  • C# webapi 权限验证

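        /// <summary>
        /// 自定义此特性用于接口的身份验证
        /// Custom authorization filter: the caller presents a shared ticket in the
        /// <c>Authorization</c> header (in the header's scheme slot, as the original author
        /// designed it) and the ticket is compared against <c>Config.Authorization</c>.
        /// </summary>
        public class RequestAuthorizeAttribute : AuthorizeAttribute
        {
            static readonly ILog log = LogManager.GetLogger(typeof(RequestAuthorizeAttribute));

            /// <summary>
            /// 重写基类的验证方式,加入我们自定义的Ticket验证
            /// Lets the request through when it carries a valid ticket and rejects it
            /// otherwise; <c>[AllowAnonymous]</c> on the action or controller bypasses the check.
            /// </summary>
            /// <param name="actionContext">The action being authorized.</param>
            public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
            {
                // [AllowAnonymous] is honoured before looking at credentials, so an anonymous
                // endpoint is reachable even when the caller sends a stale or wrong ticket.
                // base.OnAuthorization itself returns early for anonymous actions.
                if (IsAnonymousAllowed(actionContext))
                {
                    base.OnAuthorization(actionContext);
                    return;
                }

                // 从http请求的头里面获取身份验证信息
                var authorization = actionContext.Request.Headers.Authorization;
                if (authorization == null)
                {
                    // 如果取不到身份验证信息,并且不允许匿名访问,则拒绝请求
                    HandleUnauthorizedRequest(actionContext);
                    return;
                }

                // The ticket is carried in the scheme part of the header (original design).
                var encryptTicket = authorization.Scheme;

                // Never write the ticket itself to the log: it is a credential and log files
                // are usually far less protected than the configuration that holds it.
                log.Debug("Authorization header present, ticket length: " + (encryptTicket == null ? 0 : encryptTicket.Length));

                if (!ValidateTicket(encryptTicket))
                {
                    HandleUnauthorizedRequest(actionContext);
                }
                // A valid ticket admits the request. The original code called
                // base.IsAuthorized(actionContext) here and discarded the result; since no
                // principal is established by this filter, that call had no effect and is omitted.
            }

            /// <summary>
            /// Rejects the request with a JSON error body.
            /// </summary>
            /// <param name="actioncontext">The action being rejected.</param>
            protected override void HandleUnauthorizedRequest(HttpActionContext actioncontext)
            {
                base.HandleUnauthorizedRequest(actioncontext);

                // NOTE(review): the base call above prepares a 401 response; it is then
                // overwritten with 403 so existing clients keep seeing the status they expect.
                // A missing/invalid credential is conventionally 401 — change only together
                // with the clients.
                var response = actioncontext.Response = actioncontext.Response ?? new HttpResponseMessage();
                response.StatusCode = HttpStatusCode.Forbidden;
                var content = new
                {
                    code = -1,
                    success = false,
                    errs = new[] { "服务端拒绝访问:你没有权限,或者掉线了" }
                };
                response.Content = new StringContent(Json.Encode(content), Encoding.UTF8, "application/json");
            }

            // True when [AllowAnonymous] is declared on the action or on its controller.
            // The original inspected only the action, so a controller-level attribute was ignored.
            private static bool IsAnonymousAllowed(HttpActionContext actionContext)
            {
                return actionContext.ActionDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().Any()
                    || actionContext.ControllerContext.ControllerDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().Any();
            }

            // 校验ticket(正式环境中应该是数据库校验)
            // Compares the presented ticket with the configured one. The comparison stays
            // case-insensitive, as in the original, but runs in time independent of the
            // position of the first mismatch so response timing does not leak the expected value.
            // The original's unreachable code after the return (a FormsAuthentication decrypt
            // path with a hard-coded username/password) has been removed.
            private bool ValidateTicket(string encryptTicket)
            {
                var expected = Config.Authorization;

                // The original dereferenced both strings unconditionally and would throw on null.
                if (string.IsNullOrEmpty(encryptTicket) || string.IsNullOrEmpty(expected))
                {
                    return false;
                }

                return FixedTimeEquals(encryptTicket.ToUpperInvariant(), expected.ToUpperInvariant());
            }

            // Ordinal equality that touches every character of both inputs when lengths match.
            // A length mismatch returns immediately; that reveals only the configured
            // ticket's length, not its content.
            private static bool FixedTimeEquals(string a, string b)
            {
                if (a.Length != b.Length)
                {
                    return false;
                }

                int diff = 0;
                for (int i = 0; i < a.Length; i++)
                {
                    diff |= a[i] ^ b[i];
                }
                return diff == 0;
            }
        }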

    在方法或者控制器上加上属性

        [RequestAuthorize]

    来源 https://www.cnblogs.com/hnsongbiao/p/9376076.html

  • 原文地址:https://www.cnblogs.com/su-king/p/12167249.html