在asp.net core中,微軟提供了基於認證(Authentication)和受權(Authorization)的方式,來實現權限管理的,本篇博文,介紹基於固定角色的權限管理和自定義角色權限管理,本文內容,更適合傳統行業的BS應用,而非互聯網應用。html
在asp.net core中,咱們認證(Authentication)一般是在Login的Post Action中進行用戶名或密碼來驗證用戶是否正確,若是經過驗證,即該用戶就會得到一個或幾個特定的角色,經過ClaimTypes.Role來存儲角色,從而當一個請求到達時,用這個角色和Controller或Action上加的特性 [Authorize(Roles = "admin,system")]來受權是否有權訪問該Action。本文中的自定義角色,會把驗證放在中間件中進行處理。前端
1、固定角色:git
即把角色與具體的Controller或Action直接關聯起來,整個系統中的角色是固定的,每種角色能夠訪問那些Controller或Action也是固定的,這作法比較適合小型項目,角色分工很是明確的項目。github
項目代碼:chrome
始於startup.cscookie
須要在ConfigureServices中注入Cookie的相關信息,options是CookieAuthenticationOptions,關於這個類型提供以下屬性,可參考:https://docs.microsoft.com/en-us/aspnet/core/security/authentication/cookie?tabs=aspnetcore2xapp
它提供了登陸的一些信息,或登陸生成Cookie的一些信息,用之後asp.net
1 public void ConfigureServices(IServiceCollection services) 2 { 3 services.AddMvc(); 4 //添加認證Cookie信息 5 services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme) 6 .AddCookie(options => 7 { 8 options.LoginPath = new PathString("/login"); 9 options.AccessDeniedPath = new PathString("/denied"); 10 }); 11 } 12 13 public void Configure(IApplicationBuilder app, IHostingEnvironment env) 14 { 15 if (env.IsDevelopment()) 16 { 17 app.UseDeveloperExceptionPage(); 18 app.UseBrowserLink(); 19 } 20 else 21 { 22 app.UseExceptionHandler("/Home/Error"); 23 } 24 app.UseStaticFiles(); 25 //驗證中間件 26 app.UseAuthentication(); 27 app.UseMvc(routes => 28 { 29 routes.MapRoute( 30 name: "default", 31 template: "{controller=Home}/{action=Index}/{id?}"); 32 }); 33 }
HomeController.csasync
對於Login Get的Action,把returnUrl用戶想要訪問的地址(有可能用戶記錄下想要訪問的url了,但系統會轉到登陸頁,登陸成功後直接跳轉到想要訪問的returnUrl頁)
對於Login Post的Action,驗證用戶密和密碼,成功能,定義一個ClaimsIdentity,把用戶名和角色,和用戶姓名的聲明都添回進來(這個角色,就是用來驗證可訪問action的角色 )做來該用戶標識,接下來調用HttpContext.SignInAsync進行登陸,注意此方法的第一個參數,必需與StartUp.cs中services.AddAuthentication的參數相同,AddAuthentication是設置登陸,SigninAsync是按設置參數進行登陸
對於Logout Get的Action,是退出登陸
HomeController上的[Authorize(Roles=」admin,system」)]角色和權限的關係時,全部Action只有admin和system兩個角色能訪問到,About上的[Authorize(Roles=」admin」)]聲明這個action只能admin角色訪問,Contact上的[Authorize(Roles=」system」)]聲明這個action只能system角色訪問,若是action上聲明的是[AllowAnomymous],說明不受受權管理,能夠直接訪問。
1 using System; 2 using System.Collections.Generic; 3 using System.Diagnostics; 4 using System.Linq; 5 using System.Threading.Tasks; 6 using Microsoft.AspNetCore.Mvc; 7 using RolePrivilegeManagement.Models; 8 using System.Security.Claims; 9 using Microsoft.AspNetCore.Authentication; 10 using Microsoft.AspNetCore.Authentication.Cookies; 11 using Microsoft.AspNetCore.Authorization; 12 13 namespace RolePrivilegeManagement.Controllers 14 { 15 [Authorize(Roles = "admin,system")] 16 public class HomeController : Controller 17 { 18 public IActionResult Index() 19 { 20 return View(); 21 } 22 [Authorize(Roles = "admin")] 23 public IActionResult About() 24 { 25 ViewData["Message"] = "Your application description page."; 26 return View(); 27 } 28 [Authorize(Roles = "system")] 29 public IActionResult Contact() 30 { 31 ViewData["Message"] = "Your contact page."; 32 return View(); 33 } 34 public IActionResult Error() 35 { 36 return View(new ErrorViewModel { RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier }); 37 } 38 [AllowAnonymous] 39 [HttpGet("login")] 40 public IActionResult Login(string returnUrl = null) 41 { 42 TempData["returnUrl"] = returnUrl; 43 return View(); 44 } 45 [AllowAnonymous] 46 [HttpPost("login")] 47 public async Task<IActionResult> Login(string userName, string password, string returnUrl = null) 48 { 49 var list = new List<dynamic> { 50 new { UserName = "gsw", Password = "111111", Role = "admin" }, 51 new { UserName = "aaa", Password = "222222", Role = "system" } 52 }; 53 var user = list.SingleOrDefault(s => s.UserName == userName && s.Password == password); 54 if (user!=null) 55 { 56 //用戶標識 57 var identity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme); 58 identity.AddClaim(new Claim(ClaimTypes.Sid, userName)); 59 identity.AddClaim(new Claim(ClaimTypes.Name, user.Name)); 60 identity.AddClaim(new Claim(ClaimTypes.Role, user.Role)); 61 await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity)); 62 if (returnUrl == null) 63 { 64 returnUrl = TempData["returnUrl"]?.ToString(); 65 } 66 if (returnUrl != null) 67 { 68 return Redirect(returnUrl); 69 } 70 else 71 { 72 return RedirectToAction(nameof(HomeController.Index), "Home"); 73 } 74 } 75 else 76 { 77 const string badUserNameOrPasswordMessage = "用戶名或密碼錯誤!"; 78 return BadRequest(badUserNameOrPasswordMessage); 79 } 80 } 81 [HttpGet("logout")] 82 public async Task<IActionResult> Logout() 83 { 84 await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme); 85 return RedirectToAction("Index", "Home"); 86 } 87 [AllowAnonymous] 88 [HttpGet("denied")] 89 public IActionResult Denied() 90 { 91 return View(); 92 } 93 } 94 }
前端_Layout.cshtml佈局頁,在登陸成功後的任何頁面均可以用@User.Identity.Name就能夠獲取用戶姓名,同時用@User.Claims.SingleOrDefault(s=>s.Type== System.Security.Claims.ClaimTypes.Sid).Value能夠獲取用戶名或角色。
1 <nav class="navbar navbar-inverse navbar-fixed-top"> 2 <div class="container"> 3 <div class="navbar-header"> 4 <button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse"> 5 <span class="sr-only">Toggle navigation</span> 6 <span class="icon-bar"></span> 7 <span class="icon-bar"></span> 8 <span class="icon-bar"></span> 9 </button> 10 <a asp-area="" asp-controller="Home" asp-action="Index" class="navbar-brand">RolePrivilegeManagement</a> 11 </div> 12 <div class="navbar-collapse collapse"> 13 <ul class="nav navbar-nav"> 14 <li><a asp-area="" asp-controller="Home" asp-action="Index">Home</a></li> 15 <li><a asp-area="" asp-controller="Home" asp-action="About">About</a></li> 16 <li><a asp-area="" asp-controller="Home" asp-action="Contact">Contact</a></li> 17 </ul> 18 <ul class="" style="float:right; margin:0;"> 19 <li style="overflow:hidden;"> 20 <div style="float:left;line-height:50px;margin-right:10px;"> 21 <span style="color:#ffffff">當前用戶:@User.Identity.Name</span> 22 </div> 23 <div style="float:left;line-height:50px;"> 24 <a asp-area="" asp-controller="Home" asp-action="Logout">註銷</a> 25 </div> 26 </li> 27 </ul> 28 </div> 29 </div> 30 </nav>
如今能夠用chrome運行了,進行登陸頁後F12,查看Network—Cookies,能夠看到有一個Cookie,這個是記錄returnUrl的Cookie,是否記得HomeController.cs中的Login Get的Action中代碼:TempData["returnUrl"] = returnUrl;這個TempData最後轉成了一個Cookie返回到客戶端了,以下圖:
