Web用户的身份验证及WebApi权限验证流程的设计和实现

5. WebApi 服务端代码示例

5.1 控制器基类ApiControllerBase

[csharp] view plain copy

///
/// Controller的基类，用于实现适合业务场景的基础功能
///
///
[BasicAuthentication]
public abstract class ApiControllerBase : ApiController
{
}

5.2
权限属性BaseAuthenticationAttribute

[csharp] view
plain copy

///
/// 基本验证Attribtue，用以Action的权限处理
///
public class
BasicAuthenticationAttribute :
ActionFilterAttribute
{
///
/// 检查用户是否有该Action执行的操作权限
///
///
public override void
OnActionExecuting(HttpActionContext
actionContext)
{
//检验用户ticket信息，用户ticket信息来自调用发起方
if
(actionContext.Request.Headers.Authorization != null)
{
//解密用户ticket,并校验用户名密码是否匹配
var encryptTicket =
actionContext.Request.Headers.Authorization.Parameter;
if
(ValidateUserTicket(encryptTicket))
base.OnActionExecuting(actionContext);
else
actionContext.Response = new
HttpResponseMessage(HttpStatusCode.Unauthorized);
}
else
{
//检查web.config配置是否要求权限校验
bool
isRquired =
(WebConfigurationManager.AppSettings["WebApiAuthenticatedFlag"].ToString()
== "true");
if
(isRquired)
{
//如果请求Header不包含ticket，则判断是否是匿名调用
var attr =
actionContext.ActionDescriptor.GetCustomAttributes().OfType();
bool
isAnonymous = attr.Any(a => a is
AllowAnonymousAttribute);
//是匿名用户，则继续执行；非匿名用户，抛出“未授权访问”信息
if
(isAnonymous)
base.OnActionExecuting(actionContext);
else
actionContext.Response = new
HttpResponseMessage(HttpStatusCode.Unauthorized);
}
else
{
base.OnActionExecuting(actionContext);
}
}
}
///
/// 校验用户ticket信息
///
///
///
private bool
ValidateUserTicket(string
encryptTicket)
{
var userTicket =
FormsAuthentication.Decrypt(encryptTicket);
var userTicketData =
userTicket.UserData;
string
userName = userTicketData.Substring(0,
userTicketData.IndexOf(":"));
string
password =
userTicketData.Substring(userTicketData.IndexOf(":")
+ 1);
//检查用户名、密码是否正确，验证是合法用户
//var isQuilified = CheckUser(userName,
password);
return true;
}
}

5.3
api服务Controller实例

[csharp] view
plain copy

public class
ProductController : ApiControllerBase
{
[HttpGet]
public object
Find(string
id)
{
return
ProductServiceInstance.Find(2);
}
// GET api/product/5
[HttpGet]
[AllowAnonymous]
public
Product Get(string
id)
{
var headers =
Request.Headers;
var p =
ProductServiceInstance.GetById(long.Parse(id));
if
(p == null)
{
throw new
HttpResponseException(new
HttpResponseMessage(HttpStatusCode.BadRequest)
Content = new
StringContent("id3 not found"),
ReasonPhrase = "product id not exist."
});
}
return
p;
}
}

6.
其它配置说明

6.1
Mvc前端Web.Config 配置

[html] view
plain copy

<system.web>
<compilation debug="true" targetFramework="4.5">
<assemblies>
<add assembly="System.Web.Http.Data.Helpers,
Version=4.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
</assemblies>
</compilation>
<httpRuntime targetFramework="4.5" />
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" defaultUrl="~/Home/Index" protection="All" timeout="90" name=".AuthCookie"></forms>
</authentication>
<machineKey validationKey="3FFA12388DDF585BA5D35E7BC87E3F0AB47FBBEBD12240DD3BEA2BEAEC4ABA213F22AD27E8FAD77DCFEE306219691434908D193A17C1FC8DCE51B71A4AE54920"
decryptionKey="ECB6A3AF9ABBF3F16E80685ED68DC74B0B13CCEE538EBBA97D0B893139683B3B"
validation="SHA1" decryption="AES" />
</system.web>

machineKey节点配置，是应用于对用户ticket数据加密和解密。

6.2
WebApi服务端Web.Config配置

[html] view
plain copy

<system.web>
<machineKey validationKey="3FF112388DDF585BA5D35E7BC87E3F0AB47FBBEBD12240DD3BEA2BEAEC4ABA213F22AD27E8FAD77DCFEE306219691434908D193A17C1FC8DCE51B71A4AE54920"
decryptionKey="ECB6A3AF9ABBF3F16E80685ED68DC74B0B13CCEE538EBBA97D0B893139683B3B"
validation="SHA1" decryption="AES" />
</system.web>

machineKey节点配置，是应用于对用户ticket数据加密和解密。

7.
总结

Web系统的用户登录及页面操作权限验证在处理逻辑上比较复杂，需要考虑到Form认证、匿名访问，Session和Cookie存储，以及Session和Cookie的过期处理，本文实现了整个权限验证框架的基本功能，供系统架构设计人员以及Web开发人员参考。

Demo项目代码地址：
https://github.com/lgsky/DemoUserAuthorization/

秒客网

Web用户的身份验证及WebApi权限验证流程的设计和实现

相关文章