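/// <summary>
/// Authorization filter: when the request carries no user, runs the
/// token/ticket handshake with the external login provider ("P").
/// </summary>
/// <remarks>
/// Flow, as implemented here:
///  1. <see cref="AuthCodeEnum.Public"/> actions need no user and pass through.
///  2. Otherwise a one-time token is minted, cached for 20 minutes and the
///     client is handed a script that sends it to the provider; the provider
///     calls back with the same <c>Token</c> plus a <c>Ticket</c>.
///  3. The ticket is exchanged for user info via <see cref="LoginService"/>,
///     which is stored in session, and the token is removed from the cache
///     so it cannot be replayed.
/// NOTE(review): the token lives in the application-wide cache under ONE key
/// (<c>ConstantHelper.TOKEN_KEY</c>), not per client, so two concurrent logins
/// overwrite each other's token and the slower client's callback is rejected;
/// a per-session key would avoid that.
/// </remarks>
/// <param name="filterContext">MVC action context; <c>Result</c> is set to short-circuit the action.</param>
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
    // Already authenticated: nothing to do.
    if (Common.CurrentUser != null)
    {
        return;
    }

    // Public actions need no identity.
    if (Code == AuthCodeEnum.Public)
    {
        return;
    }

    var request = filterContext.HttpContext.Request;
    var session = filterContext.HttpContext.Session;
    Cache cache = HttpContext.Current.Cache;

    string reqToken = request["Token"];
    string ticket = request["Ticket"];

    // (Re)start the handshake: mint a fresh one-time token, cache it with a
    // 20-minute absolute expiry, and answer with the provider redirect script.
    void Challenge()
    {
        DateTime timestamp = DateTime.Now;
        string returnUrl = request.Url.AbsoluteUri;
        var fresh = new TokenModel { TimeStamp = timestamp, Token = AuthernUtil.CreateToken(timestamp) };
        cache.Add(ConstantHelper.TOKEN_KEY, fresh, null, DateTime.Now.AddMinutes(20),
            Cache.NoSlidingExpiration, CacheItemPriority.Default, null);
        filterContext.Result = new ContentResult
        {
            // NOTE(review): returnUrl is the request URL verbatim and is embedded in a
            // script by GetAuthernScript — confirm it is escaped there.
            Content = GetAuthernScript(AuthernUtil.GetAutherUrl(fresh.Token, timestamp), returnUrl)
        };
    }

    // A page load without both callback parameters is a fresh start: drop any stale token.
    if (string.IsNullOrEmpty(reqToken) || string.IsNullOrEmpty(ticket))
    {
        cache.Remove(ConstantHelper.TOKEN_KEY);
    }

    // Missing ticket, or a token that is absent / no longer cached / not the one we
    // issued: run the handshake again.
    var cached = cache.Get(ConstantHelper.TOKEN_KEY) as TokenModel;
    if (string.IsNullOrEmpty(reqToken) || string.IsNullOrEmpty(ticket) || cached == null
        || !string.Equals(cached.Token, reqToken, StringComparison.Ordinal))
    {
        Challenge();
        return;
    }

    // Exchange the provider ticket for user info.
    var userinfo = new LoginService().GetUserInfo(ticket);

    // The token is single-use: drop it whether or not the ticket was accepted.
    cache.Remove(ConstantHelper.TOKEN_KEY);

    // Fix: the original stored whatever GetUserInfo returned (possibly null for a
    // rejected or forged ticket) and then let the action run. A ticket that yields
    // no user must not pass the filter; restart the handshake instead.
    if (userinfo == null)
    {
        Challenge();
        return;
    }

    session[ConstantHelper.USER_SESSION_KEY] = userinfo;
}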
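/// <summary>
/// Checks that <paramref name="token"/> is exactly the token
/// <see cref="AuthernUtil.CreateToken"/> derives from <paramref name="timestamp"/>.
/// </summary>
/// <remarks>
/// Only the token/timestamp binding is checked; nothing here limits how old
/// <paramref name="timestamp"/> may be, so a caller that takes the timestamp from the
/// request must enforce freshness itself. The comparison runs over the full length in
/// constant time so response timing does not reveal how many leading characters of a
/// guessed token were right (a plain <c>==</c> stops at the first difference).
/// </remarks>
/// <param name="token">Token supplied by the client; may be null.</param>
/// <param name="timestamp">Timestamp the token is claimed to have been issued for.</param>
/// <returns>true if the token matches; false for a null, wrong-length or mismatched token.</returns>
public bool AuthernVertify(string token, DateTime timestamp)
{
    string expected = AuthernUtil.CreateToken(timestamp);

    // A null client token never verifies (the original returned true when both sides were null).
    if (token == null || expected == null || token.Length != expected.Length)
    {
        return false;
    }

    int diff = 0;
    for (int i = 0; i < expected.Length; i++)
    {
        diff |= expected[i] ^ token[i];
    }
    return diff == 0;
}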
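/// <summary>
/// Checks that <paramref name="token"/> is exactly the token
/// <see cref="AuthernUtil.CreateToken"/> derives from <paramref name="timestamp"/>.
/// </summary>
/// <remarks>
/// Only the token/timestamp binding is checked; nothing here limits how old
/// <paramref name="timestamp"/> may be, so a caller that takes the timestamp from the
/// request must enforce freshness itself. The comparison runs over the full length in
/// constant time so response timing does not reveal how many leading characters of a
/// guessed token were right (a plain <c>==</c> stops at the first difference).
/// </remarks>
/// <param name="token">Token supplied by the client; may be null.</param>
/// <param name="timestamp">Timestamp the token is claimed to have been issued for.</param>
/// <returns>true if the token matches; false for a null, wrong-length or mismatched token.</returns>
public static bool AuthernVertify(string token, DateTime timestamp)
{
    string expected = AuthernUtil.CreateToken(timestamp);

    // A null client token never verifies (the original returned true when both sides were null).
    if (token == null || expected == null || token.Length != expected.Length)
    {
        return false;
    }

    int diff = 0;
    for (int i = 0; i < expected.Length; i++)
    {
        diff |= expected[i] ^ token[i];
    }
    return diff == 0;
}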
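/// <summary>
/// Authorization filter with two modes selected by <c>Code</c>:
/// <list type="bullet">
/// <item><see cref="AuthCodeEnum.Login"/>: if no current user, run the token/ticket
/// handshake with the external login provider.</item>
/// <item><see cref="AuthCodeEnum.HashCheck"/>: require a signed, time-limited URL
/// (<c>time</c> and <c>hash</c> parameters).</item>
/// </list>
/// Actions marked <see cref="AllowAnonymousAttribute"/> skip authorization entirely.
/// </summary>
/// <param name="filterContext">MVC action context; <c>Result</c> is set to short-circuit the action.</param>
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
    if (filterContext.ActionDescriptor.GetCustomAttributes(typeof(AllowAnonymousAttribute), true).Length > 0)
    {
        filterContext.HttpContext.SkipAuthorization = true;
        return;
    }

    if (Code is AuthCodeEnum.Login)
    {
        RunLoginHandshake(filterContext);
    }
    else if (Code is AuthCodeEnum.HashCheck)
    {
        RunUrlHashCheck(filterContext);
    }
}

/// <summary>
/// Login mode. With no current user, mints a one-time token (cached for 20 minutes
/// under <c>Constants.TOKEN_KEY</c>), sends the client to the provider, and on the
/// callback exchanges the returned ticket for user info stored via <c>SetByRedis</c>.
/// NOTE(review): the cache key is application-wide, not per client, so concurrent
/// logins overwrite each other's token and the slower client's callback is rejected.
/// </summary>
private void RunLoginHandshake(ActionExecutingContext filterContext)
{
    // Already authenticated: nothing to do.
    if (AuthernUtil.CurrentUser != null)
    {
        return;
    }

    var request = filterContext.HttpContext.Request;
    var session = filterContext.HttpContext.Session;
    Cache cache = HttpContext.Current.Cache;

    string reqToken = request["token"];
    // The ticket may arrive as a parameter or in the Authorization header.
    string ticket = request["ticket"] ?? request.Headers["Authorization"];

    // (Re)start the handshake: fresh one-time token, 20-minute absolute expiry,
    // and the provider redirect script as the response.
    void Challenge()
    {
        DateTime timestamp = DateTime.Now;
        string returnUrl = request.Url.AbsoluteUri;
        var fresh = new TokenModel { TimeStamp = timestamp, Token = AuthernUtil.CreateToken(timestamp) };
        cache.Add(Constants.TOKEN_KEY, fresh, null, DateTime.Now.AddMinutes(20),
            Cache.NoSlidingExpiration, CacheItemPriority.Default, null);
        filterContext.Result = new ContentResult
        {
            // NOTE(review): returnUrl is the request URL verbatim and is embedded in a
            // script by GetAuthernScript — confirm it is escaped there.
            Content = GetAuthernScript(AuthernUtil.GetAuthorityUrl(fresh.Token, timestamp), returnUrl)
        };
    }

    // A page load without both callback parameters is a fresh start: drop any stale token.
    if (string.IsNullOrEmpty(reqToken) || string.IsNullOrEmpty(ticket))
    {
        cache.Remove(Constants.TOKEN_KEY);
    }

    // Missing ticket, or a token that is absent / no longer cached / not the one we
    // issued: run the handshake again.
    var cached = cache.Get(Constants.TOKEN_KEY) as TokenModel;
    if (string.IsNullOrEmpty(reqToken) || string.IsNullOrEmpty(ticket) || cached == null
        || !string.Equals(cached.Token, reqToken, StringComparison.Ordinal))
    {
        Challenge();
        return;
    }

    var userinfo = LoginService.GetUserInfo(ticket);

    // The token is single-use: drop it whether or not the ticket was accepted.
    cache.Remove(Constants.TOKEN_KEY);

    // Fix: the original stored whatever GetUserInfo returned (possibly null for a
    // rejected or forged ticket) and then let the action run. A ticket that yields
    // no user must not pass the filter; restart the handshake instead.
    if (userinfo == null)
    {
        Challenge();
        return;
    }

    session.SetByRedis(userinfo, Constants.USER_SESSION_KEY);
}

/// <summary>
/// HashCheck mode. The request must carry <c>time</c> (issue timestamp, seconds) and
/// <c>hash</c> = MDString(time + salt). Rejected with a JSON body when a parameter is
/// missing, the URL is older than 12 hours, or the hash does not match.
/// </summary>
private void RunUrlHashCheck(ActionExecutingContext filterContext)
{
    var sec = DateTime.Now.GetTotalSeconds(); // current timestamp, seconds
    var isGet = string.Equals(filterContext.RequestContext.HttpContext.Request.HttpMethod, "get",
        StringComparison.OrdinalIgnoreCase);

    // GET reads the query string; anything else reads the bound value (form/route).
    // Fix: GetValue() returns null when the parameter is absent, so a non-GET request
    // without time/hash used to throw NullReferenceException instead of being rejected.
    var time = isGet
        ? filterContext.HttpContext.Request["time"] ?? String.Empty
        : filterContext.Controller.ValueProvider.GetValue("time")?.AttemptedValue ?? String.Empty;
    var hash = isGet
        ? filterContext.HttpContext.Request["hash"] ?? String.Empty
        : filterContext.Controller.ValueProvider.GetValue("hash")?.AttemptedValue ?? String.Empty;

    if (string.IsNullOrEmpty(time) || string.IsNullOrEmpty(hash))
    {
        filterContext.Result = RejectWithJson("URL参数不完整!");
        return;
    }

    // A URL is valid for 12 hours after its time parameter. Only the past bound is checked;
    // ToInt32() is a project extension whose behaviour on non-numeric input is not visible here.
    if (sec - time.ToInt32() > 43200)
    {
        filterContext.Result = RejectWithJson("该URL已经失效!");
        return;
    }

    // NOTE(review): when "encryptSalt" is missing from appSettings the signing secret falls
    // back to a value derived from a literal in this source file, so anyone with the code can
    // forge valid URLs. A missing setting should be treated as a deployment error.
    string salt = ConfigurationManager.AppSettings["encryptSalt"] ?? "masuit".DesEncrypt();
    string expected = (time + salt).MDString();

    // Case-insensitive (hex digest) and constant-time, so response timing does not
    // reveal how much of a guessed hash was right.
    if (!FixedTimeEquals(hash.ToUpperInvariant(), expected.ToUpperInvariant()))
    {
        filterContext.Result = RejectWithJson("URL无效!");
    }
    // Otherwise the hash matches: let the action run.
}

/// <summary>Builds the JSON body HashCheck mode answers a rejected request with.</summary>
/// <param name="message">User-facing reason.</param>
private static JsonResult RejectWithJson(string message) => new JsonResult
{
    Data = new { Success = false, Message = message },
    JsonRequestBehavior = JsonRequestBehavior.AllowGet,
    ContentEncoding = Encoding.UTF8,
    ContentType = "application/json"
};

/// <summary>
/// Ordinal string equality that touches every character regardless of where the
/// first mismatch is. Length is compared up front (the digest length is not secret).
/// </summary>
private static bool FixedTimeEquals(string a, string b)
{
    if (a == null || b == null || a.Length != b.Length)
    {
        return false;
    }

    int diff = 0;
    for (int i = 0; i < a.Length; i++)
    {
        diff |= a[i] ^ b[i];
    }
    return diff == 0;
}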