webapi 权限控制解决方案

随着移动互联网的发展，webapi的应用越来越广泛，本文是笔者总结的webapi的认证校验案例，欢迎指出

案例分为两个功能：

　　1、用户登录，传入账号和密码到api服务器，然后服务器使用FormsAuthenticationTicket作为身份令牌处理

　　2、正式操作数据，传入登录是服务器返回的令牌数据到api服务器，服务器对令牌进行校验返回结果信息

FormsAuthenticationTicket是微软提供给我们开发人员使用，做身份认证使用的，通过认证，我们可以把关键信息存储到服务器。

具体案例

　　一、api.html页面，用于测试调用api接口

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8" />
    <title></title>
    <script src="Scripts/jquery-1.10.2.min.js"></script>
    <script>
        function Login() {
            alert("数据获取中")
            $.ajax({
                cache: true,
                type: "POST",
                url: "/api/Account/Login",
                data: $('#formLogin').serialize(),// 你的formid
                async: false,
                beforeSend: function (request) {
                    request.setRequestHeader("token", $("#token").val());
                },
                error: function (request) {
                    alert("Connection error");
                },
                success: function (data) {
                    alert("数据获取成功" + data["token"])
                    $("#token").val(data["token"]);

                    alert($("#token").val())
                }
            });
        }
        function Work() {
            alert("数据获取中")
            alert($("#token").val());
            $.ajax({
                cache: true,
                type: "POST",
                url: "/api/Work/GetData",
                data: $('#formWork').serialize(),// 你的formid
                async: false,
                beforeSend: function (request) {
                    request.setRequestHeader("token", $("#token").val());
                },
                error: function (request) {
                    alert(" ");
                },
                success: function (data) {
                    alert("数据获取成功")
                    alert(data["state"])
                }
            });


        }
    </script>
</head>
<body>
    <div id="token"></div>
    登录测试(Account)
    <form id="formLogin" method="post">
        <table>
            <tr><td> loginName： </td><td><input type="text" name="loginName" /></td></tr>
            <tr><td>password：</td><td><input type="text" name="password" /></td></tr>
        </table>
        <input type="button" onclick="Login()" value="登录" />
    </form>
    登录测试(Account)
    <form id="formWork" method="post">
        <table>
            <tr><td> loginName： </td><td><input type="text" name="loginName" /></td></tr>
          
        </table>
        <input type="button" onclick="Work()" value="登录" />
    </form>
</body>
</html>

二、登录控制器

　　

namespace _01WebApi.Controllers
{
    public class AccountController : ApiController
    {
        [AcceptVerbs("POST", "GET")]
        public HttpResponseMessage Login([FromBody]GetDataModel getData)
        {
            HttpResponseMessage result;
            string returnValue = "";
            try
            { 
                //生成票据
                string loginName =getData.loginName;
                string password = getData.password;
                FormsAuthenticationTicket token = new FormsAuthenticationTicket(0, loginName, DateTime.Now,
                              DateTime.Now.AddHours(1), true, string.Format("{0}&{1}", loginName, password),
                              FormsAuthentication.FormsCookiePath);
                //返回登录结果、用户信息、用户验证票据信息
                var Token = FormsAuthentication.Encrypt(token);


                File.WriteAllText("d:/loginName" + "_Login.txt", Token);

                returnValue = "{"token":"" + Token + ""}";

                result = new HttpResponseMessage { Content = new StringContent(returnValue, Encoding.GetEncoding("UTF-8"), "application/json") };//这里是去掉反斜杠再放回出去，json就只剩下双引号。
                return result;

