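public override void OnActionExecuting(ActionExecutingContext filterContext)
{
    // Authorization filter: the action only runs if the user named by the "userId"
    // action parameter holds authority for the requested local path.
    // Every failure path inside this filter ends in a denial (fail closed).
    try
    {
        string authorityUrl = filterContext.HttpContext.Request.Url.LocalPath;

        object rawUserId;
        if (!filterContext.ActionParameters.TryGetValue("userId", out rawUserId))
        {
            // No "userId" bound to this action: there is nothing to authorize against,
            // so deny explicitly instead of letting the missing key surface as an exception.
            filterContext.Result = new AccessFailResult();
            return;
        }

        // NOTE(review): userId comes from the bound action parameters, i.e. it is
        // request-supplied; confirm upstream that it is tied to the authenticated caller.
        long userId = Convert.ToInt64(rawUserId);

        if (!_permissionManage.HaveAuthority(userId, authorityUrl))
        {
            // 未授权的访问 — unauthorized access
            filterContext.Result = new AccessFailResult();
        }
    }
    catch (Exception)
    {
        // Conversion or permission-lookup failure: answer with a generic denial rather
        // than surfacing a server error. The original cause is intentionally not exposed.
        var accessFailResult = new AccessFailResult();
        accessFailResult.AuthorizedFailedMessage = "系统处理异常!";
        filterContext.Result = accessFailResult;
    }
}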
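public override void OnActionExecuting(ActionExecutingContext filterContext)
{
    // Request-signature filter. Unless the route is on the exemption list, the request must
    // carry Token / encrypt / cur_time form fields and "encrypt" must equal
    // MD5(lower(sorted form values + server-side login token + shared key)).
    string controllerName = Convert.ToString(filterContext.RouteData.Values["controller"]);
    string actionName = Convert.ToString(filterContext.RouteData.Values["action"]);

    // 免验证url数组 — routes that skip the signature check (all entries lower-case).
    string[] exemptRoutes =
    {
        "/account/register",
        "/account/login",
        "/account/logout",
        "/account/sendcode",
        "/account/validcode",
        "/account/updpas",
        "/common/getvalidatecode",
        "/common/appversion",
        "/common/checkvalidatecodestate",
        "/common/savevalidatecodesendrecord",
        "/common/carouselpictures",
        "/common/check_cas_displaystate",
        "/notification/mymessage",
        "/notification/registertoken",
        "/account/sociallogin",
        "/farmerrequirement/publishedforoperatorandbusiness", // requirement list published by farmers (no login)
        "/business/publishedforfarmerbytime",                // requirement list published by businesses (no login)
        //"/common/getdictionaryitems",                      // dictionary children by parent (no login) — disabled
        //"/farmerrequirement/requirementdetail",            // requirement detail (no login) — disabled
        "/question/list",                                    // consultation list (no login)
        "/question/carouselpictures",                        // question list carousel (no login)
        "/question/detail",                                  // question detail (no login)
        "/question/replylist",                               // reply list (no login)
        "/notification/notificationmessage",                 // push notifications
        "/farmerrequirement/returnordermodel",               // order data for the E-Tian integration
        "/operator/acceptorder",                             // order update for the E-Tian integration
        "/operator/replyfarmerrequirement",                  // operator order acceptance (E-Tian)
        "/operator/etcommentrequirement",                    // operator rating of farmer (E-Tian)
        "/account/gettoken",                                 // E-Tian login, returns token
        "/farmerrequirement/commentorderforoperator",        // operator data passed to E-Tian
        "/account/updatefarmerrequirementstate",             // scheduled task
        "/account/updatebusinessrequirementstate",           // scheduled task
        "/operator/cancelfarmerrequirement",                 // operator order cancellation (E-Tian)
        "/common/getmodlist",                                // corn list
        "/common/getmoddatalist",                            // corn price table
        "/common/getcornprices",                             // save corn price json
        "/common/getmodpriceurl",                            // corn data scrape url
    };

    // Invariant lower-casing: the route comparison is an identifier match, not linguistic text.
    string requestPath = ("/" + controllerName + "/" + actionName).ToLowerInvariant();

    // 免过滤列表 — exempt routes return without any signature check.
    if (exemptRoutes.Contains(requestPath)
        || requestPath == "/common/checkdeployment"
        || requestPath == "/common/charu"
        || requestPath.StartsWith("/learningworld/", StringComparison.Ordinal))
    {
        return;
    }

    // 接口协议验证 — protocol verification.
    var form = filterContext.HttpContext.Request.Form;
    string[] formKeys = form.AllKeys;

    // The keys whose values are part of the signed payload. Ordering uses the default string
    // comparer so that it stays identical to what existing clients compute.
    List<string> signedKeys;
    if (requestPath == "/common/uploadpicture")
    {
        // 上传图片接口特殊处理 — picture upload: Pic/Path are excluded as well. The exclusions
        // here are case-sensitive, which is the existing client contract for this endpoint.
        signedKeys = formKeys
            .Where(k => k != "encrypt" && k != "GUserId" && k != "Pic" && k != "Path")
            .OrderBy(k => k)
            .ToList();
    }
    else
    {
        signedKeys = formKeys
            .Where(k => !string.Equals(k, "encrypt", StringComparison.OrdinalIgnoreCase)
                     && !string.Equals(k, "guserid", StringComparison.OrdinalIgnoreCase))
            .OrderBy(k => k)
            .ToList();
    }

    if (signedKeys.Count == 0)
    {
        filterContext.Result = BuildFailResult(ResponseStatusCode.BadRequest,
                                               ResponseStatusCode.BadRequest.GetDescription());
        return;
    }

    // Mandatory protocol fields. NOTE(review): cur_time is only checked for presence here;
    // no freshness window is applied to it in this filter.
    string missingParameterMessage = null;
    if (!formKeys.Contains("Token"))
    {
        missingParameterMessage = "参数Token不能为空!";
    }
    else if (!formKeys.Contains("encrypt"))
    {
        missingParameterMessage = "参数encrypt不能为空!";
    }
    else if (!formKeys.Contains("cur_time"))
    {
        missingParameterMessage = "参数cur_time不能为空!";
    }

    if (missingParameterMessage != null)
    {
        filterContext.Result = BuildFailResult(ResponseStatusCode.NotLogin, missingParameterMessage);
        return;
    }

    // 登陆者id — id of the logged-in user; absent means 0. A malformed value is rejected
    // instead of surfacing as a FormatException.
    long loginUserId;
    if (!long.TryParse(form["GUserId"] ?? "0", out loginUserId))
    {
        filterContext.Result = BuildFailResult(ResponseStatusCode.BadRequest,
                                               ResponseStatusCode.BadRequest.GetDescription());
        return;
    }

    var signatureParts = new List<string>();
    foreach (string key in signedKeys)
    {
        // With a real user id, the server-side LoginToken replaces the client-sent Token value;
        // for 0 / -1 the Token field is signed as an ordinary form value.
        if (key == "Token" && loginUserId != 0 && loginUserId != -1)
        {
            var user = repository.GetByKey(loginUserId);

            // 判断当前用户是否登录 — is the user logged in?
            if (user == null || string.IsNullOrEmpty(user.LoginToken))
            {
                filterContext.Result = BuildFailResult(ResponseStatusCode.NotLogin,
                                                       ResponseStatusCode.NotLogin.GetDescription());
                return;
            }

            if (user.IsDeleted)
            {
                filterContext.Result = BuildFailResult(ResponseStatusCode.UserIsLock,
                                                       ResponseStatusCode.UserIsLock.GetDescription());
                return;
            }

            // 只对手机号码注册用户检测密码设定有效时间 — password age is enforced only for
            // users registered by phone number (Type == 0).
            if (user.Type == 0)
            {
                int validPasswordDays = int.Parse(ConfigHelper.GetAppSetting(DataKey.SaveValidUserPasswordDays));
                // DateTime.Now kept on purpose: LastUpdatePwdTime is presumably stored in local time — verify.
                if (!user.LastUpdatePwdTime.HasValue
                    || (DateTime.Now - user.LastUpdatePwdTime.Value).TotalDays > validPasswordDays)
                {
                    // 提示用户修改密码 — ask the user to change the password.
                    filterContext.Result = BuildFailResult(ResponseStatusCode.PleaseUpdatePassword,
                                                           ResponseStatusCode.PleaseUpdatePassword.GetDescription());
                    return;
                }
            }

            signatureParts.Add(user.LoginToken);
        }
        else
        {
            signatureParts.Add(form[key]);
        }
    }

    // Shared secret appended last; a missing setting contributes nothing, as before.
    signatureParts.Add(System.Configuration.ConfigurationManager.AppSettings["encryptKey"]);
    string signingInput = string.Concat(signatureParts.ToArray()).ToLowerInvariant();

    // 对服务器端token做加密处理 — server-side digest. NOTE(review): MD5 is the agreed
    // client contract for this endpoint family and is kept unchanged here.
    string expectedSignature = Encrypt.MD5EncryptWithoutKey(signingInput);

    // 获取客户端token — digest sent by the client.
    string providedSignature = form["encrypt"];

    // 将服务端token和客户端token进行比较 — compare without leaking how far the strings agree.
    if (!SignaturesMatch(expectedSignature, providedSignature))
    {
        filterContext.Result = BuildFailResult(ResponseStatusCode.LoginoutByOtherDevice,
                                               ResponseStatusCode.LoginoutByOtherDevice.GetDescription());
    }
}

/// <summary>
/// Builds the failure result used by this filter: message, numeric state id and description.
/// </summary>
/// <param name="code">Status code written to <c>responseResult.State.Id</c>.</param>
/// <param name="message">Text used for both the failure message and the state description.</param>
private static AccessFailResult BuildFailResult(ResponseStatusCode code, string message)
{
    var result = new AccessFailResult();
    result.AuthorizedFailedMessage = message;
    result.responseResult.State.Id = (int)code;
    result.responseResult.State.Description = message;
    return result;
}

/// <summary>
/// Case-insensitive, constant-time comparison of two hex digests. Returns false when either
/// side is null. Length is not secret for a fixed-size digest, so a length mismatch may exit early.
/// </summary>
private static bool SignaturesMatch(string expected, string provided)
{
    if (expected == null || provided == null)
    {
        return false;
    }

    string left = expected.ToLowerInvariant();
    string right = provided.ToLowerInvariant();
    if (left.Length != right.Length)
    {
        return false;
    }

    int difference = 0;
    for (int i = 0; i < left.Length; i++)
    {
        difference |= left[i] ^ right[i];
    }
    return difference == 0;
}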
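public override void OnActionExecuting(ActionExecutingContext filterContext)
{
    // Request-signature filter for the E-Tian integration: the request must carry
    // Token / encrypt / cur_time, the Token must map to a live user whose login is still
    // within the configured window, and "encrypt" must equal
    // SHA256(transcode(lower(sorted form values + server-side token + shared key))).
    string controllerName = Convert.ToString(filterContext.RouteData.Values["controller"]);
    string actionName = Convert.ToString(filterContext.RouteData.Values["action"]);
    string requestPath = "/" + controllerName + "/" + actionName;

    // 接口协议验证 — protocol verification.
    var form = filterContext.HttpContext.Request.Form;
    string[] formKeys = form.AllKeys;

    // Keys whose values are part of the signed payload. Ordering uses the default string
    // comparer so that it stays identical to what existing clients compute.
    List<string> signedKeys = formKeys
        .Where(k => !string.Equals(k, "encrypt", StringComparison.OrdinalIgnoreCase)
                 && !string.Equals(k, "guserid", StringComparison.OrdinalIgnoreCase))
        .OrderBy(k => k)
        .ToList();

    if (signedKeys.Count == 0)
    {
        filterContext.Result = BuildFailResult(ResponseStatusCode.BadRequest,
                                               ResponseStatusCode.BadRequest.GetDescription());
        return;
    }

    // Mandatory protocol fields. NOTE(review): cur_time is only checked for presence here;
    // freshness is enforced through the user's LastLoginTime below, not through cur_time.
    string missingParameterMessage = null;
    if (!formKeys.Contains("Token"))
    {
        missingParameterMessage = "参数Token不能为空!";
    }
    else if (!formKeys.Contains("encrypt"))
    {
        missingParameterMessage = "参数encrypt不能为空!";
    }
    else if (!formKeys.Contains("cur_time"))
    {
        missingParameterMessage = "参数cur_time不能为空!";
    }

    if (missingParameterMessage != null)
    {
        filterContext.Result = BuildFailResult(ResponseStatusCode.NotLogin, missingParameterMessage);
        return;
    }

    // Form keys excluded from the payload. Read once (loop-invariant). NOTE(review): the
    // original test is a substring match on the raw setting, kept as-is — confirm whether a
    // delimited list was intended.
    string excludedKeys = System.Configuration.ConfigurationManager.AppSettings["specialstr"] ?? string.Empty;

    var signatureParts = new List<string>();
    foreach (string key in signedKeys)
    {
        if (key == "Token")
        {
            string token = form[key];
            var user = repository.GetByToken(token);

            // 判断当前用户是否登录 — is the user logged in?
            if (user == null || string.IsNullOrEmpty(user.Token))
            {
                filterContext.Result = BuildFailResult(ResponseStatusCode.NotLogin,
                                                       ResponseStatusCode.NotLogin.GetDescription());
                return;
            }

            if (user.IsDeleted)
            {
                filterContext.Result = BuildFailResult(ResponseStatusCode.UserIsLock,
                                                       ResponseStatusCode.UserIsLock.GetDescription());
                return;
            }

            // 检测E田调用接口登录获得Token的时间 — token age limit, configured in minutes
            // (web.config). TotalMinutes is required here: the Minutes component wraps at 60,
            // so a token hours old would otherwise pass the check.
            int validTokenMinutes = int.Parse(ConfigHelper.GetAppSetting(DataKey.ValidLoginToken));
            // DateTime.Now kept on purpose: LastLoginTime is presumably stored in local time — verify.
            if (!user.LastLoginTime.HasValue
                || (DateTime.Now - user.LastLoginTime.Value).TotalMinutes > validTokenMinutes)
            {
                // 提示用户重新登录 — ask the caller to log in again.
                filterContext.Result = BuildFailResult(ResponseStatusCode.PleaseReLogin,
                                                       ResponseStatusCode.PleaseReLogin.GetDescription());
                return;
            }

            signatureParts.Add(user.Token);
        }
        else if (!excludedKeys.Contains(key))
        {
            signatureParts.Add(form[key]);
        }
    }

    // Shared secret appended last; a missing setting contributes nothing, as before.
    signatureParts.Add(System.Configuration.ConfigurationManager.AppSettings["encryptKey"]);
    string signingInput = string.Concat(signatureParts.ToArray()).ToLowerInvariant();
    signingInput = TransferEncoding(Encoding.GetEncoding("iso-8859-1"), Encoding.UTF8, signingInput);

    // Diagnostic log. The signing input itself is never written: it contains the shared
    // key and the user's token. Only the route and the outcome are recorded.
    string logPath = filterContext.HttpContext.Server.MapPath("~/App_Data/Log") + @"\DuPontRequestEtLog";
    string logHeader = DateTime.Now.ToString("\r\n---------MM/dd/yyyy HH:mm:ss,fff---------\r\n") + "安全验证加密对比";
    IOHelper.WriteLogToFile(logHeader + " " + requestPath, logPath);

    // 对服务器端token做加密处理 — server-side digest.
    string expectedSignature = new Encrypt().SHA256_Encrypt(signingInput);

    // 获取客户端token — digest sent by the client.
    string providedSignature = form["encrypt"];

    // 将服务端token和客户端token进行比较 — compare without leaking how far the strings agree.
    if (!SignaturesMatch(expectedSignature, providedSignature))
    {
        IOHelper.WriteLogToFile(logHeader + " 将服务端token和客户端token进行比较: 不一致 " + requestPath, logPath);
        filterContext.Result = BuildFailResult(ResponseStatusCode.BadRequest,
                                               ResponseStatusCode.BadRequest.GetDescription());
    }
}

/// <summary>
/// Builds the failure result used by this filter: message, numeric state id and description.
/// </summary>
/// <param name="code">Status code written to <c>responseResult.State.Id</c>.</param>
/// <param name="message">Text used for both the failure message and the state description.</param>
private static AccessFailResult BuildFailResult(ResponseStatusCode code, string message)
{
    var result = new AccessFailResult();
    result.AuthorizedFailedMessage = message;
    result.responseResult.State.Id = (int)code;
    result.responseResult.State.Description = message;
    return result;
}

/// <summary>
/// Case-insensitive, constant-time comparison of two hex digests. Returns false when either
/// side is null. Length is not secret for a fixed-size digest, so a length mismatch may exit early.
/// </summary>
private static bool SignaturesMatch(string expected, string provided)
{
    if (expected == null || provided == null)
    {
        return false;
    }

    string left = expected.ToLowerInvariant();
    string right = provided.ToLowerInvariant();
    if (left.Length != right.Length)
    {
        return false;
    }

    int difference = 0;
    for (int i = 0; i < left.Length; i++)
    {
        difference |= left[i] ^ right[i];
    }
    return difference == 0;
}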