asp.net MVC之AuthorizeAttribute浅析
2021-06-07 07:04
YPE html>
标签:wan nocache 编译 sources wrap login cte direct title
AuthorizeAttribute是asp.net MVC的几大过滤器之一,俗称认证和授权过滤器,也就是判断登录与否,授权与否。当为某一个Controller或Action附加该特性时,没有登录或授权的账户是不能访问这些Controller或Action的。
在进入一个附加了Authorize特性的Controller或Action之前,首先执行的是AuthorizeAttribute类的OnAuthorization(AuthorizationContext filterContext)方法,接着OnAuthorization方法会去调用其他的诸如AuthorizeCore方法。
在将AuthorizeAttribute类反编译之后得到如下代码,一看就清晰明了:
using System; using System.Collections.Generic; using System.Linq; using System.Security.Principal; using System.Web.Mvc.Properties; namespace System.Web.Mvc { ///Specifies that access to a controller or action method is restricted to users who meet the authorization requirement. [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)] public class AuthorizeAttribute : FilterAttribute, IAuthorizationFilter { private static readonly char[] _splitParameter = new char[] { ‘,‘ }; private readonly object _typeId = new object(); private string _roles; private string[] _rolesSplit = new string[0]; private string _users; private string[] _usersSplit = new string[0]; /// Gets or sets the user roles that are authorized to access the controller or action method. /// The user roles that are authorized to access the controller or action method. public string Roles { get { return this._roles ?? string.Empty; } set { this._roles = value; this._rolesSplit = AuthorizeAttribute.SplitString(value); } } /// Gets the unique identifier for this attribute. /// The unique identifier for this attribute. public override object TypeId { get { return this._typeId; } } /// Gets or sets the users that are authorized to access the controller or action method. /// The users that are authorized to access the controller or action method. public string Users { get { return this._users ?? string.Empty; } set { this._users = value; this._usersSplit = AuthorizeAttribute.SplitString(value); } } /// When overridden, provides an entry point for custom authorization checks. /// true if the user is authorized; otherwise, false. /// The HTTP context, which encapsulates all HTTP-specific information about an individual HTTP request. /// The parameter is null. protected virtual bool AuthorizeCore(HttpContextBase httpContext) { if (httpContext == null) { throw new ArgumentNullException("httpContext"); } IPrincipal user = httpContext.User; return user.Identity.IsAuthenticated && (this._usersSplit.Length 0 || this._usersSplit.Contains(user.Identity.Name, StringComparer.OrdinalIgnoreCase)) && (this._rolesSplit.Length 0 || this._rolesSplit.Any(new Funcstring, bool>(user.IsInRole))); } private void CacheValidateHandler(HttpContext context, object data, ref HttpValidationStatus validationStatus) { validationStatus = this.OnCacheAuthorization(new HttpContextWrapper(context)); } /// Called when a process requests authorization. /// The filter context, which encapsulates information for using . /// The parameter is null. public virtual void OnAuthorization(AuthorizationContext filterContext) { if (filterContext == null) { throw new ArgumentNullException("filterContext"); } if (OutputCacheAttribute.IsChildActionCacheActive(filterContext)) { throw new InvalidOperationException(MvcResources.AuthorizeAttribute_CannotUseWithinChildActionCache); } bool flag = filterContext.ActionDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true) || filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true); if (flag) { return; } if (this.AuthorizeCore(filterContext.HttpContext)) { HttpCachePolicyBase cache = filterContext.HttpContext.Response.Cache; cache.SetProxyMaxAge(new TimeSpan(0L)); cache.AddValidationCallback(new HttpCacheValidateHandler(this.CacheValidateHandler), null); return; } this.HandleUnauthorizedRequest(filterContext); } /// Processes HTTP requests that fail authorization. /// Encapsulates the information for using . The object contains the controller, HTTP context, request context, action result, and route data. protected virtual void HandleUnauthorizedRequest(AuthorizationContext filterContext) { filterContext.Result = new HttpUnauthorizedResult(); } /// Called when the caching module requests authorization. /// A reference to the validation status. /// The HTTP context, which encapsulates all HTTP-specific information about an individual HTTP request. /// The parameter is null. protected virtual HttpValidationStatus OnCacheAuthorization(HttpContextBase httpContext) { if (httpContext == null) { throw new ArgumentNullException("httpContext"); } if (!this.AuthorizeCore(httpContext)) { return HttpValidationStatus.IgnoreThisRequest; } return HttpValidationStatus.Valid; } internal static string[] SplitString(string original) { if (string.IsNullOrEmpty(original)) { return new string[0]; } IEnumerablestring> source = from piece in original.Split(AuthorizeAttribute._splitParameter) let trimmed = piece.Trim() where !string.IsNullOrEmpty(trimmed) select trimmed; return source.ToArraystring>(); } } }
通过以上描述,我们可以在自己的MVC程序中使用AuthorizeAttribute类或者其派生的子类来达到用户认证和授权的目的。
一、新建一个MVC项目
新建一个MVC项目,选择不用身份验证。
二、添加Model
为了达到演示目的,添加了一个简单的StudentViewModel,用来显示业务数据:
public class StudentViewModel { public int ID { get; set; } public string Name { get; set; } public string Tel { get; set; } }
添加一个UserViewModel,用来进行登录和角色授权:
public class UserViewModel { [DisplayName("用户名")] public string UserName { get; set; } [DisplayName("密 码")] public string Pwd { get; set; } public Role Role { get; set; } } public enum Role { Admin=1, Normal=2, System=3 }
OK,本篇讲述就不去访问数据库了,直接用业务数据。然后我们再新建一个Data类,存放业务数据:
public class Data { public static Liststudents = new List { new StudentViewModel { ID=1, Name="张三", Tel="15808038502" }, new StudentViewModel { ID=2, Name="李四", Tel="15708032302" }, new StudentViewModel { ID=3, Name="王五", Tel="15562438502" }, new StudentViewModel { ID=4, Name="赵六", Tel="15064534502" }, new StudentViewModel { ID=5, Name="孙琦", Tel="15185465402" } }; public static List users = new List { new UserViewModel { UserName="admin", Pwd="1", Role=Role.Admin }, new UserViewModel { UserName="normal", Pwd="1", Role=Role.Normal}, new UserViewModel { UserName="system", Pwd="1", Role=Role.System} }; }
三、创建Controller控制器和视图
1、新建StudentController
Index视图是显示全部的Student数据,FindOne是显示一条Student数据。:
public class StudentController : Controller { public ActionResult Index() { return View(Data.Data.students); } public ActionResult FindOne(int? id) { return View("Index", Data.Data.students.Where(s => s.ID == id)); } }
现在没有对Student控制器做任何的身份和授权访问限制。接下来我们创建一个登陆用的控制器。
2、新建AccountController
