ASP.NET MVC SSO單點登入設計與實現(轉發)(待續)
阿新 • • 發佈:2020-09-03
原文:https://www.cnblogs.com/smartbooks/p/3800849.html
實驗環境配置
HOST檔案配置如下:
127.0.0.1 app.com
127.0.0.1 sso.com
IIS配置如下:
應用程式池採用.Net Framework 4.0
注意IIS繫結的域名,兩個完全不同域的域名。
app.com網站配置如下:
sso.com網站配置如下:
memcached快取:
資料庫配置:
資料庫採用EntityFramework6.0.0,首次執行會自動建立相應的資料庫和表結構。
授權驗證過程演示:
在瀏覽器位址列中訪問:http://app.com,如果使用者還未登陸則網站會自動重定向至:http://sso.com/passport,同時通過QueryString傳引數的方式將對應的AppKey應用標識傳遞過來,執行截圖如下:
URL地址:http://sso.com/passport?appkey=670b14728ad9902aecba32e22fa4f6bd&username=
輸入正確的登陸賬號和密碼後,點選登陸按鈕系統自動301重定向至應用會掉首頁,毀掉成功後如下所示:
由於在不同的域下進行SSO授權登陸,所以採用QueryString方式返回授權標識。同域網站下可採用Cookie方式。由於301重定向請求是由瀏覽器傳送的,所以在如果授權標識放入Handers中的話,瀏覽器重定向的時候會丟失。重定向成功後,程式自動將授權標識寫入到Cookie中,點選其他頁面地址時,URL位址列中將不再會看到授權標示資訊。Cookie設定如下:
登陸成功後的後續授權驗證(訪問其他需要授權訪問的頁面):
校驗地址:http://sso.com/api/passport?sessionkey=xxxxxx&remark=xxxxxx
返回結果:true,false
客戶端可以根據實際業務情況,選擇提示使用者授權已丟失,需要重新獲得授權。預設自動重定向至SSO登陸頁面,即:http://sso.com/passport?appkey=670b14728ad9902aecba32e22fa4f6bd&[email protected] 同時登陸頁面郵箱地址文字框會自定補全使用者的登陸賬號,使用者只需輸入登陸密碼即可,授權成功後會話有效期自動延長一年時間。
SSO資料庫驗證日誌:
使用者授權驗證日誌:
使用者授權會話Session:
資料庫使用者賬號和應用資訊:
應用授權登陸驗證頁面核心程式碼:
1 /// <summary>
2 /// 公鑰:AppKey
3 /// 私鑰:AppSecret
4 /// 會話:SessionKey
5 /// </summary>
6 public class PassportController : Controller
7 {
8 private readonly IAppInfoService _appInfoService = new AppInfoService();
9 private readonly IAppUserService _appUserService = new AppUserService();
10 private readonly IUserAuthSessionService _authSessionService = new UserAuthSessionService();
11 private readonly IUserAuthOperateService _userAuthOperateService = new UserAuthOperateService();
12
13 private const string AppInfo = "AppInfo";
14 private const string SessionKey = "SessionKey";
15 private const string SessionUserName = "SessionUserName";
16
17 //預設登入介面
18 public ActionResult Index(string appKey = "", string username = "")
19 {
20 TempData[AppInfo] = _appInfoService.Get(appKey);
21
22 var viewModel = new PassportLoginRequest
23 {
24 AppKey = appKey,
25 UserName = username
26 };
27
28 return View(viewModel);
29 }
30
31 //授權登入
32 [HttpPost]
33 public ActionResult Index(PassportLoginRequest model)
34 {
35 //獲取應用資訊
36 var appInfo = _appInfoService.Get(model.AppKey);
37 if (appInfo == null)
38 {
39 //應用不存在
40 return View(model);
41 }
42
43 TempData[AppInfo] = appInfo;
44
45 if (ModelState.IsValid == false)
46 {
47 //實體驗證失敗
48 return View(model);
49 }
50
51 //過濾欄位無效字元
52 model.Trim();
53
54 //獲取使用者資訊
55 var userInfo = _appUserService.Get(model.UserName);
56 if (userInfo == null)
57 {
58 //使用者不存在
59 return View(model);
60 }
61
62 if (userInfo.UserPwd != model.Password.ToMd5())
63 {
64 //密碼不正確
65 return View(model);
66 }
67
68 //獲取當前未到期的Session
69 var currentSession = _authSessionService.ExistsByValid(appInfo.AppKey, userInfo.UserName);
70 if (currentSession == null)
71 {
72 //構建Session
73 currentSession = new UserAuthSession
74 {
75 AppKey = appInfo.AppKey,
76 CreateTime = DateTime.Now,
77 InvalidTime = DateTime.Now.AddYears(1),
78 IpAddress = Request.UserHostAddress,
79 SessionKey = Guid.NewGuid().ToString().ToMd5(),
80 UserName = userInfo.UserName
81 };
82
83 //建立Session
84 _authSessionService.Create(currentSession);
85 }
86 else
87 {
88 //延長有效期,預設一年
89 _authSessionService.ExtendValid(currentSession.SessionKey);
90 }
91
92 //記錄使用者授權日誌
93 _userAuthOperateService.Create(new UserAuthOperate
94 {
95 CreateTime = DateTime.Now,
96 IpAddress = Request.UserHostAddress,
97 Remark = string.Format("{0} 登入 {1} 授權成功", currentSession.UserName, appInfo.Title),
98 SessionKey = currentSession.SessionKey
99 }); 104
105 var redirectUrl = string.Format("{0}?SessionKey={1}&SessionUserName={2}",
106 appInfo.ReturnUrl,
107 currentSession.SessionKey,
108 userInfo.UserName);
