在asp.net core中,微軟提供了基於認證(Authentication)和授權(Authorization)的方式,來實現權限管理的,本篇博文,介紹基於固定角色的權限管理和自定義角色權限管理,本文內容,更適合傳統行業的BS應用,而非互聯網應用。
在asp.net core中,我們認證(Authentication)通常是在Login的Post Action中進行用戶名或密碼來驗證用戶是否正確,如果通過驗證,即該用戶就會獲得一個或幾個特定的角色,通過ClaimTypes.Role來存儲角色,從而當一個請求到達時,用這個角色和Controller或Action上加的特性 [Authorize(Roles = "admin,system")]來授權是否有權訪問該Action。本文中的自定義角色,會把驗證放在中間件中進行處理。
一、固定角色:
即把角色與具體的Controller或Action直接關聯起來,整個系統中的角色是固定的,每種角色可以訪問那些Controller或Action也是固定的,這做法比較適合小型項目,角色分工非常明確的項目。
項目代碼:
https://github.com/axzxs2001/Asp.NetCoreExperiment/tree/master/Asp.NetCoreExperiment/%E6%9D%83%E9%99%90%E7%AE%A1%E7%90%86/RolePrivilegeManagement
始於startup.cs
需要在ConfigureServices中注入Cookie的相關信息,options是CookieAuthenticationOptions,關於這個類型提供如下屬性,可參考:https://docs.microsoft.com/en-us/aspnet/core/security/authentication/cookie?tabs=aspnetcore2x
它提供了登錄的一些信息,或登錄生成Cookie的一些信息,用以后
public void ConfigureServices(IServiceCollection services)
{
services.AddMvc();
//添加認證Cookie信息
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
.AddCookie(options =>
{
options.LoginPath = new PathString("/login");
options.AccessDeniedPath = new PathString("/denied");
});
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
app.UseBrowserLink();
}
else
{
app.UseExceptionHandler("/Home/Error");
}
app.UseStaticFiles();
//驗證中間件
app.UseAuthentication();
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller=Home}/{action=Index}/{id?}");
});
}
HomeController.cs
對於Login Get的Action,把returnUrl用戶想要訪問的地址(有可能用戶記錄下想要訪問的url了,但系統會轉到登錄頁,登錄成功后直接跳轉到想要訪問的returnUrl頁)
對於Login Post的Action,驗證用戶密和密碼,成功能,定義一個ClaimsIdentity,把用戶名和角色,和用戶姓名的聲明都添回進來(這個角色,就是用來驗證可訪問action的角色 )作來該用戶標識,接下來調用HttpContext.SignInAsync進行登錄,注意此方法的第一個參數,必需與StartUp.cs中services.AddAuthentication的參數相同,AddAuthentication是設置登錄,SigninAsync是按設置參數進行登錄
對於Logout Get的Action,是退出登錄
HomeController上的[Authorize(Roles=”admin,system”)]角色和權限的關系時,所有Action只有admin和system兩個角色能訪問到,About上的[Authorize(Roles=”admin”)]聲明這個action只能admin角色訪問,Contact上的[Authorize(Roles=”system”)]聲明這個action只能system角色訪問,如果action上聲明的是[AllowAnomymous],說明不受授權管理,可以直接訪問。
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using RolePrivilegeManagement.Models;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
namespace RolePrivilegeManagement.Controllers
{
[Authorize(Roles = "admin,system")]
public class HomeController : Controller
{
public IActionResult Index()
{
return View();
}
[Authorize(Roles = "admin")]
public IActionResult About()
{
ViewData["Message"] = "Your application description page.";
return View();
}
[Authorize(Roles = "system")]
public IActionResult Contact()
{
ViewData["Message"] = "Your contact page.";
return View();
}
public IActionResult Error()
{
return View(new ErrorViewModel { RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier });
}
[AllowAnonymous]
[HttpGet("login")]
public IActionResult Login(string returnUrl = null)
{
TempData["returnUrl"] = returnUrl;
return View();
}
[AllowAnonymous]
[HttpPost("login")]
public async Task<IActionResult> Login(string userName, string password, string returnUrl = null)
{
var list = new List<dynamic> {
new { UserName = "gsw", Password = "111111", Role = "admin" },
new { UserName = "aaa", Password = "222222", Role = "system" }
};
var user = list.SingleOrDefault(s => s.UserName == userName && s.Password == password);
