前面写过关于 token 认证的文章,这里再写一篇关于表单认证(也有人叫票据认证)的。由于用的是 MVC,就不必再让所有控制器继承一个父类控制器、在父类里做登录校验了,而是直接利用 MVC 提供的 filter(过滤器)来做。
1,先写过滤器的代码,看一遍就知道它的作用
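/// <summary>
/// Marks an action or controller as requiring an authenticated user.
/// Actions or controllers that must stay reachable without a login (the login page
/// itself, for instance) are exempted by marking them with
/// <see cref="AllowAnonymousAttribute"/>.
/// </summary>
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, Inherited = true, AllowMultiple = true)]
public class AuthenAdminAttribute : ActionFilterAttribute, IAuthorizationFilter
{
    /// <summary>Path an unauthenticated request is redirected to.</summary>
    private const string LoginPath = "/admin/home/login";

    /// <summary>
    /// Authorization stage of the request pipeline; runs before any action filter.
    /// Redirects to <see cref="LoginPath"/> when the current request carries no
    /// authenticated identity, unless the target action or its controller is marked
    /// <see cref="AllowAnonymousAttribute"/>.
    /// </summary>
    /// <param name="filterContext">Authorization context of the current request.</param>
    /// <exception cref="ArgumentNullException">Thrown when <paramref name="filterContext"/> is null.</exception>
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        // Without this exemption a globally registered instance (see FilterConfig) also
        // guards the login action itself, so an anonymous user is bounced from the login
        // page back to the login page in an endless redirect loop.
        if (IsAnonymousAllowed(filterContext.ActionDescriptor))
        {
            return;
        }

        if (!Authentication.isLogin())
        {
            filterContext.Result = new RedirectResult(LoginPath);
        }
    }

    /// <summary>
    /// True when the action or its controller carries <see cref="AllowAnonymousAttribute"/>
    /// (inherited attributes included).
    /// </summary>
    private static bool IsAnonymousAllowed(ActionDescriptor action)
    {
        return action.IsDefined(typeof(AllowAnonymousAttribute), true)
            || action.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true);
    }
}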
在过滤器配置(FilterConfig)中注册这个过滤器:
/// <summary>
/// Registers the filters that apply to every action in the application.
/// </summary>
public class FilterConfig
{
    /// <summary>
    /// Adds the global filters: the default error handler plus the login-required
    /// filter (<see cref="AuthenAdminAttribute"/>), so every action is guarded.
    /// </summary>
    /// <param name="filters">The application's global filter collection.</param>
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        HandleErrorAttribute errorHandler = new HandleErrorAttribute();
        AuthenAdminAttribute loginRequired = new AuthenAdminAttribute();

        filters.Add(errorHandler);
        filters.Add(loginRequired);
    }
}
同时还需要一个验证帮助类,别忘了添加;票据里具体存放哪些信息、怎么存储可以因人而异,但无论如何都不要把密码放进去(见文末说明)。
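/// <summary>
/// Forms-authentication helper: issues the login cookie and reads the values stored
/// in its ticket (user name, password and rights, '#'-delimited in UserData).
/// </summary>
public class Authentication
{
    /// <summary>Separator between the fields stored in the ticket's UserData.</summary>
    private const char FieldSeparator = '#';

    /// <summary>Lifetime of the ticket, in minutes.</summary>
    private const int TicketMinutes = 60;

    /// <summary>
    /// Creates a forms-authentication ticket for a user who has just logged in and
    /// appends it to the response as the forms cookie.
    /// </summary>
    /// <param name="UserName">User name; also becomes the ticket's identity name.</param>
    /// <param name="PassWord">
    /// Password. NOTE(review): it is embedded in the ticket and travels to the client
    /// on every request. The ticket is encrypted, but that still hands the password to
    /// anyone who obtains the cookie or the machineKey; callers should prefer not to
    /// pass it at all (kept here only because <see cref="getPassWord"/> reads it back).
    /// </param>
    /// <param name="Rights">Rights string stored in the ticket.</param>
    /// <exception cref="ArgumentException">
    /// Thrown when any of the three values contains '#': the fields are joined with '#'
    /// and split again on read, so such input would shift the fields (a user name like
    /// "x#y" would later be read back as user "x", with the other fields displaced).
    /// </exception>
    public static void SetCookie(string UserName, string PassWord, string Rights)
    {
        RejectSeparator(UserName, "UserName");
        RejectSeparator(PassWord, "PassWord");
        RejectSeparator(Rights, "Rights");

        string userData = UserName + FieldSeparator + PassWord + FieldSeparator + Rights;

        // FormsAuthenticationTicket works with local time, hence DateTime.Now.
        DateTime issued = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, UserName, issued, issued.AddMinutes(TicketMinutes), false, userData);

        string encryptedTicket = FormsAuthentication.Encrypt(ticket);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
        // Same attributes FormsAuthentication.SetAuthCookie applies: keep the ticket out
        // of reach of page script (HttpOnly) and off plain HTTP when requireSSL is
        // configured. Without them the original cookie was readable by any XSS payload.
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        HttpContext.Current.Response.Cookies.Add(cookie);
    }

    /// <summary>
    /// Whether the current request carries an authenticated identity.
    /// </summary>
    /// <returns>True when authenticated, otherwise false.</returns>
    public static bool isLogin()
    {
        return HttpContext.Current.User.Identity.IsAuthenticated;
    }

    /// <summary>
    /// Signs the current user out by clearing the forms-authentication cookie.
    /// </summary>
    public static void logOut()
    {
        FormsAuthentication.SignOut();
    }

    /// <summary>
    /// Reads the user name stored in the ticket.
    /// </summary>
    /// <returns>The user name, or "" when not logged in or the field is absent.</returns>
    public static string getUserName()
    {
        return GetTicketField(0);
    }

    /// <summary>
    /// Reads the password stored in the ticket.
    /// </summary>
    /// <returns>The password, or "" when not logged in or the field is absent.</returns>
    public static string getPassWord()
    {
        return GetTicketField(1);
    }

    /// <summary>
    /// Reads the rights string stored in the ticket.
    /// </summary>
    /// <returns>The rights, or "" when not logged in or the field is absent.</returns>
    public static string getRights()
    {
        return GetTicketField(2);
    }

    /// <summary>
    /// Returns field <paramref name="index"/> of the current ticket's '#'-delimited
    /// UserData, or "" when there is no forms ticket or the field does not exist.
    /// </summary>
    private static string GetTicketField(int index)
    {
        if (!isLogin())
        {
            return "";
        }

        // A non-forms identity (e.g. Windows auth) is not a FormsIdentity; the original
        // hard cast would throw InvalidCastException here instead of returning "".
        FormsIdentity identity = HttpContext.Current.User.Identity as FormsIdentity;
        if (identity == null || identity.Ticket == null || identity.Ticket.UserData == null)
        {
            return "";
        }

        string[] fields = identity.Ticket.UserData.Split(FieldSeparator);
        // Split never returns an empty array, so the original "Length != 0" guard never
        // fired and a ticket with fewer than three fields (one issued by
        // FormsAuthentication.SetAuthCookie, for instance) threw IndexOutOfRangeException.
        return index < fields.Length ? fields[index] : "";
    }

    /// <summary>
    /// Throws when <paramref name="value"/> contains the field separator; null is
    /// tolerated (it concatenates as an empty string, as before).
    /// </summary>
    private static void RejectSeparator(string value, string paramName)
    {
        if (value != null && value.IndexOf(FieldSeparator) >= 0)
        {
            throw new ArgumentException("Value must not contain '" + FieldSeparator + "'.", paramName);
        }
    }
}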
到这里就结束了?还没有——还要把验证特性实际用上,这里涉及过滤器的使用方式:
/// <summary>
/// Sample controller: <see cref="Index"/> is reachable only by an authenticated user
/// because it carries <see cref="AuthenAdminAttribute"/>.
/// </summary>
public class HomeController : Controller
{
    /// <summary>
    /// Renders the default view; an anonymous request never gets here because the
    /// filter redirects it to the login page first.
    /// </summary>
    [AuthenAdmin]
    public ActionResult Index()
    {
        ActionResult page = View();
        return page;
    }
}
这样在访问 home/Index 的时候就会先判断是否已登录,没有登录则跳转到登录页。
值得注意的是,用户的一些重要信息放到了 cookie 里面。票据虽然经过 FormsAuthentication.Encrypt 加密,默认配置下还会用 machineKey 做校验,直接篡改会被检测出来,但 cookie 本身仍可能被窃取后原样重放(例如 XSS、没有设置 HttpOnly/Secure、走明文 HTTP),而且一旦 machineKey 泄露就能伪造任意票据。所以密码绝不应该放进票据;权限这类敏感字段有必要的话,在使用前再到数据库校验一下,或用其他办法增加安全性。
这里说一下AuthenAdmin 的验证范围:
1,在Action 上,那么对这个Action 起到作用
2,在 Controller 上,那么对这个控制器里的所有 Action 都起作用
3,在全局配置(Global.asax 的 Application_Start)中注册,那么对所有 Controller 的 Action 都起过滤作用;此时必须把登录页所在的 Action 排除在外(过滤器里要跳过标了 [AllowAnonymous] 的 Action),否则访问登录页本身也会被重定向到登录页,形成死循环。
注册代码: FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
/// <summary>
/// MVC application bootstrap. NOTE(review): keep these calls in this order — it is the
/// standard MVC template sequence (areas, global filters, routes, bundles) and the
/// registrations are order-sensitive.
/// </summary>
protected void Application_Start()
{
AreaRegistration.RegisterAllAreas();
// Registers AuthenAdminAttribute (via FilterConfig) for every action in the project.
FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
RouteConfig.RegisterRoutes(RouteTable.Routes);
BundleConfig.RegisterBundles(BundleTable.Bundles);
}
顺便多说一点:如果 WebForm 用得熟,应该知道 Global.asax 里有一些很实用的事件方法,比如 Application_BeginRequest、Session_End 等,可以自行查阅。
就写到这里吧,希望对他人有用!