public class AccountController : Controller { //用于获取登录页面 [HttpGet] public ActionResult Login() { return View(); } //用于登录验证 [HttpPost] public ActionResult Login(LoginViewModel login) { if (ModelState.IsValid) { UserViewModel clogin = Data.Data.users.Where(u => u.UserName == login.UserName && u.Pwd == login.Pwd).FirstOrDefault(); if (clogin != null) { //FormsAuthentication.SetAuthCookie有两个参数 //第一个参数:设置当前登录用户的标识,可以自定义 //第二个参数: //true:设置永久的。可以在web.config中设置过期时间,喏,下面的timeout就是过期时间,以分钟为单位。如下所示: // // // // authentication > // system.web > //false:设置当前会话时间为有效时间,浏览器或页面已关闭就需要重新登录。 FormsAuthentication.SetAuthCookie(clogin.UserName, false); return RedirectToAction("FindOne", "Student", new { id = 1 }); } } return View(); } //用于注销登录 [Authorize] [NoCache] public ActionResult LoginOut() { FormsAuthentication.SignOut(); return RedirectToAction("Login", "Account"); } //用于显示无权限消息 public ActionResult NoPemission() { return View(); } }
登陆页面如下:
@model MVCDemo2.ViewModels.UserViewModel @{ Layout = null; } "viewport" content="width=device-width" />Login "~/Content/w3.css" rel="stylesheet" />class="main">@**@class="w3-teal w3-center w3-margin-0" style="width:100%;">权限管理系统
@using (Html.BeginForm("Login", "Account", FormMethod.Post, new { @class = "w3-container w3-card-4 w3-light-grey", style = "width:100%;" })) {class="w3-table">
}"width:20%; vertical-align:middle;text-align:right;">@Html.LabelFor(x => x.UserName) "width:80%;">@Html.TextBoxFor(x => x.UserName, new { @class = "w3-input w3-border", placeholder = "用户名" }) class="w3-padding"> "vertical-align:middle;text-align:right;">@Html.LabelFor(x => x.Pwd) @Html.PasswordFor(x => x.Pwd, new { @class = "w3-input w3-border", placeholder = "密 码" }) "display:none;"> "text" id="returnUrl" name="returnUrl" value="@Url.Encode(Request.Url.ToString())"/> "text-align:left;"> "width:30%;">
无权限提示页面如下,也就是NoPemission:
@{ Layout = null; } "viewport" content="width=device-width" />NoPemission 您无权限操作该页面!
四、创建MyAuthorizeAttribute权限验证类
创建MyAuthorizeAttribute类的目的是需要做身份验证和权限验证所用,通过继承AuthorizeAttribute类来达到目的:
public class MyAuthorizeAttribute : AuthorizeAttribute { //设置是否拥有某些权限的状态码 private int _status = 0; protected override bool AuthorizeCore(HttpContextBase httpContext) { //判断当前登录的用户 是否已经登录过且身份认证被通过 if (httpContext.User.Identity.IsAuthenticated) { //判断当前的Roles字段是否是空,是空的,则说明该控制器或Action不需要角色权限控制 if (string.IsNullOrWhiteSpace(Roles)) return true; //通过半角逗号去获取一个权限数组 string[] roles = Roles.Split(new string[] { "," }, StringSplitOptions.RemoveEmptyEntries); if (roles.Length 0) return true; //找到当前登录的用户 //httpContext.User.Identity.Name就是我们在Login验证登录时候设置的clogin.UserName。设置代码为FormsAuthentication.SetAuthCookie(clogin.UserName, false); UserViewModel user = Data.Data.users.Where(u => u.UserName == httpContext.User.Identity.Name).SingleOrDefault(); //判断当前登录用户是否拥有访问该控制器或Action的权限,如果有,则返回true,可以访问;如果没有,则返回false,需要在OnAuthorization方法中设置该滤过器的Result。 if (roles.Contains(((int)user.Role).ToString())) return true; else { //无角色权限 通过设置_status,可以在OnAuthorization方法中做出相应的判断,并设置相应的filterContext.Result _status = 10; //授权失败 return false; } } //没有登录,则返回false,表明身份认证未通过,程序直接会跳转到登录页面,登录页面可在web.config中设置 // // // // authentication > // system.web > else return false; } public override void OnAuthorization(AuthorizationContext filterContext) { //执行父类的OnAuthorization方法 base.OnAuthorization(filterContext); //如果当前的_status有状态变化,则返回相应的ActionResult。当前返回的是无权限查看的提示界面。 if (_status == 10) filterContext.Result = new RedirectToRouteResult(new System.Web.Routing.RouteValueDictionary(new { //需要跳转的Controller controller = "Account", //需要跳转的Action action = "NoPemission", //返回的字段说明 returnUrl = filterContext.HttpContext.Request.Url, returnMessage = "您无权限查看!" })); } }
asp.net MVC之AuthorizeAttribute浅析
标签:wan nocache 编译 sources wrap login cte direct title
原文地址:http://www.cnblogs.com/williamwsj/p/7327214.html
文章标题:asp.net MVC之AuthorizeAttribute浅析
文章链接:http://soscw.com/index.php/essay/91642.html