ASP.NET MVC SSO單點登陸設計與實現
實驗環境配置
HOST文件配置以下:
127.0.0.1 app.com
127.0.0.1 sso.comgit
IIS配置以下:
應用程序池採用.Net Framework 4.0github
注意IIS綁定的域名,兩個徹底不一樣域的域名。數據庫
app.com網站配置以下:
sso.com網站配置以下:
memcached緩存:
數據庫配置:
數據庫採用EntityFramework 6.0.0,首次運行會自動建立相應的數據庫和表結構。api
受權驗證過程演示:
在瀏覽器地址欄中訪問:http://app.com,若是用戶還未登錄則網站會自動重定向至:http://sso.com/passport,同時經過QueryString傳參數的方式將對應的AppKey應用標識傳遞過來,運行截圖以下:瀏覽器
URL地址:http://sso.com/passport?appkey=670b14728ad9902aecba32e22fa4f6bd&username=緩存
輸入正確的登錄帳號和密碼後,點擊登錄按鈕系統自動301重定向至應用會掉首頁,毀掉成功後以下所示:安全
因爲在不一樣的域下進行SSO受權登錄,因此採用QueryString方式返回受權標識。同域網站下可採用Cookie方式。因爲301重定向請求是由瀏覽器發送的,因此在若是受權標識放入Handers中的話,瀏覽器重定向的時候會丟失。重定向成功後,程序自動將受權標識寫入到Cookie中,點擊其餘頁面地址時,URL地址欄中將再也不會看到受權標示信息。Cookie設置以下:服務器
登錄成功後的後續受權驗證(訪問其餘須要受權訪問的頁面):cookie
校驗地址:http://sso.com/api/passport?sessionkey=xxxxxx&remark=xxxxxxsession
返回結果:true,false
客戶端能夠根據實際業務狀況,選擇提示用戶受權已丟失,須要從新得到受權。默認自動重定向至SSO登錄頁面,即:http://sso.com/passport?appkey=670b14728ad9902aecba32e22fa4f6bd&username=seo@ljja.cn 同時登錄頁面郵箱地址文本框會自定補全用戶的登錄帳號,用戶只需輸入登錄密碼便可,受權成功後會話有效期自動延長一年時間。
SSO數據庫驗證日誌:
用戶受權驗證日誌:
用戶受權會話Session:
數據庫用戶帳號和應用信息:
應用受權登錄驗證頁面核心代碼:
1 /// <summary> 2 /// 公鑰:AppKey 3 /// 私鑰:AppSecret 4 /// 會話:SessionKey 5 /// </summary> 6 public class PassportController : Controller 7 { 8 private readonly IAppInfoService _appInfoService = new AppInfoService(); 9 private readonly IAppUserService _appUserService = new AppUserService(); 10 private readonly IUserAuthSessionService _authSessionService = new UserAuthSessionService(); 11 private readonly IUserAuthOperateService _userAuthOperateService = new UserAuthOperateService(); 12 13 private const string AppInfo = "AppInfo"; 14 private const string SessionKey = "SessionKey"; 15 private const string SessionUserName = "SessionUserName"; 16 17 //默認登陸界面 18 public ActionResult Index(string appKey = "", string username = "") 19 { 20 TempData[AppInfo] = _appInfoService.Get(appKey); 21 22 var viewModel = new PassportLoginRequest 23 { 24 AppKey = appKey, 25 UserName = username 26 }; 27 28 return View(viewModel); 29 } 30 31 //受權登陸 32 [HttpPost] 33 public ActionResult Index(PassportLoginRequest model) 34 { 35 //獲取應用信息 36 var appInfo = _appInfoService.Get(model.AppKey); 37 if (appInfo == null) 38 { 39 //應用不存在 40 return View(model); 41 } 42 43 TempData[AppInfo] = appInfo; 44 45 if (ModelState.IsValid == false) 46 { 47 //實體驗證失敗 48 return View(model); 49 } 50 51 //過濾字段無效字符 52 model.Trim(); 53 54 //獲取用戶信息 55 var userInfo = _appUserService.Get(model.UserName); 56 if (userInfo == null) 57 { 58 //用戶不存在 59 return View(model); 60 } 61 62 if (userInfo.UserPwd != model.Password.ToMd5()) 63 { 64 //密碼不正確 65 return View(model); 66 } 67 68 //獲取當前未到期的Session 69 var currentSession = _authSessionService.ExistsByValid(appInfo.AppKey, userInfo.UserName); 70 if (currentSession == null) 71 { 72 //構建Session 73 currentSession = new UserAuthSession 74 { 75 AppKey = appInfo.AppKey, 76 CreateTime = DateTime.Now, 77 InvalidTime = DateTime.Now.AddYears(1), 78 IpAddress = Request.UserHostAddress, 79 SessionKey = Guid.NewGuid().ToString().ToMd5(), 80 UserName = userInfo.UserName 81 }; 82 83 //建立Session 84 _authSessionService.Create(currentSession); 85 } 86 else 87 { 88 //延長有效期,默認一年 89 _authSessionService.ExtendValid(currentSession.SessionKey); 90 } 91 92 //記錄用戶受權日誌 93 _userAuthOperateService.Create(new UserAuthOperate 94 { 95 CreateTime = DateTime.Now, 96 IpAddress = Request.UserHostAddress, 97 Remark = string.Format("{0} 登陸 {1} 受權成功", currentSession.UserName, appInfo.Title), 98 SessionKey = currentSession.SessionKey 99 }); 104 105 var redirectUrl = string.Format("{0}?SessionKey={1}&SessionUserName={2}", 106 appInfo.ReturnUrl, 107 currentSession.SessionKey, 108 userInfo.UserName); 109 110 //跳轉默認回調頁面 111 return Redirect(redirectUrl); 112 } 113 }
Memcached會話標識驗證核心代碼:
