MVC Dynamic Authorization -- the example validates just before the action; the check should be moved earlier, into the Auth filter
2014-04-14 10:06
Introduction
In MVC, the default way to perform authorization is to hard-code the "Authorize" attribute in the controllers, for each action. In this article I will explain a simple way to implement "Dynamic Authorization", with the ability to assign permissions for actions to roles or users.
Using the code
First I will explain my user authentication and role-assignment model. I have used Forms Authentication in this scenario; here is my sample login action:
```csharp
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public ActionResult Login(LoginModel model, string returnUrl)
{
    // sample data
    Dictionary<string, string> users = new Dictionary<string, string>();
    users.Add("admin", "admin-pass");

    // TryGetValue avoids a KeyNotFoundException for an unknown user name
    string password;
    if (users.TryGetValue(model.UserName, out password) && password == model.Password)
    {
        Session["User"] = model.UserName;
        string roles = "admin;customer";
        // put the roles of the user in the Session
        Session["Roles"] = roles;
        HttpContext.Items.Add("roles", roles);
        // Let us now set the authentication cookie so that we can use that later.
        FormsAuthentication.SetAuthCookie(model.UserName, false);
        // Login successful: send the user to the requested page.
        // RedirectToLocal is not shown on this page; it is assumed to be a helper
        // that follows only local URLs, as in the MVC account template.
        return RedirectToLocal(returnUrl);
    }
    else
    {
        // If we got this far, something failed, redisplay form
        ModelState.AddModelError("", "The user name or password provided is incorrect");
        return View(model);
    }
}
```
All the actions that need authentication have to be loaded into a list, along with all of the roles and the actions each role has access to. I have put in some sample data to simulate them: "AllRoles" and "NeedAuthenticationActions". Then we need to create a base class for controllers in which I have overridden the OnActionExecuting method. There the user is authorized based on his/her current role and on whether he/she has logged in; an action may also need no authorization at all.
```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public class ControllerBase : Controller
{
    private string ActionKey;

    // sample data for the roles of the application
    Dictionary<string, List<string>> AllRoles = new Dictionary<string, List<string>>();

    public ControllerBase()
    {
        // fill the sample role data; without this call AllRoles stays empty
        initRoles();
    }

    protected void initRoles()
    {
        AllRoles.Add("role1", new List<string>() { "Controller1-View", "Controller1-Create", "Controller1-Edit", "Controller1-Delete" });
        AllRoles.Add("role2", new List<string>() { "Controller1-View", "Controller1-Create" });
        AllRoles.Add("role3", new List<string>() { "Controller1-View" });
    }

    // sample data for the pages that need authorization
    List<string> NeedAuthenticationActions = new List<string>() { "Controller1-Edit", "Controller1-Delete" };

    protected override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        ActionKey = filterContext.ActionDescriptor.ControllerDescriptor.ControllerName + "-" + filterContext.ActionDescriptor.ActionName;

        if (NeedAuthenticationActions.Any(s => s.Equals(ActionKey, StringComparison.OrdinalIgnoreCase)))
        {
            if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
            {
                // encode the return URL so its own query string survives the redirect
                string redirectUrl = "?returnUrl=" + HttpUtility.UrlEncode(filterContext.HttpContext.Request.Url.PathAndQuery);
                // setting Result stops the action from running
                filterContext.Result = new RedirectResult(FormsAuthentication.LoginUrl + redirectUrl);
            }
            else // check role
            {
                // the login action stores the roles as a ';'-separated string;
                // the session may be empty even when the auth cookie is still valid
                string roles = Session["Roles"] as string ?? "";
                bool allowed = roles.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries)
                    .Any(role => AllRoles.ContainsKey(role)
                        && AllRoles[role].Contains(ActionKey, StringComparer.OrdinalIgnoreCase));
                if (!allowed)
                {
                    filterContext.Result = new RedirectResult("~/NoAccess");
                }
            }
        }
    }
}
```
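The same check moved into the authorization filter stage, which MVC runs before model binding and before any action filter, as the title recommends. This is an added example, not the article's code: `DynamicAuthorizeAttribute` is a hypothetical name, and the sample data is copied from the article's `ControllerBase`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;

// Hypothetical filter; register once with GlobalFilters.Filters.Add(new DynamicAuthorizeAttribute()).
public class DynamicAuthorizeAttribute : FilterAttribute, IAuthorizationFilter
{
    // Sample data copied from the article's ControllerBase.
    private static readonly Dictionary<string, string[]> AllRoles =
        new Dictionary<string, string[]>
        {
            { "role1", new[] { "Controller1-View", "Controller1-Create", "Controller1-Edit", "Controller1-Delete" } },
            { "role2", new[] { "Controller1-View", "Controller1-Create" } },
            { "role3", new[] { "Controller1-View" } }
        };
    private static readonly string[] NeedAuthenticationActions = { "Controller1-Edit", "Controller1-Delete" };

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        ActionDescriptor action = filterContext.ActionDescriptor;
        string actionKey = action.ControllerDescriptor.ControllerName + "-" + action.ActionName;

        // Actions that are not listed stay open to everyone.
        if (!NeedAuthenticationActions.Contains(actionKey, StringComparer.OrdinalIgnoreCase))
            return;

        var http = filterContext.HttpContext;
        if (!http.User.Identity.IsAuthenticated)
        {
            // 401: Forms Authentication turns this into a redirect to the login page.
            filterContext.Result = new HttpUnauthorizedResult();
            return;
        }

        // Session["Roles"] holds a ';'-separated list; a missing or expired session means no roles.
        string roles = http.Session == null ? null : http.Session["Roles"] as string;
        bool allowed = (roles ?? "")
            .Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries)
            .Any(role =>
            {
                string[] permitted;
                return AllRoles.TryGetValue(role, out permitted)
                    && permitted.Contains(actionKey, StringComparer.OrdinalIgnoreCase);
            });

        // Setting Result short-circuits the pipeline: model binding and the action never run.
        if (!allowed)
            filterContext.Result = new RedirectResult("~/NoAccess");
    }
}
```

Registered as a global filter, the check also covers controllers that do not inherit from the base class, so a new controller cannot skip it by accident.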
Points of Interest