asp.net core 2.0 web api基于JWT自定义策略受权

2020年01月16日 阅读数:82
这篇文章主要向大家介绍asp.net core 2.0 web api基于JWT自定义策略受权,主要内容包括基础应用、实用技巧、原理机制等方面,希望对大家有所帮助。

JWT(json web token)是一种基于json的身份验证机制,流程以下:html

 

 

经过登陆,来获取Token,再在以后每次请求的Header中追加Authorization为Token的凭据,服务端验证经过便可能获取想要访问的资源。关于JWT的技术,可参考网络上文章,这里不做详细说明,git

这篇博文,主要说明在asp.net core 2.0中,基于jwt的web api的权限设置,即在asp.net core中怎么用JWT,再次就是不一样用户或角色由于权限问题,即便援用Token,也不能访问不应访问的资源。github

基本思路是咱们自定义一个策略,来验证用户,和验证用户受权,PermissionRequirement是验证传输受权的参数。在Startup的ConfigureServices注入验证(Authentication),受权(Authorization),和JWT(JwtBearer)web

自定义策略:数据库

已封闭成AuthorizeRolicy.JWT nuget包,并发布到nuget上:json

https://www.nuget.org/packages/AuthorizePolicy.JWT/api

源码以下:微信

JwtToken.cs网络


/// <summary>
/// 获取基于JWT的Token
/// </summary>
/// <param name="username"></param>
/// <returns></returns>
public  static  dynamic BuildJwtToken(Claim[] claims, PermissionRequirement permissionRequirement)
{
     var  now = DateTime.UtcNow;
     var  jwt =  new  JwtSecurityToken(
         issuer: permissionRequirement.Issuer,
         audience: permissionRequirement.Audience,
         claims: claims,
         notBefore: now,
         expires: now.Add(permissionRequirement.Expiration),
         signingCredentials: permissionRequirement.SigningCredentials
     );
     var  encodedJwt =  new  JwtSecurityTokenHandler().WriteToken(jwt);
     var  response =  new
     {
         Status =  true ,
         access_token = encodedJwt,
         expires_in = permissionRequirement.Expiration.TotalMilliseconds,
         token_type =  "Bearer"
     };
     return  response;
}

  

Permission.cs并发


/// <summary>
/// 用户或角色或其余凭据实体
/// </summary>
public  class  Permission
{
     /// <summary>
     /// 用户或角色或其余凭据名称
     /// </summary>
     public  virtual  string  Name
     get set ; }
     /// <summary>
     /// 请求Url
     /// </summary>
     public  virtual  string  Url
     get set ; }
}

  PermissionRequirement.cs


/// <summary>
/// 必要参数类
/// </summary>
public  class  PermissionRequirement : IAuthorizationRequirement
{
     /// <summary>
     /// 用户权限集合
     /// </summary>
     public  List<Permission> Permissions {  get private  set ; }
     /// <summary>
     /// 无权限action
     /// </summary>
     public  string  DeniedAction {  get set ; }
 
     /// <summary>
     /// 认证受权类型
     /// </summary>
     public  string  ClaimType {  internal  get set ; }
     /// <summary>
     /// 请求路径
     /// </summary>
     public  string  LoginPath {  get set ; } =  "/Api/Login" ;
     /// <summary>
     /// 发行人
     /// </summary>
     public  string  Issuer {  get set ; }
     /// <summary>
     /// 订阅人
     /// </summary>
     public  string  Audience {  get set ; }
     /// <summary>
     /// 过时时间
     /// </summary>
     public  TimeSpan Expiration {  get set ; } = TimeSpan.FromMinutes(5000);
     /// <summary>
     /// 签名验证
     /// </summary>
     public  SigningCredentials SigningCredentials {  get set ; }
 
     /// <summary>
     /// 构造
     /// </summary>
     /// <param name="deniedAction">无权限action</param>
     /// <param name="userPermissions">用户权限集合</param>
 
