Web用户的身份验证及WebApi权限验证流程的设计和实现(尾)
5. WebApi 服务端代码示例
5.1 控制器基类ApiControllerBase
- ///
- /// Controller的基类,用于实现适合业务场景的基础功能
- ///
- ///
- [BasicAuthentication]
- public abstract class ApiControllerBase : ApiController
- {
- }
5.2 权限属性BaseAuthenticationAttribute
- ///
- /// 基本验证Attribtue,用以Action的权限处理
- ///
- public class BasicAuthenticationAttribute : ActionFilterAttribute
- {
- ///
- /// 检查用户是否有该Action执行的操作权限
- ///
- ///
- public override void OnActionExecuting(HttpActionContext actionContext)
- {
- //检验用户ticket信息,用户ticket信息来自调用发起方
- if (actionContext.Request.Headers.Authorization != null)
- {
- //解密用户ticket,并校验用户名密码是否匹配
- var encryptTicket = actionContext.Request.Headers.Authorization.Parameter;
- if (ValidateUserTicket(encryptTicket))
- base.OnActionExecuting(actionContext);
- else
- actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
- }
- else
- {
- //检查web.config配置是否要求权限校验
- bool isRquired = (WebConfigurationManager.AppSettings["WebApiAuthenticatedFlag"].ToString() == "true");
- if (isRquired)
- {
- //如果请求Header不包含ticket,则判断是否是匿名调用
- var attr = actionContext.ActionDescriptor.GetCustomAttributes().OfType();
- bool isAnonymous = attr.Any(a => a is AllowAnonymousAttribute);
- //是匿名用户,则继续执行;非匿名用户,抛出“未授权访问”信息
- if (isAnonymous)
- base.OnActionExecuting(actionContext);
- else
- actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
- }
- else
- {
- base.OnActionExecuting(actionContext);
- }
- }
- }
- ///
- /// 校验用户ticket信息
- ///
- ///
- ///
- private bool ValidateUserTicket(string encryptTicket)
- {
- var userTicket = FormsAuthentication.Decrypt(encryptTicket);
- var userTicketData = userTicket.UserData;
- string userName = userTicketData.Substring(0, userTicketData.IndexOf(":"));
- string password = userTicketData.Substring(userTicketData.IndexOf(":") + 1);
- //检查用户名、密码是否正确,验证是合法用户
- //var isQuilified = CheckUser(userName, password);
- return true;
- }
- }
5.3 api服务Controller实例
- public class ProductController : ApiControllerBase
- {
- [HttpGet]
- public object Find(string id)
- {
- return ProductServiceInstance.Find(2);
- }
- // GET api/product/5
- [HttpGet]
- [AllowAnonymous]
- public Product Get(string id)
- {
- var headers = Request.Headers;
- var p = ProductServiceInstance.GetById(long.Parse(id));
- if (p == null)
- {
- throw new HttpResponseException(new HttpResponseMessage(HttpStatusCode.BadRequest)
- Content = new StringContent("id3 not found"), ReasonPhrase = "product id not exist." });
- }
- return p;
- }
- }
6. 其它配置说明
6.1 Mvc前端Web.Config 配置
- <</SPAN>system.web>
- <</SPAN>compilation debug="true" targetFramework="4.5">
- <</SPAN>assemblies>
- <</SPAN>add assembly="System.Web.Http.Data.Helpers, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
- </</SPAN>assemblies>
- </</SPAN>compilation>
- <</SPAN>httpRuntime targetFramework="4.5" />
- <</SPAN>authentication mode="Forms">
- <</SPAN>forms loginUrl="~/Account/Login" defaultUrl="~/Home/Index" protection="All"timeout="90" name=".AuthCookie"></</SPAN>forms>
- </</SPAN>authentication>
- <</SPAN>machineKey validationKey="3FFA12388DDF585BA5D35E7BC87E3F0AB47FBBEBD12240DD3BEA2BEAEC4ABA213F22AD27E8FAD77DCFEE306219691434908D193A17C1FC8DCE51B71A4AE54920"decryptionKey="ECB6A3AF9ABBF3F16E80685ED68DC74B0B13CCEE538EBBA97D0B893139683B3B"validation="SHA1" decryption="AES" />
- </</SPAN>system.web>
machineKey节点配置,是应用于对用户ticket数据加密和解密。
6.2 WebApi服务端Web.Config配置
- <</SPAN>system.web>
- <</SPAN>machineKey validationKey="3FF112388DDF585BA5D35E7BC87E3F0AB47FBBEBD12240DD3BEA2BEAEC4ABA213F22AD27E8FAD77DCFEE306219691434908D193A17C1FC8DCE51B71A4AE54920"decryptionKey="ECB6A3AF9ABBF3F16E80685ED68DC74B0B13CCEE538EBBA97D0B893139683B3B"validation="SHA1" decryption="AES" />
- </</SPAN>system.web>
machineKey节点配置,是应用于对用户ticket数据加密和解密。
7. 总结
Web系统的用户登录及页面操作权限验证在处理逻辑上比较复杂,需要考虑到Form认证、匿名访问,Session和Cookie存储,以及Session和Cookie的过期处理,本文实现了整个权限验证框架的基本功能,供系统架构设计人员以及Web开发人员参考。
Demo项目代码地址:
https://github.com/lgsky/DemoUserAuthorization/