輸入用戶名,密碼登陸,再次查看Cookies,發現多了一個.AspNetCore.Cookies,即把用戶驗證信息加密碼保存在了這個Cookie中,當跳轉到別的頁面時,這兩個Cookie會繼續在客戶端和服務傳送,用以驗證用戶角色。
2、自定義角色
系統的角色能夠自定義,用戶是自寫到義,權限是固定的,角色對應權限能夠自定義,用戶對應角色也是自定義的,以下圖:
項目代碼:
始於startup.cs
自定義角色與固定角色不一樣之處在於多了一箇中間件(關於中間件學習參看:https://docs.microsoft.com/en-us/aspnet/core/fundamentals/middleware),即在Configure方法中,必定要在app.UseAuthentication下面添加驗證權限的中間件,由於UseAuthentication要從Cookie中加載經過驗證的用戶信息到Context.User中,因此必定放在加載完後才能去驗用戶信息(固然本身讀取Cookie也能夠)
1 using System; 2 using System.Collections.Generic; 3 using System.Linq; 4 using System.Threading.Tasks; 5 using Microsoft.AspNetCore.Builder; 6 using Microsoft.AspNetCore.Hosting; 7 using Microsoft.Extensions.Configuration; 8 using Microsoft.Extensions.DependencyInjection; 9 using Microsoft.AspNetCore.Authentication.Cookies; 10 using Microsoft.AspNetCore.Http; 11 using PrivilegeManagement.Middleware; 12 13 namespace PrivilegeManagement 14 { 15 public class Startup 16 { 17 public Startup(IConfiguration configuration) 18 { 19 Configuration = configuration; 20 } 21 public IConfiguration Configuration { get; } 22 23 public void ConfigureServices(IServiceCollection services) 24 { 25 services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme) 26 .AddCookie(options => 27 { 28 options.LoginPath = new PathString("/login"); 29 options.AccessDeniedPath = new PathString("/denied"); 30 } 31 ); 32 services.AddMvc(); 33 } 34 35 public void Configure(IApplicationBuilder app, IHostingEnvironment env) 36 { 37 if (env.IsDevelopment()) 38 { 39 app.UseDeveloperExceptionPage(); 40 app.UseBrowserLink(); 41 } 42 else 43 { 44 app.UseExceptionHandler("/Home/Error"); 45 } 46 47 app.UseStaticFiles(); 48 //驗證中間件 49 app.UseAuthentication(); 50 ////添加權限中間件, 必定要放在app.UseAuthentication後 51 app.UsePermission(new PermissionMiddlewareOption() 52 { 53 LoginAction = @"/login", 54 NoPermissionAction = @"/denied", 55 //這個集合從數據庫中查出全部用戶的所有權限 56 UserPerssions = new List<UserPermission>() 57 { 58 new UserPermission { Url="/", UserName="gsw"}, 59 new UserPermission { Url="/home/contact", UserName="gsw"}, 60 new UserPermission { Url="/home/about", UserName="aaa"}, 61 new UserPermission { Url="/", UserName="aaa"} 62 } 63 }); 64 app.UseMvc(routes => 65 { 66 routes.MapRoute( 67 name: "default", 68 template: "{controller=Home}/{action=Index}/{id?}"); 69 }); 70 } 71 } 72 }
下面看看中間件PermissionMiddleware.cs,在Invoke中用了context.User,如上面所述,首先要調用app.UseAuthentication加載用戶信息後才能在這裏使用,這個中間件邏輯較簡單,若是沒有驗證的一概放過去,不做處理,若是驗證過(登陸成功了),就要查看本次請求的url和這個用戶能夠訪問的權限是否匹配,如不匹配,就跳轉到拒絕頁面(這個是在Startup.cs中添加中間件時,用NoPermissionAction = @"/denied"設置的)
1 using Microsoft.AspNetCore.Http; 2 using System; 3 using System.Collections.Generic; 4 using System.IO; 5 using System.Linq; 6 using System.Reflection; 7 using System.Security.Claims; 8 using System.Threading.Tasks; 9 10 namespace PrivilegeManagement.Middleware 11 { 12 /// <summary> 13 /// 權限中間件 14 /// </summary> 15 public class PermissionMiddleware 16 { 17 /// <summary> 18 /// 管道代理對象 19 /// </summary> 20 private readonly RequestDelegate _next; 21 /// <summary> 22 /// 權限中間件的配置選項 23 /// </summary> 24 private readonly