            }
            catch (Exception ex)
            {
                returnValue = ex.Message.ToString().Replace("
", "").Replace("
", "");
            }
            //这里是去掉反斜杠再放回出去，json就只剩下双引号。
            result = new HttpResponseMessage { Content = new StringContent(CreateMessage(0, returnValue), Encoding.GetEncoding("UTF-8"), "application/json") };
            return result;
        }
        /// <summary>
        /// 返回参数
        /// </summary>
        /// <param name="State">状态 0 失败  1 成功</param>
        /// <param name="Msg">信息</param>
        /// <returns></returns>
        public static string CreateMessage(int State, string Msg)
        {
            string str = "{"state":"" + State + "","msg":"" + Msg + ""}";
            return str;
        }
    }
    public class GetDataModel
    {

        public string loginName { get; set; }
        public string password { get; set; }
       

    }

}

三、获取数据控制器

namespace _01WebApi.Controllers
{
    public class WorkController : ApiController
    {
        [AcceptVerbs("POST", "GET")]
        [SupportFilter]
        public HttpResponseMessage GetData([FromBody]GetDataModel getData)
        {
            HttpResponseMessage result;
            string returnValue = "";
            try
            {
                
                returnValue = "{"state":"获取数据成功"}";

                result = new HttpResponseMessage { Content = new StringContent(returnValue, Encoding.GetEncoding("UTF-8"), "application/json") };//这里是去掉反斜杠再放回出去，json就只剩下双引号。
                return result;

            }
            catch (Exception ex)
            {
                returnValue = ex.Message.ToString().Replace("
", "").Replace("
", "");
            }
            //这里是去掉反斜杠再放回出去，json就只剩下双引号。
            result = new HttpResponseMessage { Content = new StringContent(CreateMessage(0, returnValue), Encoding.GetEncoding("UTF-8"), "application/json") };
            return result;
        }
        /// <summary>
        /// 返回参数
        /// </summary>
        /// <param name="State">状态 0 失败  1 成功</param>
        /// <param name="Msg">信息</param>
        /// <returns></returns>
        public static string CreateMessage(int State, string Msg)
        {
            string str = "{"state":"" + State + "","msg":"" + Msg + ""}";
            return str;
        }
    }
}

四、在控制器上增加自定义特性来校验令牌数据

namespace _01WebApi.Common
{
    public class SupportFilter : AuthorizeAttribute
    {
        //重写基类的验证方式，加入我们自定义的Ticket验证
        public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)

        {
            //url获取token
            var content = actionContext.Request.Properties["MS_HttpContext"] as HttpContextBase;
            //获取用户提交的token数据，用于和服务器数据进行对比，来判定用户是否有效
            string token = content.Request.Headers["token"].ToString();
          
            if (!string.IsNullOrEmpty(token))
            {
                //解密用户ticket,并校验用户名密码是否匹配
                if (ValidateTicket(token))
                {
                    base.IsAuthorized(actionContext);
                }
                else
                {
                    HandleUnauthorizedRequest(actionContext);
                }
            }
            //如果取不到身份验证信息，并且不允许匿名访问，则返回未验证401
            else
            {
                var attributes = actionContext.ActionDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().OfType<AllowAnonymousAttribute>();
                bool isAnonymous = attributes.Any(a => a is AllowAnonymousAttribute);
                if (isAnonymous) base.OnAuthorization(actionContext);
                else HandleUnauthorizedRequest(actionContext);
            }
        }

        //校验用户名密码（对Session匹配，或数据库数据匹配）
        private bool ValidateTicket(string encryptToken)
        {
            //解密Ticket,并且获取UserData的值
            var strTicket = FormsAuthentication.Decrypt(encryptToken).UserData;

            //从Ticket里面获取用户名和密码
            var index = strTicket.IndexOf("&");
            string loginName = strTicket.Substring(0, index);
            string password = strTicket.Substring(index + 1);
        
           //获取存储在服务器上面的token数据
            string token = File.ReadAllText("d:/loginName" + "_Login.txt");
            if (token == null)
            {
                return false;
            }
            //对比服务器中的令牌和传入的是否相等
            if (token.ToString() == encryptToken)
            {
                return true;
            }

            return false;

        }
    }
}