asp.net core 2.0的認證和受權

在asp.net core中，微軟提供了基於認證（Authentication）和受權（Authorization）的方式，來實現權限管理的，本篇博文，介紹基於固定角色的權限管理和自定義角色權限管理，本文內容，更適合傳統行業的BS應用，而非互聯網應用。

在asp.net core中，咱們認證（Authentication）一般是在Login的Post Action中進行用戶名或密碼來驗證用戶是否正確，若是經過驗證，即該用戶就會得到一個或幾個特定的角色，經過ClaimTypes.Role來存儲角色，從而當一個請求到達時，用這個角色和Controller或Action上加的特性 [Authorize(Roles = "admin,system")]來受權是否有權訪問該Action。本文中的自定義角色，會把驗證放在中間件中進行處理。

 1、固定角色：

即把角色與具體的Controller或Action直接關聯起來，整個系統中的角色是固定的，每種角色能夠訪問那些Controller或Action也是固定的，這作法比較適合小型項目，角色分工很是明確的項目。

項目代碼：

https://github.com/axzxs2001/Asp.NetCoreExperiment/tree/master/Asp.NetCoreExperiment/%E6%9D%83%E9%99%90%E7%AE%A1%E7%90%86/RolePrivilegeManagement

始於startup.cs

須要在ConfigureServices中注入Cookie的相關信息，options是CookieAuthenticationOptions，關於這個類型提供以下屬性，可參考：https://docs.microsoft.com/en-us/aspnet/core/security/authentication/cookie?tabs=aspnetcore2x

 

它提供了登陸的一些信息，或登陸生成Cookie的一些信息，用之後

 1         public void ConfigureServices(IServiceCollection services)
 2         {
 3             services.AddMvc();
 4             //添加認證Cookie信息
 5             services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
 6              .AddCookie(options =>
 7              {
 8                  options.LoginPath = new PathString("/login");
 9                  options.AccessDeniedPath = new PathString("/denied");
10              });
11         }
12 
13         public void Configure(IApplicationBuilder app, IHostingEnvironment env)
14         {
15             if (env.IsDevelopment())
16             {
17                 app.UseDeveloperExceptionPage();
18                 app.UseBrowserLink();
19             }
20             else
21             {
22                 app.UseExceptionHandler("/Home/Error");
23             }
24             app.UseStaticFiles();
25             //驗證中間件
26             app.UseAuthentication();
27             app.UseMvc(routes =>
28             {
29                 routes.MapRoute(
30                     name: "default",
31                     template: "{controller=Home}/{action=Index}/{id?}");
32             });
33         }

HomeController.cs

對於Login Get的Action，把returnUrl用戶想要訪問的地址（有可能用戶記錄下想要訪問的url了，但系統會轉到登陸頁，登陸成功後直接跳轉到想要訪問的returnUrl頁）

對於Login Post的Action，驗證用戶密和密碼，成功能，定義一個ClaimsIdentity，把用戶名和角色，和用戶姓名的聲明都添回進來（這個角色，就是用來驗證可訪問action的角色 ）做來該用戶標識，接下來調用HttpContext.SignInAsync進行登陸，注意此方法的第一個參數，必需與StartUp.cs中services.AddAuthentication的參數相同，AddAuthentication是設置登陸，SigninAsync是按設置參數進行登陸

對於Logout Get的Action，是退出登陸

HomeController上的[Authorize(Roles=」admin,system」)]角色和權限的關係時，全部Action只有admin和system兩個角色能訪問到，About上的[Authorize(Roles=」admin」)]聲明這個action只能admin角色訪問，Contact上的[Authorize(Roles=」system」)]聲明這個action只能system角色訪問，若是action上聲明的是[AllowAnomymous]，說明不受受權管理，能夠直接訪問。