     /// <summary>
     /// 构造
     /// </summary>
     /// <param name="deniedAction">拒约请求的url</param>
     /// <param name="permissions">权限集合</param>
     /// <param name="claimType">声明类型</param>
     /// <param name="issuer">发行人</param>
     /// <param name="audience">订阅人</param>
     /// <param name="signingCredentials">签名验证明体</param>
     public  PermissionRequirement( string  deniedAction, List<Permission> permissions,  string  claimType,  string  issuer,  string  audience, SigningCredentials signingCredentials)
     {
         ClaimType = claimType;
         DeniedAction = deniedAction;
         Permissions = permissions;
         Issuer = issuer;
         Audience = audience;
         SigningCredentials = signingCredentials;
     }
}

 自定义策略类PermissionHandler.cs


/// <summary>
/// 权限受权Handler
/// </summary>
public  class  PermissionHandler : AuthorizationHandler<PermissionRequirement>
{   
     /// <summary>
     /// 验证方案提供对象
     /// </summary>
     public  IAuthenticationSchemeProvider Schemes {  get set ; }
     /// <summary>
     /// 自定义策略参数
     /// </summary>
     public  PermissionRequirement Requirement
     get set ; }
     /// <summary>
     /// 构造
     /// </summary>
     /// <param name="schemes"></param>
     public  PermissionHandler(IAuthenticationSchemeProvider schemes)
     {
         Schemes = schemes;
     }  
 
     protected  override  async Task HandleRequirementAsync(AuthorizationHandlerContext context, PermissionRequirement requirement)
     {
         ////赋值用户权限      
         Requirement = requirement;
         //从AuthorizationHandlerContext转成HttpContext,以便取出表求信息
         var  httpContext = (context.Resource  as  Microsoft.AspNetCore.Mvc.Filters.AuthorizationFilterContext).HttpContext;
         //请求Url
         var  questUrl = httpContext.Request.Path.Value.ToLower(); 
         //判断请求是否中止
         var  handlers = httpContext.RequestServices.GetRequiredService<IAuthenticationHandlerProvider>();
         foreach  ( var  scheme  in  await Schemes.GetRequestHandlerSchemesAsync())
         {
             var  handler = await handlers.GetHandlerAsync(httpContext, scheme.Name)  as  IAuthenticationRequestHandler;
             if  (handler !=  null  && await handler.HandleRequestAsync())
             {
                 context.Fail();
                 return ;
             }
         }
         //判断请求是否拥有凭据,即有没有登陆
         var  defaultAuthenticate = await Schemes.GetDefaultAuthenticateSchemeAsync();
         if  (defaultAuthenticate !=  null )
         {
             var  result = await httpContext.AuthenticateAsync(defaultAuthenticate.Name);
             //result?.Principal不为空即登陆成功
             if  (result?.Principal !=  null )
             {
                 httpContext.User = result.Principal;
                 //权限中是否存在请求的url
                 if  (Requirement.Permissions.GroupBy(g => g.Url).Where(w => w.Key.ToLower() == questUrl).Count() > 0)
                 {
                     var  name = httpContext.User.Claims.SingleOrDefault(s => s.Type == requirement.ClaimType).Value;
                     //验证权限
                     if  (Requirement.Permissions.Where(w => w.Name == name && w.Url.ToLower() == questUrl).Count() <= 0)
                     {
                         //无权限跳转到拒绝页面
                         httpContext.Response.Redirect(requirement.DeniedAction);
                     }
                 }
                 context.Succeed(requirement);
                 return ;
             }
         }
         //判断没有登陆时,是否访问登陆的url,而且是Post请求,并助是form表单提交类型,不然为失败
         if  (!questUrl.Equals(Requirement.LoginPath.ToLower(), StringComparison.Ordinal) && (!httpContext.Request.Method.Equals( "POST" )
            || !httpContext.Request.HasFormContentType))
         {
             context.Fail();
             return ;
         }
         context.Succeed(requirement);    
     }
}

  

新建asp.net core 2.0的web api项目,并在项目添加AuthorizePolicy.JWT如图

先设置配置文件,用户能够定义密匙和发生人,订阅人

  "Audience": {

    "Secret": "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890",

    "Issuer": "gsw",

    "Audience": "everone"

  }

在ConfigureServices中注入验证(Authentication),受权(Authorization),和JWT(JwtBearer)

