result);
ViewData["PRODUCT_ADD_OR_EDIT"] = "E";
return View("ProductForm", model);
}
}

[csharp] view plain copy

public class ProductController : WebControllerBase
{
[AllowAnonymous]
public ActionResult Query()
{
return View("ProductQuery");
}
[HttpGet]
//[AllowAnonymous]
[RequireAuthorize]
public ActionResult Detail(string id)
{
var cookie = HttpContext.Request.Cookies;
string url = base.ApiUrl + "/Get/" + id;
HttpClient httpClient = HttpClientHelper.Create(url, base.UserLoginTicket);
string result = httpClient.GetString();
var model = JsonSerializer.DeserializeFromString<Product>(result);
ViewData["PRODUCT_ADD_OR_EDIT"] = "E";
return View("ProductForm", model);
}
}

5. WebApi 服務端代碼示例

5.1 控制器基類ApiControllerBase

[csharp] view plain copy

/// <summary>
/// Controller的基類，用於實現適合業務場景的基礎功能
/// </summary>
/// <typeparam name="T"></typeparam>
[BasicAuthentication]
public abstract class ApiControllerBase : ApiController
{
}

[csharp] view plain copy

/// <summary>
/// Controller的基類，用於實現適合業務場景的基礎功能
/// </summary>
/// <typeparam name="T"></typeparam>
[BasicAuthentication]
public abstract class ApiControllerBase : ApiController
{
}

5.2 權限屬性BaseAuthenticationAttribute

[csharp] view plain copy

/// <summary>
/// 基本驗證Attribtue，用以Action的權限處理
/// </summary>
public class BasicAuthenticationAttribute : ActionFilterAttribute
{
/// <summary>
/// 檢查用戶是否有該Action執行的操作權限
/// </summary>
/// <param name="actionContext"></param>
public override void OnActionExecuting(HttpActionContext actionContext)
{
//檢驗用戶ticket信息，用戶ticket信息來自調用發起方
if (actionContext.Request.Headers.Authorization != null)
{
//解密用戶ticket,並校驗用戶名密碼是否匹配
var encryptTicket = actionContext.Request.Headers.Authorization.Parameter;
if (ValidateUserTicket(encryptTicket))
base.OnActionExecuting(actionContext);
else
actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
}
else
{
//檢查web.config配置是否要求權限校驗
bool isRquired = (WebConfigurationManager.AppSettings["WebApiAuthenticatedFlag"].ToString() == "true");
if (isRquired)
{
//如果請求Header不包含ticket，則判斷是否是匿名調用
var attr = actionContext.ActionDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().OfType<AllowAnonymousAttribute>();
bool isAnonymous = attr.Any(a => a is AllowAnonymousAttribute);
//是匿名用戶，則繼續執行；非匿名用戶，拋出“未授權訪問”信息
if (isAnonymous)
base.OnActionExecuting(actionContext);
else
actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
}
else
{
base.OnActionExecuting(actionContext);
}
}
}
/// <summary>
/// 校驗用戶ticket信息
/// </summary>
/// <param name="encryptTicket"></param>
/// <returns></returns>
private bool ValidateUserTicket(string encryptTicket)
{
var userTicket = FormsAuthentication.Decrypt(encryptTicket);
var userTicketData = userTicket.UserData;
string userName = userTicketData.Substring(0, userTicketData.IndexOf(":"));
string password = userTicketData.Substring(userTicketData.IndexOf(":") + 1);
//檢查用戶名、密碼是否正確，驗證是合法用戶
//var isQuilified = CheckUser(userName, password);
return true;
}
}

[csharp] view plain copy

/// <summary>
/// 基本驗證Attribtue，用以Action的權限處理
/// </summary>
public class BasicAuthenticationAttribute : ActionFilterAttribute
{
/// <summary>
/// 檢查用戶是否有該Action執行的操作權限
/// </summary>
/// <param name="actionContext"></param>
public override void OnActionExecuting(HttpActionContext actionContext)
{
//檢驗用戶ticket信息，用戶ticket信息來自調用發起方
if (actionContext.Request.Headers.Authorization != null)
{
//解密用戶ticket,並校驗用戶名密碼是否匹配
var encryptTicket = actionContext.Request.Headers.Authorization.Parameter;
if (ValidateUserTicket(encryptTicket))
base.OnActionExecuting(actionContext);
else
actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
}
else
{
//檢查web.config配置是否要求權限校驗
bool isRquired = (WebConfigurationManager.AppSettings["WebApiAuthenticatedFlag"].ToString() == "true");
if (isRquired)
{
//如果請求Header不包含ticket，則判斷是否是匿名調用
var attr = actionContext.ActionDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().OfType<AllowAnonymousAttribute>();
bool isAnonymous = attr.Any(a => a is AllowAnonymousAttribute);
//是匿名用戶，則繼續執行；非匿名用戶，拋出“未授權訪問”信息
if (isAnonymous)
base.OnActionExecuting(actionContext);
else
actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
}
else
{
base.OnActionExecuting(actionContext);
}
}
}
/// <summary>
/// 校驗用戶ticket信息
/// </summary>
/// <param name="encryptTicket"></param>
/// <returns></returns>
private bool ValidateUserTicket(string encryptTicket)
{
var userTicket = FormsAuthentication.Decrypt(encryptTicket);
var userTicketData = userTicket.UserData;
string userName = userTicketData.Substring(0, userTicketData.IndexOf(":"));
string password = userTicketData.Substring(userTicketData.IndexOf(":") + 1);
//檢查用戶名、密碼是否正確，驗證是合法用戶
//var isQuilified = CheckUser(userName, password);
return true;
}
}