 1 using System;
 2 using System.Collections.Generic;
 3 using System.Diagnostics;
 4 using System.Linq;
 5 using System.Threading.Tasks;
 6 using Microsoft.AspNetCore.Mvc;
 7 using RolePrivilegeManagement.Models;
 8 using System.Security.Claims;
 9 using Microsoft.AspNetCore.Authentication;
10 using Microsoft.AspNetCore.Authentication.Cookies;
11 using Microsoft.AspNetCore.Authorization;
12 
13 namespace RolePrivilegeManagement.Controllers
14 {
15     [Authorize(Roles = "admin,system")]
16     public class HomeController : Controller
17     {
18         public IActionResult Index()
19         {
20             return View();
21         }
22         [Authorize(Roles = "admin")]
23         public IActionResult About()
24         {
25             ViewData["Message"] = "Your application description page.";
26             return View();
27         }
28         [Authorize(Roles = "system")]
29         public IActionResult Contact()
30         {
31             ViewData["Message"] = "Your contact page.";
32             return View();
33         }
34         public IActionResult Error()
35         {
36             return View(new ErrorViewModel { RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier });
37         }
38         [AllowAnonymous]
39         [HttpGet("login")]
40         public IActionResult Login(string returnUrl = null)
41         {
42             TempData["returnUrl"] = returnUrl;
43             return View();
44         }
45         [AllowAnonymous]
46         [HttpPost("login")]
47         public async Task<IActionResult> Login(string userName, string password, string returnUrl = null)
48         {
49             var list = new List<dynamic> {
50                 new { UserName = "gsw", Password = "111111", Role = "admin" },
51                 new { UserName = "aaa", Password = "222222", Role = "system" }
52             };
53             var user = list.SingleOrDefault(s => s.UserName == userName && s.Password == password);
54             if (user!=null)
55             {
56                 //用戶標識
57                 var identity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme);
58                 identity.AddClaim(new Claim(ClaimTypes.Sid, userName));
59                 identity.AddClaim(new Claim(ClaimTypes.Name, user.Name));
60                 identity.AddClaim(new Claim(ClaimTypes.Role, user.Role));
61                 await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity));
62                 if (returnUrl == null)
63                 {
64                     returnUrl = TempData["returnUrl"]?.ToString();
65                 }
66                 if (returnUrl != null)
67                 {
68                     return Redirect(returnUrl);
69                 }
70                 else
71                 {
72                     return RedirectToAction(nameof(HomeController.Index), "Home");
73                 }
74             }
75             else
76             {
77                 const string badUserNameOrPasswordMessage = "用戶名或密碼錯誤！";
78                 return BadRequest(badUserNameOrPasswordMessage);
79             }
80         }
81         [HttpGet("logout")]
82         public async Task<IActionResult> Logout()
83         {
84             await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
85             return RedirectToAction("Index", "Home");
86         }
87         [AllowAnonymous]
88         [HttpGet("denied")]
89         public IActionResult Denied()
90         {
91             return View();
92         }
93     }
94 }

前端_Layout.cshtml佈局頁，在登陸成功後的任何頁面均可以用@User.Identity.Name就能夠獲取用戶姓名，同時用@User.Claims.SingleOrDefault(s=>s.Type== System.Security.Claims.ClaimTypes.Sid).Value能夠獲取用戶名或角色。

 1    <nav class="navbar navbar-inverse navbar-fixed-top">
 2         <div class="container">
 3             <div class="navbar-header">
 4                 <button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
 5                     <span class="sr-only">Toggle navigation</span>
 6                     <span class="icon-bar"></span>
 7                     <span class="icon-bar"></span>
 8                     <span class="icon-bar"></span>
 9                 </button>
10                 <a asp-area="" asp-controller="Home" asp-action="Index" class="navbar-brand">RolePrivilegeManagement</a>
11             </div>
12             <div class="navbar-collapse collapse">
13                 <ul class="nav navbar-nav">
14                     <li><a asp-area="" asp-controller="Home" asp-action="Index">Home</a></li>
15                     <li><a asp-area="" asp-controller="Home" asp-action="About">About</a></li>
16                     <li><a asp-area="" asp-controller="Home" asp-action="Contact">Contact</a></li>
17                 </ul>
18                 <ul class="" style="float:right; margin:0;">
19                     <li style="overflow:hidden;">
20                         <div style="float:left;line-height:50px;margin-right:10px;">
21                             <span style="color:#ffffff">當前用戶：@User.Identity.Name</span>
22                         </div>
23                         <div style="float:left;line-height:50px;">
24                             <a asp-area="" asp-controller="Home" asp-action="Logout">註銷</a>
25                         </div>
26                     </li>
27                 </ul>
28             </div>
29         </div>
30     </nav>

