用户登录之后,需要将其基本身份信息和关联的角色或权限数据存储下来。而且作为前后端分离的系统,服务端需要使用这些票据数据,前端也需要通过Cookie对象访问用户信息,作为权限控制的审核来源。
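//create form ticket
// The ticket itself expires 240 minutes after issue; the cookie carrying it has no Expires set,
// so it is a browser-session cookie and is dropped when the browser closes.
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, loginName, DateTime.Now, DateTime.Now.AddMinutes(240),
    true, userDataContent, FormsAuthentication.FormsCookiePath);
string ticString = FormsAuthentication.Encrypt(ticket);
//write cookies in response
//SetAuthCookie mark identity status true
var authCookie = new HttpCookie("SlickOneWebCookie", ticString)
{
    // The value is the encrypted ticket, which only the server can decrypt; keeping it unreadable
    // from script limits what a page-injection bug can steal.
    // NOTE(review): if the front end checks for this cookie name directly, confirm before keeping HttpOnly.
    HttpOnly = true,
    // Mark Secure only when the request arrived over TLS, so plain-HTTP deployments keep working.
    Secure = HttpContext.Current.Request.IsSecureConnection,
    // Same scope as the ticket so the browser returns it for exactly the paths the ticket covers.
    Path = FormsAuthentication.FormsCookiePath,
};
HttpContext.Current.Response.Cookies.Add(authCookie);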
页面控制器统一继承自页面基类,基类中重写方法OnActionExecuting(),读取用户身份信息,并存储到Session对象,如果是非授权用户,则跳转到登录页面。代码示例如下:
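/// <summary>
/// Authentication Verify When Action Executing
/// </summary>
/// <remarks>
/// Actions carrying <see cref="AllowAnonymousAttribute"/> pass through untouched. For any other action the
/// logon user is looked up in Session; when it is missing, the "SlickOneWebCookie" ticket is used to rebuild
/// the session, and when no cookie is present the action is short-circuited with a redirect to the configured
/// login page, passing the current request URL as ReturnUrl.
/// </remarks>
/// <param name="filterContext">Context of the action about to run; its Result is set when the redirect applies.</param>
/// <exception cref="InvalidOperationException">The "FormAuthenticationRedirectUrl" app setting is missing or empty.</exception>
protected override void OnActionExecuting(ActionExecutingContext filterContext)
{
    var attr = filterContext.ActionDescriptor.GetCustomAttributes(typeof(AllowAnonymousAttribute), true);
    bool isAnonymous = attr.Any(a => a is AllowAnonymousAttribute);
    if (!isAnonymous)
    {
        var session = filterContext.HttpContext.Session;
        this.SessionManager.SetSession(session);
        var user = this.SessionManager.GetLogonUser() as WebLogonUser;
        if (user == null)
        {
            var webCookie = base.Request.Cookies["SlickOneWebCookie"];
            if (webCookie != null && !string.IsNullOrEmpty(webCookie.Value))
            {
                // Session is gone but the ticket cookie survives: rebuild the session from the ticket.
                // NOTE(review): SaveUserSession is expected to reject a ticket that fails decryption — confirm.
                var encryptTicket = webCookie.Value;
                SaveUserSession(encryptTicket);
            }
            else
            {
                //Not a Valid Logon User, Need To Be Login Again
                var formRedirectUrl = WebConfigurationManager.AppSettings["FormAuthenticationRedirectUrl"];
                if (string.IsNullOrEmpty(formRedirectUrl))
                {
                    // Fail loudly instead of with a NullReferenceException from a missing setting.
                    throw new InvalidOperationException("AppSetting 'FormAuthenticationRedirectUrl' is not configured.");
                }
                // RawUrl may itself carry a query string; escape it so it survives as a single ReturnUrl value
                // instead of being split into extra parameters on the login page.
                string url = string.Format("{0}?ReturnUrl={1}", formRedirectUrl, Uri.EscapeDataString(Request.RawUrl));
                // A RedirectResult short-circuits the action cleanly; Response.Redirect(url, true) ends the
                // response by throwing ThreadAbortException. Return here so base.OnActionExecuting is not
                // reached, matching the effect the aborting redirect had.
                filterContext.Result = new RedirectResult(url);
                return;
            }
        }
    }
    base.OnActionExecuting(filterContext);
}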
/// <summary>
/// check authorizaton information when action executing
/// </summary>
/// <param name="actionContext"></param>
public override void OnActionExecuting(HttpActionContext actionContext)
{
//get authentication cookie from request
var authCookie = actionContext.Request.GetCookie("SlickOneWebCookie");
if (!String.IsNullOrEmpty(authCookie))
{
//decrypted user ticket information
if (ValidateUserTicket(authCookie))
base.OnActionExecuting(actionContext);
else
actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
}
else
{
//verify webapi security setting
bool isRquired = (WebConfigurationManager.AppSettings["WebApiSecurityEnabled"].ToString() == "true");
if (isRquired)
{
//check anonymous attribute
var attr = actionContext.ActionDescriptor.GetCusto