109
110 //跳轉預設回撥頁面
111 return Redirect(redirectUrl);
112 }
113 }
Memcached會話標識驗證核心程式碼:
public class PassportController : ApiController
{
private readonly IUserAuthSessionService _authSessionService = new UserAuthSessionService();
private readonly IUserAuthOperateService _userAuthOperateService = new UserAuthOperateService();
public bool Get(string sessionKey = "", string remark = "")
{
if (_authSessionService.GetCache(sessionKey))
{
_userAuthOperateService.Create(new UserAuthOperate
{
CreateTime = DateTime.Now,
IpAddress = Request.RequestUri.Host,
Remark = string.Format("驗證成功-{0}", remark),
SessionKey = sessionKey
});
return true;
}
_userAuthOperateService.Create(new UserAuthOperate
{
CreateTime = DateTime.Now,
IpAddress = Request.RequestUri.Host,
Remark = string.Format("驗證失敗-{0}", remark),
SessionKey = sessionKey
});
return false;
}
}
Client授權驗證Filters Attribute
public class SSOAuthAttribute : ActionFilterAttribute
{
public const string SessionKey = "SessionKey";
public const string SessionUserName = "SessionUserName";
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
var cookieSessionkey = "";
var cookieSessionUserName = "";
//SessionKey by QueryString
if (filterContext.HttpContext.Request.QueryString[SessionKey] != null)
{
cookieSessionkey = filterContext.HttpContext.Request.QueryString[SessionKey];
filterContext.HttpContext.Response.Cookies.Add(new HttpCookie(SessionKey, cookieSessionkey));
}
//SessionUserName by QueryString
if (filterContext.HttpContext.Request.QueryString[SessionUserName] != null)
{
cookieSessionUserName = filterContext.HttpContext.Request.QueryString[SessionUserName];
filterContext.HttpContext.Response.Cookies.Add(new HttpCookie(SessionUserName, cookieSessionUserName));
}
//從Cookie讀取SessionKey
if (filterContext.HttpContext.Request.Cookies[SessionKey] != null)
{
cookieSessionkey = filterContext.HttpContext.Request.Cookies[SessionKey].Value;
}
//從Cookie讀取SessionUserName
if (filterContext.HttpContext.Request.Cookies[SessionUserName] != null)
{
cookieSessionUserName = filterContext.HttpContext.Request.Cookies[SessionUserName].Value;
}
if (string.IsNullOrEmpty(cookieSessionkey) || string.IsNullOrEmpty(cookieSessionUserName))
{
//直接登入
filterContext.Result = SsoLoginResult(cookieSessionUserName);
}
else
{
//驗證
if (CheckLogin(cookieSessionkey, filterContext.HttpContext.Request.RawUrl) == false)
{
//會話丟失,跳轉到登入頁面
filterContext.Result = SsoLoginResult(cookieSessionUserName);
}
}
base.OnActionExecuting(filterContext);
}
public static bool CheckLogin(string sessionKey, string remark = "")
{
var httpClient = new HttpClient
{
BaseAddress = new Uri(ConfigurationManager.AppSettings["SSOPassport"])
};
var requestUri = string.Format("api/Passport?sessionKey={0}&remark={1}", sessionKey, remark);
try
{
var resp = httpClient.GetAsync(requestUri).Result;
resp.EnsureSuccessStatusCode();
return resp.Content.ReadAsAsync<bool>().Result;
}
catch (Exception ex)
{
throw ex;
}
}
private static ActionResult SsoLoginResult(string username)
{
return new RedirectResult(string.Format("{0}/passport?appkey={1}&username={2}",
ConfigurationManager.AppSettings["SSOPassport"],
ConfigurationManager.AppSettings["SSOAppKey"],
username));
}
}
示例SSO驗證特性使用方法:
[SSOAuth]
public class HomeController : Controller
{
public ActionResult Index()
{
return View();
}
public ActionResult About()
{
ViewBag.Message = "Your application description page.";
return View();
}
public ActionResult Contact()
{
ViewBag.Message = "Your contact page.";
return View();
}
}
總結:
從草稿示例程式碼中可以看到程式碼效能上還有很多優化的地方,還有SSO應用授權登陸頁面的使用者賬號不存在、密碼錯誤等一系列的提示資訊等。在業務程式碼執行基本正確的後期,可以考慮往更多的安全性層面優化,比如啟用AppSecret私鑰簽名驗證,IP範圍驗證,固定會話請求攻擊、SSO授權登陸介面的驗證碼、會話快取自動重建、SSo伺服器、快取的水平擴充套件等。
原始碼地址:https://github.com/smartbooks/SmartSSO