如今能夠用chrome運行了，進行登陸頁後F12，查看Network—Cookies，能夠看到有一個Cookie，這個是記錄returnUrl的Cookie，是否記得HomeController.cs中的Login Get的Action中代碼：TempData["returnUrl"] = returnUrl;這個TempData最後轉成了一個Cookie返回到客戶端了，以下圖：

輸入用戶名，密碼登陸，再次查看Cookies，發現多了一個.AspNetCore.Cookies，即把用戶驗證信息加密碼保存在了這個Cookie中，當跳轉到別的頁面時，這兩個Cookie會繼續在客戶端和服務傳送，用以驗證用戶角色。

2、自定義角色

系統的角色能夠自定義，用戶是自寫到義，權限是固定的，角色對應權限能夠自定義，用戶對應角色也是自定義的，以下圖：

項目代碼：

https://github.com/axzxs2001/Asp.NetCoreExperiment/tree/master/Asp.NetCoreExperiment/%E6%9D%83%E9%99%90%E7%AE%A1%E7%90%86/PrivilegeManagement

始於startup.cs

自定義角色與固定角色不一樣之處在於多了一箇中間件（關於中間件學習參看：https://docs.microsoft.com/en-us/aspnet/core/fundamentals/middleware），即在Configure方法中，必定要在app.UseAuthentication下面添加驗證權限的中間件，由於UseAuthentication要從Cookie中加載經過驗證的用戶信息到Context.User中，因此必定放在加載完後才能去驗用戶信息（固然本身讀取Cookie也能夠）

 1 using System;
 2 using System.Collections.Generic;
 3 using System.Linq;
 4 using System.Threading.Tasks;
 5 using Microsoft.AspNetCore.Builder;
 6 using Microsoft.AspNetCore.Hosting;
 7 using Microsoft.Extensions.Configuration;
 8 using Microsoft.Extensions.DependencyInjection;
 9 using Microsoft.AspNetCore.Authentication.Cookies;
10 using Microsoft.AspNetCore.Http;
11 using PrivilegeManagement.Middleware;
12 
13 namespace PrivilegeManagement
14 {
15     public class Startup
16     {
17         public Startup(IConfiguration configuration)
18         {
19             Configuration = configuration;
20         }
21         public IConfiguration Configuration { get; }
22 
23         public void ConfigureServices(IServiceCollection services)
24         {
25             services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
26            .AddCookie(options =>
27            {
28                options.LoginPath = new PathString("/login");
29                options.AccessDeniedPath = new PathString("/denied");
30            }
31            );
32             services.AddMvc();
33         }
34 
35         public void Configure(IApplicationBuilder app, IHostingEnvironment env)
36         {
37             if (env.IsDevelopment())
38             {
39                 app.UseDeveloperExceptionPage();
40                 app.UseBrowserLink();
41             }
42             else
43             {
44                 app.UseExceptionHandler("/Home/Error");
45             }
46 
47             app.UseStaticFiles();
48             //驗證中間件
49             app.UseAuthentication();
50             ////添加權限中間件, 必定要放在app.UseAuthentication後
51             app.UsePermission(new PermissionMiddlewareOption()
52             {
53                 LoginAction = @"/login",
54                 NoPermissionAction = @"/denied",
55                 //這個集合從數據庫中查出全部用戶的所有權限
56                 UserPerssions = new List<UserPermission>()
57                  {
58                      new UserPermission { Url="/", UserName="gsw"},
59                      new UserPermission { Url="/home/contact", UserName="gsw"},
60                      new UserPermission { Url="/home/about", UserName="aaa"},
61                      new UserPermission { Url="/", UserName="aaa"}
62                  }
63             });
64             app.UseMvc(routes =>
65             {
66                 routes.MapRoute(
67                     name: "default",
68                     template: "{controller=Home}/{action=Index}/{id?}");
69             });
70         }
71     }
72 }

下面看看中間件PermissionMiddleware.cs，在Invoke中用了context.User，如上面所述，首先要調用app.UseAuthentication加載用戶信息後才能在這裏使用，這個中間件邏輯較簡單，若是沒有驗證的一概放過去，不做處理，若是驗證過（登陸成功了），就要查看本次請求的url和這個用戶能夠訪問的權限是否匹配，如不匹配，就跳轉到拒絕頁面（這個是在Startup.cs中添加中間件時，用NoPermissionAction = @"/denied"設置的）