Startup.cs


public  void  ConfigureServices(IServiceCollection services)
{
     //读取配置文件
     var  audienceConfig = Configuration.GetSection( "Audience" );
     var  symmetricKeyAsBase64 = audienceConfig[ "Secret" ];
     var  keyByteArray = Encoding.ASCII.GetBytes(symmetricKeyAsBase64);
     var  signingKey =  new  SymmetricSecurityKey(keyByteArray);
 
     var  tokenValidationParameters =  new  TokenValidationParameters
     {
         ValidateIssuerSigningKey =  true ,
         IssuerSigningKey = signingKey,
         ValidateIssuer =  true ,
         ValidIssuer = audienceConfig[ "Issuer" ],
         ValidateAudience =  true ,
         ValidAudience = audienceConfig[ "Audience" ],
         ValidateLifetime =  true ,
         ClockSkew = TimeSpan.Zero
     };
     var  signingCredentials =  new  SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);
     services.AddAuthorization(options =>
     {
         //这个集合模拟用户权限表,可从数据库中查询出来
         var  permission =  new  List<Permission> {
                       new  Permission {  Url= "/" , Name= "admin" },
                       new  Permission {  Url= "/api/values" , Name= "admin" },
                       new  Permission {  Url= "/" , Name= "system" },
                       new  Permission {  Url= "/api/values1" , Name= "system" }
                   };
         //若是第三个参数,是ClaimTypes.Role,上面集合的每一个元素的Name为角色名称,若是ClaimTypes.Name,即上面集合的每一个元素的Name为用户名
         var  permissionRequirement =  new  PermissionRequirement( "/api/denied" , permission, ClaimTypes.Role, audienceConfig[ "Issuer" ], audienceConfig[ "Audience" ], signingCredentials);
         options.AddPolicy( "Permission" ,
                   policy => policy.Requirements.Add(permissionRequirement));
     }).AddAuthentication(options =>
     {
         options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
         options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
     })
     .AddJwtBearer(o =>
     {
         //不使用https
         o.RequireHttpsMetadata =  false ;
         o.TokenValidationParameters = tokenValidationParameters;
     });
     //注入受权Handler
     services.AddSingleton<IAuthorizationHandler, PermissionHandler>();
     services.AddMvc();
}

  

在须要授的Controller上添加受权特性

    [Authorize("Permission")]

 

PermissionController类有两个方法,一个是登陆,验证用户名和密码是否正确,若是正确就发放Token,若是失败,验证失败,别一个成功登后的无权限导航action。


[Authorize( "Permission" )]
public  class  PermissionController : Controller
{
     /// <summary>
     /// 自定义策略参数
     /// </summary>
     PermissionRequirement _requirement;
     public  PermissionController(IAuthorizationHandler authorizationHander)
     {
         _requirement = (authorizationHander  as  PermissionHandler).Requirement;
     }
     [AllowAnonymous]
     [HttpPost( "/api/login" )]
     public  IActionResult Login( string  username, string  password, string  role)
     {
         var  isValidated = username ==  "gsw"  && password ==  "111111" ;
         if  (!isValidated)
         {
             return  new  JsonResult( new
             {
                 Status =  false ,
                 Message =  "认证失败"
             });
         }
         else
         {
             //若是是基于角色的受权策略,这里要添加用户;若是是基于角色的受权策略,这里要添加角色
             var  claims = new  Claim[]{  new  Claim(ClaimTypes.Name, username), new  Claim(ClaimTypes.Role, role) };
             //用户标识
             var  identity =  new  ClaimsIdentity(JwtBearerDefaults.AuthenticationScheme);
             identity.AddClaims(claims);
             //登陆
             HttpContext.SignInAsync(JwtBearerDefaults.AuthenticationScheme,  new  ClaimsPrincipal(identity));
             var  token = JwtToken.BuildJwtToken(claims, _requirement);
             return  new  JsonResult(token);
         }
     }
     [AllowAnonymous]
     [HttpGet( "/api/denied" )]
     public  IActionResult Denied()
     {
         return  new  JsonResult( new
         {
             Status =  false ,
             Message =  "你无权限访问"
         });
     }
}

  

