Web用户的身份验证及WebApi权限验证流程的设计和实现(续)

4.4 权限属性RequireAuthorizationAttribute

[csharp] view plaincopy

 

1. "font-size:14px;">///
2. /// 权限验证属性类
3. ///
4. public class RequireAuthorizeAttribute : AuthorizeAttribute
5. {
6. ///
7. /// 用户权限列表
8. ///
9. public UserAuthModel[] UserAuthList
10. {
11. get
12. {
13. return AuthorizedUser.Current.UserAuthList;
14. }
15. }
16. ///
17. /// 登录用户票据
18. ///
19. public string UserLoginTicket
20. {
21. get
22. {
23. return AuthorizedUser.Current.UserLoginTicket;
24. }
25. }
26. public override void OnAuthorization(AuthorizationContext filterContext)
27. {
28. base.OnAuthorization(filterContext);
29. ////验证是否是登录用户
30. var identity = filterContext.HttpContext.User.Identity;
31. if (identity.IsAuthenticated)
32. {
33. var actionName = filterContext.ActionDescriptor.ActionName;
34. var controllerName = filterContext.ActionDescriptor.ControllerDescriptor.ControllerName;
35. //验证用户操作是否在权限列表中
36. if (HasActionQulification(actionName, controllerName, identity.Name))
37. if (!string.IsNullOrEmpty(UserLoginTicket))
38. //有效登录用户，有权限访问此Action，则写入Cookie信息
39. filterContext.HttpContext.Response.Cookies[FormsAuthentication.FormsCookieName].Value = UserLoginTicket;
40. else
41. //用户的Session, Cookie都过期，需要重新登录
42. filterContext.HttpContext.Response.Redirect("~/Account/Login", false);
43. else
44. //虽然是登录用户，但没有该Action的权限，跳转到“未授权访问”页面
45. filterContext.HttpContext.Response.Redirect("~/Home/UnAuthorized", true);
46. }
47. else
48. {
49. //未登录用户，则判断是否是匿名访问
50. var attr = filterContext.ActionDescriptor.GetCustomAttributes(true).OfType();
51. bool isAnonymous = attr.Any(a => a is AllowAnonymousAttribute);
52. if (!isAnonymous)
53. //未验证（登录）的用户, 而且是非匿名访问，则转向登录页面
54. filterContext.HttpContext.Response.Redirect("~/Account/Login", true);
55. }
56. }
57. ///
58. /// 从权限列表验证用户是否有权访问Action
59. ///
60. ///
61. ///
62. ///
63. private bool HasActionQulification(string actionName, string controllerName, stringuserName)
64. {
65. //从该用户的权限数据列表中查找是否有当前Controller和Action的item
66. var auth = UserAuthList.FirstOrDefault(a =>
67. {
68. bool rightAction = false;
69. bool rightController = a.Controller == controllerName;
70. if (rightController)
71. {
72. string[] actions = a.Actions.Split(',');
73. rightAction = actions.Contains(actionName);
74. }
75. return rightAction;
76. });
77. //此处可以校验用户的其它权限条件
78. //var notAllowed = HasOtherLimition(userName);
79. //var result = (auth != null) && notAllowed;
80. //return result;
81. return (auth != null);
82. }
83. }

 

4.5 业务Controller示例

[csharp] view plaincopy

 

1. 1. "font-size:14px;">public class ProductController : WebControllerBase
   2. {
   3. [AllowAnonymous]
   4. public ActionResult Query()
   5. {
   6. return View("ProductQuery");
   7. }
   8. [HttpGet]
   9. //[AllowAnonymous]
   10. [RequireAuthorize]
   11. public ActionResult Detail(string id)
   12. {
   13. var cookie = HttpContext.Request.Cookies;
   14. string url = base.ApiUrl + "/Get/" + id;
   15. HttpClient httpClient = HttpClientHelper.Create(url, base.UserLoginTicket);
   16. string result = httpClient.GetString();
   17. var model = JsonSerializer.DeserializeFromString(result);
   18. ViewData["PRODUCT_ADD_OR_EDIT"] = "E";
   19. return View("ProductForm", model);
   20. }
   21. }