Web用戶的身份驗證及WebApi權限驗證流程的設計和實現

時間 2019-11-17

標籤 web 用戶身份驗證 webapi 權限流程設計實現欄目 HTML 简体版

原文原文鏈接

5. WebApi 服務端代碼示例html

5.1 控制器基類ApiControllerBase前端

[csharp]view plaincopy
       
   
 /// 
 /// Controller的基類，用於實現適合業務場景的基礎功能 
 /// 
 /// 
 [BasicAuthentication]
 public abstract class  ApiControllerBase : ApiController
 {
 }

5.2 權限屬性BaseAuthenticationAttributegit

[csharp]view plaincopy
       
   
 /// 
  /// 基本驗證Attribtue，用以Action的權限處理 
 /// 
  public class  BasicAuthenticationAttribute : ActionFilterAttribute
 {
  /// 
 /// 檢查用戶是否有該Action執行的操做權限 
  /// 
 /// 
  public override void  OnActionExecuting(HttpActionContext actionContext)
 {
  //檢驗用戶ticket信息，用戶ticket信息來自調用發起方 
 if  (actionContext.Request.Headers.Authorization != null)
  {
 //解密用戶ticket,並校驗用戶名密碼是否匹配 
  var encryptTicket = actionContext.Request.Headers.Authorization.Parameter;
 if  (ValidateUserTicket(encryptTicket))
  base.OnActionExecuting(actionContext);
 else 
  actionContext.Response = new  HttpResponseMessage(HttpStatusCode.Unauthorized);
 }
  else 
 {
  //檢查web.config配置是否要求權限校驗 
 bool  isRquired = (WebConfigurationManager.AppSettings["WebApiAuthenticatedFlag"].ToString() == "true");
  if  (isRquired)
 {
  //若是請求Header不包含ticket，則判斷是不是匿名調用 
 var attr = actionContext.ActionDescriptor.GetCustomAttributes().OfType();
  bool  isAnonymous = attr.Any(a => a is  AllowAnonymousAttribute);
  //是匿名用戶，則繼續執行；非匿名用戶，拋出「未受權訪問」信息 
 if  (isAnonymous)
  base.OnActionExecuting(actionContext);
 else 
  actionContext.Response = new  HttpResponseMessage(HttpStatusCode.Unauthorized);
 }
  else 
 {
  base.OnActionExecuting(actionContext);
 }
  }
 }
 /// 
  /// 校驗用戶ticket信息 
 /// 
  /// 
 /// 
  private bool  ValidateUserTicket(string  encryptTicket)
 {
  var userTicket = FormsAuthentication.Decrypt(encryptTicket);
 var userTicketData = userTicket.UserData;
 string  userName = userTicketData.Substring(0, userTicketData.IndexOf(":"));
  string  password = userTicketData.Substring(userTicketData.IndexOf(":") + 1);
  //檢查用戶名、密碼是否正確，驗證是合法用戶 
 //var isQuilified = CheckUser(userName, password); 
  return true;
 }
  }

5.3 api服務Controller實例github

[csharp]view plaincopy
       
   
 public class  ProductController : ApiControllerBase
  {
  [HttpGet]
 public object  Find(string  id)
  {
 return  ProductServiceInstance.Find(2);
  }
  // GET api/product/5 
 [HttpGet]
  [AllowAnonymous]
 public  Product Get(string  id)
  {
 var headers = Request.Headers;
  var p = ProductServiceInstance.GetById(long.Parse(id));
 if  (p == null)
  {
 throw new  HttpResponseException(new  HttpResponseMessage(HttpStatusCode.BadRequest)
  Content = new  StringContent("id3 not found"), ReasonPhrase = "product id not exist."  });
 }
  return  p;
 }
  }

6. 其它配置說明web

6.1 Mvc前端Web.Config 配置api

[html]view plaincopy
       
   
 <</SPAN>system.web> 
  <</SPAN>compilation debug="true" targetFramework="4.5"> 
 <</SPAN>assemblies> 
  <</SPAN>add assembly="System.Web.Http.Data.Helpers, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> 
 </</SPAN>assemblies> 
  </</SPAN>compilation> 
 <</SPAN>httpRuntime targetFramework="4.5" /> 
  <</SPAN>authentication mode="Forms"> 
 <</SPAN>forms loginUrl="~/Account/Login" defaultUrl="~/Home/Index" protection="All" timeout="90" name=".AuthCookie"></</SPAN>forms> 
  </</SPAN>authentication> 
 <</SPAN>machineKey validationKey="3FFA12388DDF585BA5D35E7BC87E3F0AB47FBBEBD12240DD3BEA2BEAEC4ABA213F22AD27E8FAD77DCFEE306219691434908D193A17C1FC8DCE51B71A4AE54920" decryptionKey="ECB6A3AF9ABBF3F16E80685ED68DC74B0B13CCEE538EBBA97D0B893139683B3B" validation="SHA1" decryption="AES" /> 
  </</SPAN>system.web> 

machineKey節點配置，是應用於對用戶ticket數據加密和解密。架構

6.2 WebApi服務端Web.Config配置框架

[html]view plaincopy
       
   
 <</SPAN>system.web> 
  <</SPAN>machineKey validationKey="3FF112388DDF585BA5D35E7BC87E3F0AB47FBBEBD12240DD3BEA2BEAEC4ABA213F22AD27E8FAD77DCFEE306219691434908D193A17C1FC8DCE51B71A4AE54920" decryptionKey="ECB6A3AF9ABBF3F16E80685ED68DC74B0B13CCEE538EBBA97D0B893139683B3B" validation="SHA1" decryption="AES" /> 
 </</SPAN>system.web> 