下面定义一个控制台(.NetFramewrok)程序,用RestSharp来访问咱们定义的web api,其中1为admin角色登陆,2为system角色登陆,3为错误用户密码登陆,4是一个查询功能,在startup.cs中,admin角色是具备查询/api/values的权限的,因此用admin登陆是能正常访问的,用system登陆,能成功登陆,但没有权限访问/api/values,用户名密码错误,访问/aip/values,直接是没有受权的


class  Program
   {
       /// <summary>
       /// 访问Url
       /// </summary>
       static  string  _url =  "http://localhost:39286" ;
       static  void  Main( string [] args)
       {
           dynamic token =  null ;
           while  ( true )
           {
               Console.WriteLine( "一、登陆【admin】 二、登陆【system】 三、登陆【错误用户名密码】 四、查询数据 " );
               var  mark = Console.ReadLine();
               var  stopwatch =  new  Stopwatch();
               stopwatch.Start();
               switch  (mark)
               {
                   case  "1" :
                       token = AdminLogin();
                       break ;
                   case  "2" :
                       token = SystemLogin();
                       break ;
                   case  "3" :
                       token = NullLogin();
                       break ;
                   case  "4" :
                       AdminInvock(token);
                       break ;
               }
               stopwatch.Stop();
               TimeSpan timespan = stopwatch.Elapsed;
               Console.WriteLine($ "间隔时间:{timespan.TotalSeconds}" );
           }
       }
       static  dynamic NullLogin()
       {
           var  loginClient =  new  RestClient(_url);
           var  loginRequest =  new  RestRequest( "/api/login" , Method.POST);
           loginRequest.AddParameter( "username" "gswaa" );
           loginRequest.AddParameter( "password" "111111" );
           //或用用户名密码查询对应角色
           loginRequest.AddParameter( "role" "system" );
           IRestResponse loginResponse = loginClient.Execute(loginRequest);
           var  loginContent = loginResponse.Content;
           Console.WriteLine(loginContent);
           return  Newtonsoft.Json.JsonConvert.DeserializeObject(loginContent);
       }
       static  dynamic SystemLogin()
       {
           var  loginClient =  new  RestClient(_url);
           var  loginRequest =  new  RestRequest( "/api/login" , Method.POST);
           loginRequest.AddParameter( "username" "gsw" );
           loginRequest.AddParameter( "password" "111111" );
           //或用用户名密码查询对应角色
           loginRequest.AddParameter( "role" "system" );
           IRestResponse loginResponse = loginClient.Execute(loginRequest);
           var  loginContent = loginResponse.Content;
           Console.WriteLine(loginContent);
           return  Newtonsoft.Json.JsonConvert.DeserializeObject(loginContent);
       }
       static  dynamic AdminLogin()
       {
           var  loginClient =  new  RestClient(_url);
           var  loginRequest =  new  RestRequest( "/api/login" , Method.POST);
           loginRequest.AddParameter( "username" "gsw" );
           loginRequest.AddParameter( "password" "111111" );
           //或用用户名密码查询对应角色
           loginRequest.AddParameter( "role" "admin" );
           IRestResponse loginResponse = loginClient.Execute(loginRequest);
           var  loginContent = loginResponse.Content;
           Console.WriteLine(loginContent);
           return  Newtonsoft.Json.JsonConvert.DeserializeObject(loginContent);
       }
       static  void  AdminInvock(dynamic token)
       {
           var  client =  new  RestClient(_url);
           //这里要在获取的令牌字符串前加Bearer
           string  tk =  "Bearer "  + Convert.ToString(token?.access_token);
           client.AddDefaultHeader( "Authorization" , tk);
           var  request =  new  RestRequest( "/api/values" , Method.GET);
           IRestResponse response = client.Execute(request);
           var  content = response.Content;
           Console.WriteLine($ "状态:{response.StatusCode}  返回结果:{content}" );
       }
   }

  

运行结果:

 

源码:https://github.com/axzxs2001/AuthorizePolicy.JWT

原文地址:http://www.cnblogs.com/axzxs2001/p/7530929.html


.NET社区新闻,深度好文,微信中搜索dotNET跨平台或扫描二维码关注