anglarjs1.6.3+owin 实现验证之一:统一拒绝非登陆访问。
一、anglarjs端在app.js(即anglar的入口js),注册.factory("messageService",使得每次来自html客户端的请求都能带有一个值,如AKey:html
var chars = ['0','1','2','3','4','5','6','7','8','9','A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z'];
function generateMixed(n) {
var res = "";
for(var i = 0; i < n ; i ++) {
var id = Math.ceil(Math.random()*35);
res += chars[id];
}
return res;
}var ClientID=generateMixed(6);
var Akey='ccc'; expressApp.factory('authInterceptor', function($rootScope){ return { request: function(config){ config.headers = config.headers || {}; config.headers.authorization = Akey; return config; }, responseError: function(response){ if(response.status==403) { debugger location.href="./E403.html" } } }; }) expressApp.config(function ($locationProvider, $routeProvider,$httpProvider) { $httpProvider.interceptors.push('authInterceptor'); }二、html客户端作一个403页面,页面带一个链接,链接跳转到登陆页redis
<li> 使用具备访问权限的帐户从新登陆系统,点击: <a href="./index.html#/login">此处</a>。 </li>
三、客户端包含一个登陆页login.html,对应的关键js以下:express
$http({ method: 'post', url: baseUrl+'account/login', data: { LoginName: $scope.LoginName, Password:$scope.Password, ClientID:ClientID } }).then(function (response) { Akey=response.data.LogonUser.SessionKey; }, function (response) { } );
这里面最重要的一句话,就是Akey=response.data.LogonUser.SessionKey; 由于Aky是在app.js里面定义的全局变量,因此登陆以前是一个错误值,在服务端限定之后,不能访问任何常规的action,可是只能访问服务端的account/login这个action。缓存
四、下来看看服务端的login这个actionsession
[Route("express/account/login")] public HttpResponseMessage Login(Users user) { if (string.IsNullOrEmpty(user.LoginName)) return Request.CreateResponse(HttpStatusCode.Forbidden); if (string.IsNullOrEmpty(user.Password)) return Request.CreateResponse(HttpStatusCode.Forbidden); var nowUser = auS.GetUserByUserId(user.LoginName); if (nowUser == null) return Request.CreateResponse(HttpStatusCode.Forbidden); #region 验证密码
if (!string.Equals(nowUser.Password, user.Password)) { return Request.CreateResponse(HttpStatusCode.Forbidden); } #endregion
if (nowUser.IsDelete) return Request.CreateResponse(HttpStatusCode.Forbidden); var existsDevice = auS.GetClientUser(nowUser.LoginName); if (existsDevice == null) { string passkey = auS.ComputeHash(nowUser.LoginName + nowUser.ClientID + DateTime.UtcNow + Guid.NewGuid()); existsDevice = new Users() { LoginName = nowUser.LoginName, SessionKey = passkey, ClientID = user.ClientID }; auS.AddClientUser(existsDevice); } else { auS.UpdateUserDevice(existsDevice); } existsDevice.Password = ""; return Request.CreateResponse(HttpStatusCode.OK, new SessionObject() { SessionKey = existsDevice.SessionKey, LogonUser = existsDevice }); }
这里面最关键的一个就是这两句话,当客户端发来一个clientID之后,使用必定的规则合成一个会话ID,存到内存中一个静态列表里面,以实现只要登陆一次且不超时,就缓存这我的的登陆信息,至关于session同样的效果。app
string passkey = auS.ComputeHash(nowUser.LoginName + nowUser.ClientID + DateTime.UtcNow + Guid.NewGuid()); ClientID = user.ClientID
那么在来看看app.js里面的这个ClientID:dom
var chars = ['0','1','2','3','4','5','6','7','8','9','A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z']; function generateMixed(n) { var res = ""; for(var i = 0; i < n ; i ++) { var id = Math.ceil(Math.random()*35); res += chars[id]; } return res; } var ClientID=generateMixed(6);
五、来看看AuthenticationService.cs的一些关键代码:这里也能够用字典,甚至能够把列表迁移到redis上面去均可以。ide
public string ComputeHash(string input) { byte[] data = Md5.ComputeHash(Encoding.Unicode.GetBytes(input)); var sBuilder = new StringBuilder(); foreach (byte t in data) sBuilder.Append(t.ToString("X")); return sBuilder.ToString(); } /// <summary>
/// 使用惟一标识得到登陆用户 /// </summary>
/// <param name="Akey"></param>
/// <returns></returns>
public Users GetClientUserByAkey(string Akey) { //headers.Authorization.Scheme
var ul = ClientUser.Where(_ => { return _.SessionKey == Akey; }); if (ul != null && ul.Count() > 0) { var u = ul.FirstOrDefault(); if (u.ExpiredTime < DateTime.Now) { return u; } else { ClientUser.Remove(u); } } return null; }
public Users GetUserByUserId(string loginName)
{post
//Accessor是我写的一个ORM的访问器
var ul = Accessor.GetList<Users>(new { LoginName = loginName });
return ul.FirstOrDefault();
}ui
首先BaseController继承自ApiController,并且用于登陆的那个Controller也就是AccountController必须继承自 ApiController
AccountController : ApiController
BaseController: ApiController
再来看看BaseController的关键代码,这样咱们写业务Controller(非登陆AccountController)的时候,好比ProductController,让ProductController:BaseController便可
public Express.Entity.Users currentUser = null; public override Task<HttpResponseMessage> ExecuteAsync(HttpControllerContext controllerContext, CancellationToken cancellationToken) { if (controllerContext.Request.Headers.Authorization != null
&& !string.IsNullOrWhiteSpace(controllerContext.Request.Headers.Authorization.Scheme)) { currentUser = new AuthenticationService().GetClientUserByAkey(controllerContext.Request.Headers.Authorization.Scheme); if (currentUser == null) { var response = new HttpResponseMessage(HttpStatusCode.Forbidden); var tsc = new TaskCompletionSource<HttpResponseMessage>(); tsc.SetResult(response); return tsc.Task; } } else { var response = new HttpResponseMessage(HttpStatusCode.Forbidden); var tsc = new TaskCompletionSource<HttpResponseMessage>(); tsc.SetResult(response); return tsc.Task; } return base.ExecuteAsync(controllerContext, cancellationToken); }
好了,下一篇讲述,若是实现粒度到action级别的权限控制。
相关文章
- 1. ASP.NET MVC 实现统一登陆验证
- 2. 一个登陆框实现不一样的登陆验证
- 3. C#实现AD域验证登陆(一)
- 4. Win7:登陆系统提示group policy client服务未能登陆 拒绝访问
- 5. Python 之 pip拒绝访问
- 6. 登陆之验证码相关实现
- 7. 【JS】用JS实现系统登陆页的登陆和验证
- 8. java.io.FileNotFoundException: ……(拒绝访问。)
- 9. java.io.FileNotFoundException (拒绝访问。)
- 10. 如何 Windows10 出现硬盘拒绝访问 例如D盘拒绝访问
- 更多相关文章...
- • XML 验证 - XML 教程
- • DTD 验证 - DTD 教程
- • RxJava操作符(一)Creating Observables
- • Docker容器实战(一) - 封神Server端技术
相关标签/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
欢迎关注本站公众号,获取更多信息