 1 using Microsoft.AspNetCore.Http;
 2 using System;
 3 using System.Collections.Generic;
 4 using System.IO;
 5 using System.Linq;
 6 using System.Reflection;
 7 using System.Security.Claims;
 8 using System.Threading.Tasks;
 9 
10 namespace PrivilegeManagement.Middleware
11 {
12     /// <summary>
13     /// 權限中間件
14     /// </summary>
15     public class PermissionMiddleware
16     {
17         /// <summary>
18         /// 管道代理對象
19         /// </summary>
20         private readonly RequestDelegate _next;
21         /// <summary>
22         /// 權限中間件的配置選項
23         /// </summary>
24         private readonly PermissionMiddlewareOption _option;
25 
26         /// <summary>
27         /// 用戶權限集合
28         /// </summary>
29         internal static List<UserPermission> _userPermissions;
30 
31         /// <summary>
32         /// 權限中間件構造
33         /// </summary>
34         /// <param name="next">管道代理對象</param>
35         /// <param name="permissionResitory">權限倉儲對象</param>
36         /// <param name="option">權限中間件配置選項</param>
37         public PermissionMiddleware(RequestDelegate next, PermissionMiddlewareOption option)
38         {
39             _option = option;
40             _next = next;
41             _userPermissions = option.UserPerssions;
42         }       
43         /// <summary>
44         /// 調用管道
45         /// </summary>
46         /// <param name="context">請求上下文</param>
47         /// <returns></returns>
48         public Task Invoke(HttpContext context)
49         {
50             //請求Url
51             var questUrl = context.Request.Path.Value.ToLower();
52        
53             //是否通過驗證
54             var isAuthenticated = context.User.Identity.IsAuthenticated;
55             if (isAuthenticated)
56             {
57                 if (_userPermissions.GroupBy(g=>g.Url).Where(w => w.Key.ToLower() == questUrl).Count() > 0)
58                 {
59                     //用戶名
60                     var userName = context.User.Claims.SingleOrDefault(s => s.Type == ClaimTypes.Sid).Value;
61                     if (_userPermissions.Where(w => w.UserName == userName&&w.Url.ToLower()==questUrl).Count() > 0)
62                     {
63                         return this._next(context);
64                     }
65                     else
66                     {
67                         //無權限跳轉到拒絕頁面
68                         context.Response.Redirect(_option.NoPermissionAction);
69                     }
70                 }
71             }
72             return this._next(context);
73         }
74     }
75 }

擴展中間件類PermissionMiddlewareExtensions.cs

 1 using Microsoft.AspNetCore.Builder;
 2 using System;
 3 using System.Collections.Generic;
 4 using System.Linq;
 5 using System.Threading.Tasks;
 6 
 7 namespace PrivilegeManagement.Middleware
 8 {
 9     /// <summary>
10     /// 擴展權限中間件
11     /// </summary>
12     public static class PermissionMiddlewareExtensions
13     {
14         /// <summary>
15         /// 引入權限中間件
16         /// </summary>
17         /// <param name="builder">擴展類型</param>
18         /// <param name="option">權限中間件配置選項</param>
19         /// <returns></returns>
20         public static IApplicationBuilder UsePermission(
21               this IApplicationBuilder builder, PermissionMiddlewareOption option)
22         {
23             return builder.UseMiddleware<PermissionMiddleware>(option);
24         }
25     }
26 }

中間件屬性PermissionMiddlewareOption.cs

 1 using System;
 2 using System.Collections.Generic;
 3 using System.Linq;
 4 using System.Threading.Tasks;
 5 
 6 namespace PrivilegeManagement.Middleware
 7 {
 8     /// <summary>
 9     /// 權限中間件選項
10     /// </summary>
11     public class PermissionMiddlewareOption
12     {
13         /// <summary>
14         /// 登陸action
15         /// </summary>
16         public string LoginAction
17         { get; set; }
18         /// <summary>
19         /// 無權限導航action
20         /// </summary>
21         public string NoPermissionAction
22         { get; set; }
23 
24         /// <summary>
25         /// 用戶權限集合
26         /// </summary>
27         public List<UserPermission> UserPerssions
28         { get; set; } = new List<UserPermission>();
29     }
30 }