PermissionMiddlewareOption _option; 25 26 /// <summary> 27 /// 用戶權限集合 28 /// </summary> 29 internal static List<UserPermission> _userPermissions; 30 31 /// <summary> 32 /// 權限中間件構造 33 /// </summary> 34 /// <param name="next">管道代理對象</param> 35 /// <param name="permissionResitory">權限倉儲對象</param> 36 /// <param name="option">權限中間件配置選項</param> 37 public PermissionMiddleware(RequestDelegate next, PermissionMiddlewareOption option) 38 { 39 _option = option; 40 _next = next; 41 _userPermissions = option.UserPerssions; 42 } 43 /// <summary> 44 /// 調用管道 45 /// </summary> 46 /// <param name="context">請求上下文</param> 47 /// <returns></returns> 48 public Task Invoke(HttpContext context) 49 { 50 //請求Url 51 var questUrl = context.Request.Path.Value.ToLower(); 52 53 //是否通過驗證 54 var isAuthenticated = context.User.Identity.IsAuthenticated; 55 if (isAuthenticated) 56 { 57 if (_userPermissions.GroupBy(g=>g.Url).Where(w => w.Key.ToLower() == questUrl).Count() > 0) 58 { 59 //用戶名 60 var userName = context.User.Claims.SingleOrDefault(s => s.Type == ClaimTypes.Sid).Value; 61 if (_userPermissions.Where(w => w.UserName == userName&&w.Url.ToLower()==questUrl).Count() > 0) 62 { 63 return this._next(context); 64 } 65 else 66 { 67 //無權限跳轉到拒絕頁面 68 context.Response.Redirect(_option.NoPermissionAction); 69 } 70 } 71 } 72 return this._next(context); 73 } 74 } 75 }
擴展中間件類PermissionMiddlewareExtensions.cs
1 using Microsoft.AspNetCore.Builder; 2 using System; 3 using System.Collections.Generic; 4 using System.Linq; 5 using System.Threading.Tasks; 6 7 namespace PrivilegeManagement.Middleware 8 { 9 /// <summary> 10 /// 擴展權限中間件 11 /// </summary> 12 public static class PermissionMiddlewareExtensions 13 { 14 /// <summary> 15 /// 引入權限中間件 16 /// </summary> 17 /// <param name="builder">擴展類型</param> 18 /// <param name="option">權限中間件配置選項</param> 19 /// <returns></returns> 20 public static IApplicationBuilder UsePermission( 21 this IApplicationBuilder builder, PermissionMiddlewareOption option) 22 { 23 return builder.UseMiddleware<PermissionMiddleware>(option); 24 } 25 } 26 }
中間件屬性PermissionMiddlewareOption.cs
1 using System; 2 using System.Collections.Generic; 3 using System.Linq; 4 using System.Threading.Tasks; 5 6 namespace PrivilegeManagement.Middleware 7 { 8 /// <summary> 9 /// 權限中間件選項 10 /// </summary> 11 public class PermissionMiddlewareOption 12 { 13 /// <summary> 14 /// 登陸action 15 /// </summary> 16 public string LoginAction 17 { get; set; } 18 /// <summary> 19 /// 無權限導航action 20 /// </summary> 21 public string NoPermissionAction 22 { get; set; } 23 24 /// <summary> 25 /// 用戶權限集合 26 /// </summary> 27 public List<UserPermission> UserPerssions 28 { get; set; } = new List<UserPermission>(); 29 } 30 }
中間件實體類UserPermission.cs
1 using System; 2 using System.Collections.Generic; 3 using System.Linq; 4 using System.Threading.Tasks; 5 6 namespace PrivilegeManagement.Middleware 7 { 8 /// <summary> 9 /// 用戶權限 10 /// </summary> 11 public class UserPermission 12 { 13 /// <summary> 14 /// 用戶名 15 /// </summary> 16 public string UserName 17 { get; set; } 18 /// <summary> 19 /// 請求Url 20 /// </summary> 21 public string Url 22 { get; set; } 23 } 24 }
