我们要实现下面的效果,某个controller,只允许某几个角色访问(admin,user,document controller)

// Usage example: Roles is a comma-separated list, and a caller needs at least one of the
// listed roles to reach any action on this controller. Role names are compared as plain
// strings, so they must match the names stored for the user exactly (including the space
// in "Document Controller").
[MyAuthorize(Roles = "Admin,User,Document Controller")]
    public class ClassController : Controller

 

首先,登录的时候,要把用户的角色从 DB 拿出来,放到 FormsAuthenticationTicket 的 UserData 里(假设我们使用 Forms 认证)。

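 // Load every role row for this user. ToList() yields an empty list (never null) when the
 // user has no roles, so the emptiness test below replaces the original null check.
 var userRoles = db.TN_Role.Where(t => t.User_Code.Equals(UserCode)).ToList();

 // Keep the roles that are global (Company_ID == null) or belong to the selected company.
 // The null test runs first so Equals is never invoked on a null Company_ID.
 var grantedRoles = userRoles
     .Where(r => r.Company_ID == null || r.Company_ID.Equals(CompanyId))
     .Select(r => r.Role)
     .Distinct()
     .ToList();

 if (grantedRoles.Count == 0)
     return false;

 // Session keeps the first matching role, exactly as before.
 Session["Role"] = grantedRoles[0];

 // The ticket carries ALL matching roles as a comma-separated list, because the authorize
 // filter splits UserData on ','. Role names therefore must not contain a comma, and the
 // list has to stay small enough for the encrypted ticket to fit in a cookie.
 var issuedAt = DateTime.Now;
 var authTicket = new FormsAuthenticationTicket(
     1,                               // ticket version
     UserCode,                        // identity name
     issuedAt,
     issuedAt.AddMinutes(30),         // expiry
     false,                           // not persistent
     string.Join(",", grantedRoles),  // UserData: roles read back on every request
     "/");

 // The ticket is the user's credential: keep it away from script (HttpOnly) and send it
 // over HTTPS only when the forms configuration requires SSL (requireSSL in web.config;
 // enable it on any HTTPS site).
 var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                             FormsAuthentication.Encrypt(authTicket))
 {
     HttpOnly = true,
     Secure = FormsAuthentication.RequireSSL
 };
 Response.Cookies.Add(cookie);

 // NOTE(review): this cookie is neither encrypted nor signed, so on later requests its
 // value is whatever the browser sends. Do not base tenant or permission decisions on it
 // without re-checking against the database for the authenticated user.
 Response.Cookies.Set(new HttpCookie("Company", CompanyId.ToString()));

 return true;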

重写AuthorizeAttribute

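    /// <summary>
    /// Authorization filter that rebuilds the request principal from the forms-authentication
    /// ticket, using the ticket's UserData (a comma-separated role list) as the user's roles,
    /// and then lets <see cref="AuthorizeAttribute"/> perform the usual Users/Roles check.
    /// </summary>
    /// <remarks>
    /// Roles come from the ticket, not from the database, so a role change or revocation is
    /// not seen by this filter until the user receives a new ticket.
    /// </remarks>
    [AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, Inherited = true, AllowMultiple = true)]
    public class MyAuthorizeAttribute : AuthorizeAttribute
    {
        /// <summary>
        /// Replaces <c>HttpContext.User</c> with a principal built from the forms ticket and
        /// delegates the decision to the base attribute.
        /// </summary>
        /// <param name="filterContext">The authorization context of the current request.</param>
        /// <exception cref="ArgumentNullException"><paramref name="filterContext"/> is null.</exception>
        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            if (filterContext == null)
            {
                throw new ArgumentNullException("filterContext");
            }

            var httpContext = filterContext.HttpContext;

            // Anonymous request: hand it to the base implementation unchanged. It rejects
            // unauthenticated users itself and, on MVC versions that support it, still
            // honours [AllowAnonymous]; rejecting here first would bypass that.
            if (!httpContext.User.Identity.IsAuthenticated)
            {
                base.OnAuthorization(filterContext);
                return;
            }

            var cookies = httpContext.Request.Cookies;
            var authCookie = cookies == null ? null : cookies[FormsAuthentication.FormsCookieName];
            var authTicket = authCookie == null ? null : TryDecryptTicket(authCookie.Value);

            // Fail closed: no cookie, an unreadable cookie or an expired ticket never yields roles.
            if (authTicket == null || authTicket.Expired)
            {
                HandleUnauthorizedRequest(filterContext);
                return;
            }

            // Empty entries are dropped so an empty UserData does not produce a role named "".
            string[] roles = (authTicket.UserData ?? string.Empty)
                .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);

            var userIdentity = new GenericIdentity(authTicket.Name);
            filterContext.HttpContext.User = new GenericPrincipal(userIdentity, roles);

            base.OnAuthorization(filterContext);
        }

        /// <summary>
        /// Decrypts a forms-authentication cookie value, returning null instead of throwing
        /// when the value is empty, malformed or cannot be decrypted.
        /// </summary>
        /// <param name="encryptedTicket">The raw cookie value sent by the client.</param>
        /// <returns>The decrypted ticket, or null when the value is unusable.</returns>
        private static FormsAuthenticationTicket TryDecryptTicket(string encryptedTicket)
        {
            if (string.IsNullOrEmpty(encryptedTicket))
            {
                return null;
            }

            try
            {
                return FormsAuthentication.Decrypt(encryptedTicket);
            }
            catch (ArgumentException)
            {
                // The cookie value is client-controlled; a malformed value is treated as "no ticket".
                return null;
            }
            catch (System.Security.Cryptography.CryptographicException)
            {
                return null;
            }
        }
    }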

 

这个方法的缺陷: 只适合权限比较简单的情况。当新增角色或者角色改变时,只能修改每个 Action 对应的特性,当项目较大时工作量也很大。另外,角色是在登录时写入票据的,角色变更或撤销要等票据过期或用户重新登录后才会生效。

 