if (user!=null)
{
//用戶標識
var identity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme);
identity.AddClaim(new Claim(ClaimTypes.Sid, userName));
identity.AddClaim(new Claim(ClaimTypes.Name, user.Name));
identity.AddClaim(new Claim(ClaimTypes.Role, user.Role));
await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity));
if (returnUrl == null)
{
returnUrl = TempData["returnUrl"]?.ToString();
}
if (returnUrl != null)
{
return Redirect(returnUrl);
}
else
{
return RedirectToAction(nameof(HomeController.Index), "Home");
}
}
else
{
const string badUserNameOrPasswordMessage = "用戶名或密碼錯誤!";
return BadRequest(badUserNameOrPasswordMessage);
}
}
[HttpGet("logout")]
public async Task<IActionResult> Logout()
{
await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
return RedirectToAction("Index", "Home");
}
[AllowAnonymous]
[HttpGet("denied")]
public IActionResult Denied()
{
return View();
}
}
}
前端_Layout.cshtml布局頁,在登錄成功后的任何頁面都可以用@User.Identity.Name就可以獲取用戶姓名,同時用@User.Claims.SingleOrDefault(s=>s.Type== System.Security.Claims.ClaimTypes.Sid).Value可以獲取用戶名或角色。
<nav class="navbar navbar-inverse navbar-fixed-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a asp-area="" asp-controller="Home" asp-action="Index" class="navbar-brand">RolePrivilegeManagement</a>
</div>
<div class="navbar-collapse collapse">
<ul class="nav navbar-nav">
<li><a asp-area="" asp-controller="Home" asp-action="Index">Home</a></li>
<li><a asp-area="" asp-controller="Home" asp-action="About">About</a></li>
<li><a asp-area="" asp-controller="Home" asp-action="Contact">Contact</a></li>
</ul>
<ul class="" style="float:right; margin:0;">
<li style="overflow:hidden;">
<div style="float:left;line-height:50px;margin-right:10px;">
<span style="color:#ffffff">當前用戶:@User.Identity.Name</span>
</div>
<div style="float:left;line-height:50px;">
<a asp-area="" asp-controller="Home" asp-action="Logout">注銷</a>
</div>
</li>
</ul>
</div>
</div>
</nav>
現在可以用chrome運行了,進行登錄頁后F12,查看Network—Cookies,可以看到有一個Cookie,這個是記錄returnUrl的Cookie,是否記得HomeController.cs中的Login Get的Action中代碼:TempData["returnUrl"] = returnUrl;這個TempData最后轉成了一個Cookie返回到客戶端了,如下圖:
輸入用戶名,密碼登錄,再次查看Cookies,發現多了一個.AspNetCore.Cookies,即把用戶驗證信息加密碼保存在了這個Cookie中,當跳轉到別的頁面時,這兩個Cookie會繼續在客戶端和服務傳送,用以驗證用戶角色。
二、自定義角色
系統的角色可以自定義,用戶是自寫到義,權限是固定的,角色對應權限可以自定義,用戶對應角色也是自定義的,如下圖:
項目代碼:
https://github.com/axzxs2001/Asp.NetCoreExperiment/tree/master/Asp.NetCoreExperiment/%E6%9D%83%E9%99%90%E7%AE%A1%E7%90%86/PrivilegeManagement
始於startup.cs
自定義角色與固定角色不同之處在於多了一個中間件(關於中間件學習參看:https://docs.microsoft.com/en-us/aspnet/core/fundamentals/middleware),即在Configure方法中,一定要在app.UseAuthentication下面添加驗證權限的中間件,因為UseAuthentication要從Cookie中加載通過驗證的用戶信息到Context.User中,所以一定放在加載完后才能去驗用戶信息(當然自己讀取Cookie也可以)
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using PrivilegeManagement.Middleware;
namespace PrivilegeManagement
{
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
.AddCookie(options =>
{
options.LoginPath = new PathString("/login");
options.AccessDeniedPath = new PathString("/denied");
}
);
services.AddMvc();
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
app.UseBrowserLink();
}
else
{
app.UseExceptionHandler("/Home/Error");
}
app.UseStaticFiles();
//驗證中間件
app.UseAuthentication();