5.3 api服務Controller實例

[csharp] view plain copy

public class ProductController : ApiControllerBase
{
[HttpGet]
public object Find(string id)
{
return ProductServiceInstance.Find(2);
}
// GET api/product/5
[HttpGet]
[AllowAnonymous]
public Product Get(string id)
{
var headers = Request.Headers;
var p = ProductServiceInstance.GetById<Product, EPProduct>(long.Parse(id));
if (p == null)
{
throw new HttpResponseException(new HttpResponseMessage(HttpStatusCode.BadRequest)
Content = new StringContent("id3 not found"), ReasonPhrase = "product id not exist." });
}
return p;
}
}

[csharp] view plain copy

public class ProductController : ApiControllerBase
{
[HttpGet]
public object Find(string id)
{
return ProductServiceInstance.Find(2);
}
// GET api/product/5
[HttpGet]
[AllowAnonymous]
public Product Get(string id)
{
var headers = Request.Headers;
var p = ProductServiceInstance.GetById<Product, EPProduct>(long.Parse(id));
if (p == null)
{
throw new HttpResponseException(new HttpResponseMessage(HttpStatusCode.BadRequest)
Content = new StringContent("id3 not found"), ReasonPhrase = "product id not exist." });
}
return p;
}
}

6. 其它配置說明

6.1 Mvc前端Web.Config 配置

[html] view plain copy

<system.web>
<compilation debug="true" targetFramework="4.5">
<assemblies>
<add assembly="System.Web.Http.Data.Helpers, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</assemblies>
</compilation>
<httpRuntime targetFramework="4.5" />
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" defaultUrl="~/Home/Index" protection="All" timeout="90" name=".AuthCookie"></forms>
</authentication>
<machineKey validationKey="3FFA12388DDF585BA5D35E7BC87E3F0AB47FBBEBD12240DD3BEA2BEAEC4ABA213F22AD27E8FAD77DCFEE306219691434908D193A17C1FC8DCE51B71A4AE54920" decryptionKey="ECB6A3AF9ABBF3F16E80685ED68DC74B0B13CCEE538EBBA97D0B893139683B3B" validation="SHA1" decryption="AES" />
</system.web>

[html] view plain copy

<system.web>
<compilation debug="true" targetFramework="4.5">
<assemblies>
<add assembly="System.Web.Http.Data.Helpers, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</assemblies>
</compilation>
<httpRuntime targetFramework="4.5" />
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" defaultUrl="~/Home/Index" protection="All" timeout="90" name=".AuthCookie"></forms>
</authentication>
<machineKey validationKey="3FFA12388DDF585BA5D35E7BC87E3F0AB47FBBEBD12240DD3BEA2BEAEC4ABA213F22AD27E8FAD77DCFEE306219691434908D193A17C1FC8DCE51B71A4AE54920" decryptionKey="ECB6A3AF9ABBF3F16E80685ED68DC74B0B13CCEE538EBBA97D0B893139683B3B" validation="SHA1" decryption="AES" />
</system.web>

machineKey節點配置，是應用於對用戶ticket數據加密和解密。

6.2 WebApi服務端Web.Config配置

[html] view plain copy

<system.web>
<machineKey validationKey="3FF112388DDF585BA5D35E7BC87E3F0AB47FBBEBD12240DD3BEA2BEAEC4ABA213F22AD27E8FAD77DCFEE306219691434908D193A17C1FC8DCE51B71A4AE54920" decryptionKey="ECB6A3AF9ABBF3F16E80685ED68DC74B0B13CCEE538EBBA97D0B893139683B3B" validation="SHA1" decryption="AES" />
</system.web>

[html] view plain copy

<system.web>
<machineKey validationKey="3FF112388DDF585BA5D35E7BC87E3F0AB47FBBEBD12240DD3BEA2BEAEC4ABA213F22AD27E8FAD77DCFEE306219691434908D193A17C1FC8DCE51B71A4AE54920" decryptionKey="ECB6A3AF9ABBF3F16E80685ED68DC74B0B13CCEE538EBBA97D0B893139683B3B" validation="SHA1" decryption="AES" />
</system.web>

machineKey節點配置，是應用於對用戶ticket數據加密和解密。

7. 總結

Web系統的用戶登錄及頁面操作權限驗證在處理邏輯上比較復雜，需要考慮到Form認證、匿名訪問，Session和Cookie存儲，以及Session和Cookie的過期處理，本文實現了整個權限驗證框架的基本功能，供系統架構設計人員以及Web開發人員參考。

免責聲明！

本站轉載的文章為個人學習借鑒使用，本站對版權不負任何法律責任。如果侵犯了您的隱私權益，請聯系本站郵箱yoyou2525@163.com刪除。

猜您在找 Asp.net MVC 權限驗證，以及是否允許匿名訪問 ASP.NET MVC 4 (十三) 基於表單的身份驗證 ASP.NET MVC Cookie 身份驗證 jwt的ASP.NET MVC 身份驗證 Asp.Net MVC 身份驗證-Forms 【記錄】ASP.NET MVC 4/5 Authentication 身份驗證無效 ASP.NET MVC5（五）：身份驗證、授權 Asp.net Mvc 身份驗證、異常處理、權限驗證（攔截器） Asp.net Mvc 身份驗證、異常處理、權限驗證(攔截器)實現代碼 ASP.NET MVC：窗體身份驗證及角色權限管理示例