關於自定義角色,由於不須要受權時帶上角色,因此能夠定義一個基Controller類BaseController.cs,其餘的Controller都繼承BaseController,這樣全部的action均可以經過中間件來驗證,固然像登陸,無權限提示頁面仍是在Action上加[AllowAnomymous]
1 using Microsoft.AspNetCore.Authorization; 2 using Microsoft.AspNetCore.Mvc; 3 namespace PrivilegeManagement.Controllers 4 { 5 [Authorize] 6 public class BaseController:Controller 7 { 8 } 9 }
HomeController.cs以下,與固定角色的HomeController.cs差別只在Controller和Action上的Authorize特性。
1 using System; 2 using System.Collections.Generic; 3 using System.Diagnostics; 4 using System.Linq; 5 using System.Threading.Tasks; 6 using Microsoft.AspNetCore.Mvc; 7 using PrivilegeManagement.Models; 8 using Microsoft.AspNetCore.Authorization; 9 using System.Security.Claims; 10 using Microsoft.AspNetCore.Authentication.Cookies; 11 using Microsoft.AspNetCore.Authentication; 12 13 namespace PrivilegeManagement.Controllers 14 { 15 16 public class HomeController : BaseController 17 { 18 public IActionResult Index() 19 { 20 return View(); 21 } 22 23 public IActionResult About() 24 { 25 ViewData["Message"] = "Your application description page."; 26 27 return View(); 28 } 29 30 public IActionResult Contact() 31 { 32 ViewData["Message"] = "Your contact page."; 33 34 return View(); 35 } 36 37 public IActionResult Error() 38 { 39 return View(new ErrorViewModel { RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier }); 40 } 41 [AllowAnonymous] 42 [HttpGet("login")] 43 public IActionResult Login(string returnUrl = null) 44 { 45 TempData["returnUrl"] = returnUrl; 46 return View(); 47 } 48 [AllowAnonymous] 49 [HttpPost("login")] 50 public async Task<IActionResult> Login(string userName,string password, string returnUrl = null) 51 { 52 var list = new List<dynamic> { 53 new { UserName = "gsw", Password = "111111", Role = "admin",Name="桂素偉" }, 54 new { UserName = "aaa", Password = "222222", Role = "system",Name="測試A" } 55 }; 56 var user = list.SingleOrDefault(s => s.UserName == userName && s.Password == password); 57 if (user != null) 58 { 59 //用戶標識 60 var identity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme); 61 identity.AddClaim(new Claim(ClaimTypes.Sid, userName)); 62 identity.AddClaim(new Claim(ClaimTypes.Name, user.Name)); 63 identity.AddClaim(new Claim(ClaimTypes.Role, user.Role)); 64 65 await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity)); 66 if (returnUrl == null) 67 { 68 returnUrl = TempData["returnUrl"]?.ToString(); 69 } 70 if (returnUrl != null) 71 { 72 return Redirect(returnUrl); 73 } 74 else 75 { 76 return RedirectToAction(nameof(HomeController.Index), "Home"); 77 } 78 } 79 else 80 { 81 const string badUserNameOrPasswordMessage = "用戶名或密碼錯誤!"; 82 return BadRequest(badUserNameOrPasswordMessage); 83 } 84 } 85 [HttpGet("logout")] 86 public async Task<IActionResult> Logout() 87 { 88 await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme); 89 return RedirectToAction("Index", "Home"); 90 } 91 [HttpGet("denied")] 92 public IActionResult Denied() 93 { 94 return View(); 95 } 96 } 97 }
所有代碼:https://github.com/axzxs2001/Asp.NetCoreExperiment/tree/master/Asp.NetCoreExperiment/%E6%9D%83%E9%99%90%E7%AE%A1%E7%90%86