////添加權限中間件, 一定要放在app.UseAuthentication后
app.UsePermission(new PermissionMiddlewareOption()
{
LoginAction = @"/login",
NoPermissionAction = @"/denied",
//這個集合從數據庫中查出所有用戶的全部權限
UserPerssions = new List<UserPermission>()
{
new UserPermission { Url="/", UserName="gsw"},
new UserPermission { Url="/home/contact", UserName="gsw"},
new UserPermission { Url="/home/about", UserName="aaa"},
new UserPermission { Url="/", UserName="aaa"}
}
});
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller=Home}/{action=Index}/{id?}");
});
}
}
}
下面看看中間件PermissionMiddleware.cs,在Invoke中用了context.User,如上面所述,首先要調用app.UseAuthentication加載用戶信息后才能在這里使用,這個中間件邏輯較簡單,如果沒有驗證的一律放過去,不作處理,如果驗證過(登錄成功了),就要查看本次請求的url和這個用戶可以訪問的權限是否匹配,如不匹配,就跳轉到拒絕頁面(這個是在Startup.cs中添加中間件時,用NoPermissionAction = @"/denied"設置的)
using Microsoft.AspNetCore.Http;
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Security.Claims;
using System.Threading.Tasks;
namespace PrivilegeManagement.Middleware
{
/// <summary>
/// 權限中間件
/// </summary>
public class PermissionMiddleware
{
/// <summary>
/// 管道代理對象
/// </summary>
private readonly RequestDelegate _next;
/// <summary>
/// 權限中間件的配置選項
/// </summary>
private readonly PermissionMiddlewareOption _option;
/// <summary>
/// 用戶權限集合
/// </summary>
internal static List<UserPermission> _userPermissions;
/// <summary>
/// 權限中間件構造
/// </summary>
/// <param name="next">管道代理對象</param>
/// <param name="permissionResitory">權限倉儲對象</param>
/// <param name="option">權限中間件配置選項</param>
public PermissionMiddleware(RequestDelegate next, PermissionMiddlewareOption option)
{
_option = option;
_next = next;
_userPermissions = option.UserPerssions;
}
/// <summary>
/// 調用管道
/// </summary>
/// <param name="context">請求上下文</param>
/// <returns></returns>
public Task Invoke(HttpContext context)
{
//請求Url
var questUrl = context.Request.Path.Value.ToLower();
//是否經過驗證
var isAuthenticated = context.User.Identity.IsAuthenticated;
if (isAuthenticated)
{
if (_userPermissions.GroupBy(g=>g.Url).Where(w => w.Key.ToLower() == questUrl).Count() > 0)
{
//用戶名
var userName = context.User.Claims.SingleOrDefault(s => s.Type == ClaimTypes.Sid).Value;
if (_userPermissions.Where(w => w.UserName == userName&&w.Url.ToLower()==questUrl).Count() > 0)
{
return this._next(context);
}
else
{
//無權限跳轉到拒絕頁面
context.Response.Redirect(_option.NoPermissionAction);
}
}
}
return this._next(context);
}
}
}
擴展中間件類PermissionMiddlewareExtensions.cs
using Microsoft.AspNetCore.Builder;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
namespace PrivilegeManagement.Middleware
{
/// <summary>
/// 擴展權限中間件
/// </summary>
public static class PermissionMiddlewareExtensions
{
/// <summary>
/// 引入權限中間件
/// </summary>
/// <param name="builder">擴展類型</param>
/// <param name="option">權限中間件配置選項</param>
/// <returns></returns>
public static IApplicationBuilder UsePermission(
this IApplicationBuilder builder, PermissionMiddlewareOption option)
{
return builder.UseMiddleware<PermissionMiddleware>(option);
}
}
}
中間件屬性PermissionMiddlewareOption.cs
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
namespace PrivilegeManagement.Middleware
{
/// <summary>
/// 權限中間件選項
/// </summary>
public class PermissionMiddlewareOption
{
/// <summary>
/// 登錄action
/// </summary>
public string LoginAction