public class PassportController : ApiController { private readonly IUserAuthSessionService _authSessionService = new UserAuthSessionService(); private readonly IUserAuthOperateService _userAuthOperateService = new UserAuthOperateService(); public bool Get(string sessionKey = "", string remark = "") { if (_authSessionService.GetCache(sessionKey)) { _userAuthOperateService.Create(new UserAuthOperate { CreateTime = DateTime.Now, IpAddress = Request.RequestUri.Host, Remark = string.Format("驗證成功-{0}", remark), SessionKey = sessionKey }); return true; } _userAuthOperateService.Create(new UserAuthOperate { CreateTime = DateTime.Now, IpAddress = Request.RequestUri.Host, Remark = string.Format("驗證失敗-{0}", remark), SessionKey = sessionKey }); return false; } }
Client受權驗證Filters Attribute
public class SSOAuthAttribute : ActionFilterAttribute { public const string SessionKey = "SessionKey"; public const string SessionUserName = "SessionUserName"; public override void OnActionExecuting(ActionExecutingContext filterContext) { var cookieSessionkey = ""; var cookieSessionUserName = ""; //SessionKey by QueryString if (filterContext.HttpContext.Request.QueryString[SessionKey] != null) { cookieSessionkey = filterContext.HttpContext.Request.QueryString[SessionKey]; filterContext.HttpContext.Response.Cookies.Add(new HttpCookie(SessionKey, cookieSessionkey)); } //SessionUserName by QueryString if (filterContext.HttpContext.Request.QueryString[SessionUserName] != null) { cookieSessionUserName = filterContext.HttpContext.Request.QueryString[SessionUserName]; filterContext.HttpContext.Response.Cookies.Add(new HttpCookie(SessionUserName, cookieSessionUserName)); } //從Cookie讀取SessionKey if (filterContext.HttpContext.Request.Cookies[SessionKey] != null) { cookieSessionkey = filterContext.HttpContext.Request.Cookies[SessionKey].Value; } //從Cookie讀取SessionUserName if (filterContext.HttpContext.Request.Cookies[SessionUserName] != null) { cookieSessionUserName = filterContext.HttpContext.Request.Cookies[SessionUserName].Value; } if (string.IsNullOrEmpty(cookieSessionkey) || string.IsNullOrEmpty(cookieSessionUserName)) { //直接登陸 filterContext.Result = SsoLoginResult(cookieSessionUserName); } else { //驗證 if (CheckLogin(cookieSessionkey, filterContext.HttpContext.Request.RawUrl) == false) { //會話丟失,跳轉到登陸頁面 filterContext.Result = SsoLoginResult(cookieSessionUserName); } } base.OnActionExecuting(filterContext); } public static bool CheckLogin(string sessionKey, string remark = "") { var httpClient = new HttpClient { BaseAddress = new Uri(ConfigurationManager.AppSettings["SSOPassport"]) }; var requestUri = string.Format("api/Passport?sessionKey={0}&remark={1}", sessionKey, remark); try { var resp = httpClient.GetAsync(requestUri).Result; resp.EnsureSuccessStatusCode(); return resp.Content.ReadAsAsync<bool>().Result; } catch (Exception ex) { throw ex; } } private static ActionResult SsoLoginResult(string username) { return new RedirectResult(string.Format("{0}/passport?appkey={1}&username={2}", ConfigurationManager.AppSettings["SSOPassport"], ConfigurationManager.AppSettings["SSOAppKey"], username)); } }
示例SSO驗證特性使用方法:
[SSOAuth] public class HomeController : Controller { public ActionResult Index() { return View(); } public ActionResult About() { ViewBag.Message = "Your application description page."; return View(); } public ActionResult Contact() { ViewBag.Message = "Your contact page."; return View(); } }
總結:
從草稿示例代碼中能夠看到代碼性能上還有不少優化的地方,還有SSO應用受權登錄頁面的用戶帳號不存在、密碼錯誤等一系列的提示信息等。在業務代碼運行基本正確的後期,能夠考慮往更多的安全性層面優化,好比啓用AppSecret私鑰簽名驗證,IP範圍驗證,固定會話請求攻擊、SSO受權登錄界面的驗證碼、會話緩存自動重建、SSo服務器、緩存的水平擴展等。
源碼地址:https://github.com/smartbooks/SmartSSO
相關文章
- 1. ASP.NET MVC SSO單點登錄設計與實現
- 2. ASP.NET MVC實現單點登陸(SSO)小Demo
- 3. SSO-單點統一登陸系統的設計與實現
- 4. C#實現 單點登陸(SSO)
- 5. SSO單點登陸
- 6. 單點登陸 SSO
- 7. 實現 OAuth2 單點登陸SSO—單點登陸和OAuth2概述
- 8. 多系統實現單點登陸方案:SSO 單點登陸
- 9. SSO單點登陸實例
- 10. sso單點登陸
- 更多相關文章...
- • Web 創建設計 - 網站建設指南
- • 移動設備 統計 - 瀏覽器信息
- • Spring Cloud 微服務實戰(三) - 服務註冊與發現
- • ☆基於Java Instrument的Agent實現
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
歡迎關注本站公眾號,獲取更多信息
相關文章