在我的MVC 5应用程序中,我按如下方式装饰我的控制器:
[Authorize]
public class Controller
{
..
但是,我有一个要求是使用令牌来授权操作而无需进入登录屏幕。即:http://{website}/Action?token={/* token for this user */}
因此,如何开发接受登录(默认行为)或令牌(自定义,必需行为)的自定义AuthorizeAttribute?
换句话说,如果我使用http://{website}/Action
,我将被重定向到登录屏幕(如果我没有被授权),但如果我使用http://{website}/Action?token={/* token for this user */}
,我将被授权并重定向到所述行动。
[TokenAuthorize]
类
public class TokenAuthorize : AuthorizeAttribute
{
private const string SecureToken = "token";
public override void OnAuthorization(AuthorizationContext filterContext)
{
if (Authorize(filterContext))
{
return;
}
HandleUnauthorizedRequest(filterContext);
}
private bool Authorize(AuthorizationContext actionContext)
{
try
{
HttpRequestBase request = actionContext.RequestContext.HttpContext.Request;
string token = request.Params[SecureToken];
return SecurityManager.IsTokenValid(token);
}
catch (Exception)
{
return false;
}
}
}
如果我装饰我的控制器:
[Authorize]
[TokenAuthorize]
public class Controller
{
..
它被处理为Authorize
和TokenAuthorize
(1)。我需要开发一种处理方法,如Authorize
或TokenAuthorize
如果没有令牌存在,如何仅使用TokenAuthorize
进行装饰然后再回到默认行为?
TokenAuthorize.cs
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
bool isTokenAuthorized = HasValidToken(...);
if(isTokenAuthorized) return true;
bool isDefaultAuthorized = base.AuthorizeCore(httpContext);
if(isDefaultAuthorized) return true;
return false;
}
MyController.cs
[TokenAuthorize]
public class MyController
{
...
}
Shoe的answer带领我走上正轨。
我实施了他的建议并在我的Authorize
函数中做了以下事情:
private bool Authorize(AuthorizationContext actionContext)
{
try
{
HttpContextBase context = actionContext.RequestContext.HttpContext;
string token = context.Request.Params[SecurityToken];
bool isTokenAuthorized = SecurityManager.IsTokenValid(token);
if (isTokenAuthorized) return true;
bool isDefaultAuthorized = AuthorizeCore(context);
return isDefaultAuthorized;
}
catch (Exception)
{
return false;
}
}
使用[TokenAuthorize]
进行装饰,我可以通过登录(默认)或通过令牌授权操作。
public class TokenAuthorize : AuthorizeAttribute
{
string _connectionString;
public override void OnAuthorization(AuthorizationContext filterContext)
{
if (Authorize(filterContext))
{
return;
}
HandleUnauthorizedRequest(filterContext);
}
protected bool Authorize(AuthorizationContext httpContext)
{
bool isTokenAuthorized = HasValidToken();
if(isTokenAuthorized) return true;
return false;
}
protected bool HasValidToken()
{
string token = string.Empty;
token = HttpContext.Current.Request.Params["token"];
_connectionString = WebConfigurationManager.ConnectionStrings["SqlConnectionString"].ConnectionString;
SqlTransaction txn = null;
using (SqlConnection conn = new SqlConnection(_connectionString))
{
conn.Open();
txn = conn.BeginTransaction();
List<SqlParameter> parameters = new List<SqlParameter>();
SqlParameter parameter = new SqlParameter();
parameters.Add(new SqlParameter("@token", token));
parameter = new SqlParameter("@return_ops", 0);
parameter.Direction = ParameterDirection.Output;
parameters.Add(parameter);
SqlHelper.ExecuteNonQuery(txn, CommandType.StoredProcedure, "[master_LoggedInUsers]", parameters.ToArray());
int result = Convert.ToInt32(parameters[1].Value);
if (result <= 0)
{
return false;
}
else return true;
}
}
}
[TokenAuthorize]公共类MasterController:Controller {}