微软官方参考文档
ASP.NET Web API 中的身份验证和授权
https://docs.microsoft.com/zh-cn/aspnet/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api
ASP.NET Web API 2 中的身份验证筛选器
https://docs.microsoft.com/zh-cn/aspnet/web-api/overview/security/authentication-filters
AuthorizeAttribute过滤器执行顺序:
重写AuthorizeAttribute实现请求拦截
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Web;
using System.Web.Http;
using System.Web.Http.Controllers;
using WebApi_Gdd_Performance_Reward.Model.Common;
using WebApi_Gdd_Performance_Reward.Model.View;
namespace WebApi_Gdd_Performance_Reward.Models
{
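/// <summary>
/// Login filter.
/// Rejects a request unless it carries an <c>Authorization: Bearer &lt;token&gt;</c> header whose
/// token decrypts (via <c>DESEncryptionHelper.DecryptDES</c>) to a JSON-serialised <c>AdminView</c>
/// that has not yet expired.
/// </summary>
public sealed class LoginFilter : AuthorizeAttribute
{
    // Key under which IsAuthorized records the failure reason for HandleUnauthorizedRequest.
    // Request.Properties is used instead of the request headers so a client cannot pre-populate
    // the value (a client-supplied "errorMsg" header was previously read back first and echoed
    // into the 401 body).
    private const string ErrorMessageKey = "LoginFilter.ErrorMessage";

    // Body returned when authorization failed but no specific reason was recorded.
    private const string DefaultErrorMessage = "此用户无权访问该操作";

    // IsAuthorized runs first; HandleUnauthorizedRequest is only invoked when it returns false.
    /// <summary>
    /// Validates the bearer token on the incoming request.
    /// </summary>
    /// <param name="actionContext">Context of the action being authorized; its request is inspected.</param>
    /// <returns><c>true</c> when the token decrypts to an unexpired <c>AdminView</c>; otherwise <c>false</c>,
    /// with the reason stored in <c>Request.Properties</c> for the 401 response.</returns>
    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        AuthenticationHeaderValue authorization = actionContext.Request.Headers.Authorization;
        if (authorization == null)
        {
            return Reject(actionContext, "无效身份,请设置Authorization请求头");
        }

        // Case-sensitive on purpose: matches the message shown to callers, which asks for "Bearer".
        if (!string.Equals(authorization.Scheme, "Bearer", StringComparison.Ordinal))
        {
            return Reject(actionContext, "无效身份,请确保Authorization请求头值中以Bearer开头,格式:“Bearer KLeZicALNZcTK5cOmYkoQ7yHgegeeNEH5Btg1hGoM+XtP/u3dSoiM+ziNBSwQeXWHLxsTp”");
        }

        string token = authorization.Parameter;
        if (string.IsNullOrWhiteSpace(token))
        {
            return Reject(actionContext, "没有检出登录用户");
        }

        // NOTE(review): the token is a DES-encrypted JSON blob with no integrity tag, so its
        // trustworthiness rests entirely on the secrecy of the DES key; a signed token format
        // would be the stronger design.
        AdminView admin;
        try
        {
            string json = DESEncryptionHelper.DecryptDES(token);
            admin = Newtonsoft.Json.JsonConvert.DeserializeObject<AdminView>(json);
        }
        catch (Exception)
        {
            // The token is untrusted input: a malformed or tampered value must yield 401,
            // not an unhandled exception (500). The helper's exception types are not visible
            // here, so the catch is deliberately broad.
            return Reject(actionContext, "没有检出登录用户");
        }

        if (admin == null)
        {
            return Reject(actionContext, "没有检出登录用户");
        }

        // ExpirationTime's type is not visible here; Convert.ToDateTime parses with the current
        // culture when it is a string, and throws on garbage — treat that as an expired login.
        DateTime expiration;
        try
        {
            expiration = Convert.ToDateTime(admin.ExpirationTime);
        }
        catch (Exception)
        {
            return Reject(actionContext, "登录失效,请重新登录");
        }

        // Compared against local time, so the issuer must stamp ExpirationTime with the same
        // clock/time zone — TODO confirm; UtcNow on both sides would remove the ambiguity.
        if (expiration < DateTime.Now)
        {
            return Reject(actionContext, "登录失效,请重新登录");
        }

        return true;
    }

    /// <summary>
    /// Builds the 401 response for a request that failed <see cref="IsAuthorized"/>.
    /// A response is always set: leaving <c>actionContext.Response</c> null would let the
    /// action execute despite the failed authorization check.
    /// </summary>
    /// <param name="actionContext">Context whose response is replaced with the 401.</param>
    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        string msg = DefaultErrorMessage;
        object stored;
        if (actionContext.Request.Properties.TryGetValue(ErrorMessageKey, out stored))
        {
            string recorded = stored as string;
            if (!string.IsNullOrWhiteSpace(recorded))
            {
                msg = recorded;
            }
        }

        var response = new HttpResponseMessage(System.Net.HttpStatusCode.Unauthorized)
        {
            Content = new StringContent(msg)
        };
        actionContext.Response = response;
    }

    // Records the failure reason on the request and returns false so callers can `return Reject(...)`.
    private static bool Reject(HttpActionContext actionContext, string message)
    {
        actionContext.Request.Properties[ErrorMessageKey] = message;
        return false;
    }
}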
}
控制器方法:
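/// <summary>
/// Adds a new user.
/// </summary>
/// <param name="user">User to create, bound from the JSON request body; null when the body is missing or unparseable.</param>
/// <returns>The result of <c>userBusiness.AddAsync</c> serialised as JSON, or 400 when no user was supplied.</returns>
/// Added 2020-11-2 17:08:18
[HttpPost]
[LoginFilter]
public async Task<IHttpActionResult> Add([FromBody] Users user)
{
    // [FromBody] yields null for an empty or malformed body; reject it here rather than
    // letting the business layer dereference a null argument.
    if (user == null)
    {
        return BadRequest("请求体不能为空");
    }

    // CurrentLoginUser is defined on the enclosing controller (outside this view);
    // presumably it is derived from the bearer token validated by LoginFilter — verify.
    var result = await userBusiness.AddAsync(user, CurrentLoginUser);
    return Json(result);
}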