中間件實體類UserPermission.cs

 1 using System;
 2 using System.Collections.Generic;
 3 using System.Linq;
 4 using System.Threading.Tasks;
 5 
 6 namespace PrivilegeManagement.Middleware
 7 {
 8     /// <summary>
 9     /// 用戶權限
10     /// </summary>
11     public class UserPermission
12     {
13         /// <summary>
14         /// 用戶名
15         /// </summary>
16         public string UserName
17         { get; set; }
18         /// <summary>
19         /// 請求Url
20         /// </summary>
21         public string Url
22         { get; set; }
23     }
24 }

關於自定義角色，由於不須要受權時帶上角色，因此能夠定義一個基Controller類BaseController.cs，其餘的Controller都繼承BaseController，這樣全部的action均可以經過中間件來驗證，固然像登陸，無權限提示頁面仍是在Action上加[AllowAnomymous]

1 using Microsoft.AspNetCore.Authorization;
2 using Microsoft.AspNetCore.Mvc;
3 namespace PrivilegeManagement.Controllers
4 {
5     [Authorize]
6     public class BaseController:Controller
7     {
8     }
9 }

HomeController.cs以下，與固定角色的HomeController.cs差別只在Controller和Action上的Authorize特性。

 1 using System;
 2 using System.Collections.Generic;
 3 using System.Diagnostics;
 4 using System.Linq;
 5 using System.Threading.Tasks;
 6 using Microsoft.AspNetCore.Mvc;
 7 using PrivilegeManagement.Models;
 8 using Microsoft.AspNetCore.Authorization;
 9 using System.Security.Claims;
10 using Microsoft.AspNetCore.Authentication.Cookies;
11 using Microsoft.AspNetCore.Authentication;
12 
13 namespace PrivilegeManagement.Controllers
14 {
15  
16     public class HomeController : BaseController
17     {
18         public IActionResult Index()
19         {
20             return View();
21         }
22 
23         public IActionResult About()
24         {
25             ViewData["Message"] = "Your application description page.";
26             
27             return View();
28         }
29 
30         public IActionResult Contact()
31         {
32             ViewData["Message"] = "Your contact page.";
33 
34             return View();
35         }
36 
37         public IActionResult Error()
38         {
39             return View(new ErrorViewModel { RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier });
40         }
41         [AllowAnonymous]
42         [HttpGet("login")]
43         public IActionResult Login(string returnUrl = null)
44         {
45             TempData["returnUrl"] = returnUrl;
46             return View();
47         }
48         [AllowAnonymous]
49         [HttpPost("login")]
50         public async Task<IActionResult> Login(string userName,string password, string returnUrl = null)
51         {
52             var list = new List<dynamic> {
53                 new { UserName = "gsw", Password = "111111", Role = "admin",Name="桂素偉" },
54                 new { UserName = "aaa", Password = "222222", Role = "system",Name="測試A" }
55             };
56             var user = list.SingleOrDefault(s => s.UserName == userName && s.Password == password);
57             if (user != null)
58             {
59                 //用戶標識
60                 var identity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme);
61                 identity.AddClaim(new Claim(ClaimTypes.Sid, userName));
62                 identity.AddClaim(new Claim(ClaimTypes.Name, user.Name));
63                 identity.AddClaim(new Claim(ClaimTypes.Role, user.Role));
64 
65                 await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity));
66                 if (returnUrl == null)
67                 {
68                     returnUrl = TempData["returnUrl"]?.ToString();
69                 }
70                 if (returnUrl != null)
71                 {
72                     return Redirect(returnUrl);
73                 }
74                 else
75                 {
76                     return RedirectToAction(nameof(HomeController.Index), "Home");
77                 }
78             }
79             else
80             {
81                 const string badUserNameOrPasswordMessage = "用戶名或密碼錯誤！";
82                 return BadRequest(badUserNameOrPasswordMessage);
83             }
84         }
85         [HttpGet("logout")]
86         public async Task<IActionResult> Logout()
87         {
88             await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
89             return RedirectToAction("Index", "Home");
90         }
91         [HttpGet("denied")]
92         public IActionResult Denied()
93         {
94             return View();
95         }
96     } 
97 }

 所有代碼：https://github.com/axzxs2001/Asp.NetCoreExperiment/tree/master/Asp.NetCoreExperiment/%E6%9D%83%E9%99%90%E7%AE%A1%E7%90%86