{ get; set; }
/// <summary>
/// 無權限導航action
/// </summary>
public string NoPermissionAction
{ get; set; }
/// <summary>
/// 用戶權限集合
/// </summary>
public List<UserPermission> UserPerssions
{ get; set; } = new List<UserPermission>();
}
}
中間件實體類UserPermission.cs
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
namespace PrivilegeManagement.Middleware
{
/// <summary>
/// 用戶權限
/// </summary>
public class UserPermission
{
/// <summary>
/// 用戶名
/// </summary>
public string UserName
{ get; set; }
/// <summary>
/// 請求Url
/// </summary>
public string Url
{ get; set; }
}
}
關於自定義角色,因為不需要授權時帶上角色,所以可以定義一個基Controller類BaseController.cs,其他的Controller都繼承BaseController,這樣所有的action都可以通過中間件來驗證,當然像登錄,無權限提示頁面還是在Action上加[AllowAnomymous]
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
namespace PrivilegeManagement.Controllers
{
[Authorize]
public class BaseController:Controller
{
}
}
HomeController.cs如下,與固定角色的HomeController.cs差異只在Controller和Action上的Authorize特性。
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using PrivilegeManagement.Models;
using Microsoft.AspNetCore.Authorization;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication;
namespace PrivilegeManagement.Controllers
{
public class HomeController : BaseController
{
public IActionResult Index()
{
return View();
}
public IActionResult About()
{
ViewData["Message"] = "Your application description page.";
return View();
}
public IActionResult Contact()
{
ViewData["Message"] = "Your contact page.";
return View();
}
public IActionResult Error()
{
return View(new ErrorViewModel { RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier });
}
[AllowAnonymous]
[HttpGet("login")]
public IActionResult Login(string returnUrl = null)
{
TempData["returnUrl"] = returnUrl;
return View();
}
[AllowAnonymous]
[HttpPost("login")]
public async Task<IActionResult> Login(string userName,string password, string returnUrl = null)
{
var list = new List<dynamic> {
new { UserName = "gsw", Password = "111111", Role = "admin",Name="桂素偉" },
new { UserName = "aaa", Password = "222222", Role = "system",Name="測試A" }
};
var user = list.SingleOrDefault(s => s.UserName == userName && s.Password == password);
if (user != null)
{
//用戶標識
var identity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme);
identity.AddClaim(new Claim(ClaimTypes.Sid, userName));
identity.AddClaim(new Claim(ClaimTypes.Name, user.Name));
identity.AddClaim(new Claim(ClaimTypes.Role, user.Role));
await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity));
if (returnUrl == null)
{
returnUrl = TempData["returnUrl"]?.ToString();
}
if (returnUrl != null)
{
return Redirect(returnUrl);
}
else
{
return RedirectToAction(nameof(HomeController.Index), "Home");
}
}
else
{
const string badUserNameOrPasswordMessage = "用戶名或密碼錯誤!";
return BadRequest(badUserNameOrPasswordMessage);
}
}
[HttpGet("logout")]
public async Task<IActionResult> Logout()
{
await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
return RedirectToAction("Index", "Home");
}
[HttpGet("denied")]
public IActionResult Denied()
{
return View();
}
}
}
全部代碼:https://github.com/axzxs2001/Asp.NetCoreExperiment/tree/master/Asp.NetCoreExperiment/%E6%9D%83%E9%99%90%E7%AE%A1%E7%90%86
原文地址:https://www.cnblogs.com/axzxs2001/p/7482771.html
