
asp.net 的認證 (authentication) 和授權 (authorization)

1. authorization 是用過的,用於判斷訪問 webapi 時是否有訪問許可權。

在預設管道模型的 Module 裡,有 3 個認證 (authentication) 和 2 個授權 (authorization) 的 Module:

 <httpModules>
            <add name="OutputCache" type="System.Web.Caching.OutputCacheModule" />
            <add name="Session" type="System.Web.SessionState.SessionStateModule" />
            <!-- The three authentication modules: each one establishes the request's identity. -->
            <add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule" />
            <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
            <add name="PassportAuthentication" type="System.Web.Security.PassportAuthenticationModule" />


            <!-- RoleManager supplies role information; it is listed here but is not itself one of the two authorization modules. -->
            <add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
            <!-- The two authorization modules: one checks access by URL, the other by file ACL. -->
            <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
            <add name="FileAuthorization" type="System.Web.Security.FileAuthorizationModule" />

            <add name="AnonymousIdentification" type="System.Web.Security.AnonymousIdentificationModule" />
            <add name="Profile" type="System.Web.Profile.ProfileModule" />
            <add name="ErrorHandlerModule" type="System.Web.Mobile.ErrorHandlerModule, System.Web.Mobile, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
            <add name="ServiceModel" type="System.ServiceModel.Activation.HttpModule, System.ServiceModel.Activation, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
            <add name="UrlRoutingModule-4.0" type="System.Web.Routing.UrlRoutingModule" />
            <add name="ScriptModule-4.0" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>

        </httpModules>

看看原始碼是什麼……待續

關於Authorization,在Webapi裡用的是Basic授權

  public class BasicAuthorize : AuthorizeAttribute
    {
        public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
        {

在MVC中是

   [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true)]
    public class AuthorityFilterAttribute : AuthorizeAttribute
    {
        /// <summary>
        /// 未登入時返還的地址
        /// </summary>
        private string _LoginPath = "";
        public AuthorityFilterAttribute()
        {
            this._LoginPath = "/Fourth/Login";
        }

        public AuthorityFilterAttribute(string loginPath)
        {
            this._LoginPath = loginPath;
        }
        /// <summary>
        /// 檢查使用者登入
        /// </summary>
        /// <param name="filterContext"></param>
        public override void OnAuthorization(AuthorizationContext filterContext)
        {

兩個 Authorization 名字一樣,甚至好些方法、欄位也一樣,卻是不一樣的東西:一個屬於 Web API (System.Web.Http),另一個屬於 MVC。


補充一個細節:上圖右半部分可以看到 OnAuthorization 這個方法是用 override 修飾的,它的父類如下,這沒問題。


1. 我們寫的程式碼直接就 override 了。這裡本身就是 override 的方法,直接 override 就行。相當於:你重寫了別人的方法,就預設允許別人再重寫你的,除非加上 sealed。

2.override 只能用在虛方法或抽象方法的繼承上

另外,MVC 的執行順序是:先到 controller 的建構函式,然後是 Authorization 的判斷執行,之後才是 Action 的執行。

這個在 ControllerActionInvoker 的 InvokeAction 方法中可以清楚地看到。

/// <summary>Invokes the specified action by using the specified controller context.</summary>
	/// <returns>The result of executing the action.</returns>
	/// <param name="controllerContext">The controller context.</param>
	/// <param name="actionName">The name of the action to invoke.</param>
	/// <exception cref="T:System.ArgumentNullException">The <paramref name="controllerContext" /> parameter is null.</exception>
	/// <exception cref="T:System.ArgumentException">The <paramref name="actionName" /> parameter is null or empty.</exception>
	/// <exception cref="T:System.Threading.ThreadAbortException">The thread was aborted during invocation of the action.</exception>
	/// <exception cref="T:System.Exception">An unspecified error occurred during invocation of the action.</exception>
	public virtual bool InvokeAction(ControllerContext controllerContext, string actionName)
	{
		if (controllerContext == null)
		{
			throw new ArgumentNullException("controllerContext");
		}
		// An empty action name is tolerated only when the route data carries a direct route match
		// (presumably attribute routing); otherwise it is an argument error.
		if (string.IsNullOrEmpty(actionName) && !controllerContext.RouteData.HasDirectRouteMatch())
		{
			throw new ArgumentException(MvcResources.Common_NullOrEmpty, "actionName");
		}
		ControllerDescriptor controllerDescriptor = this.GetControllerDescriptor(controllerContext);
		ActionDescriptor actionDescriptor = this.FindAction(controllerContext, controllerDescriptor, actionName);
		if (actionDescriptor != null)
		{
			// Every filter kind for this action is resolved once, before any filter runs.
			FilterInfo filters = this.GetFilters(controllerContext, actionDescriptor);
			try
			{
				// Pipeline order: authentication filters run first. A non-null Result here
				// short-circuits everything below (authorization, request validation, the action).
				AuthenticationContext authenticationContext = this.InvokeAuthenticationFilters(controllerContext, filters.AuthenticationFilters, actionDescriptor);
				if (authenticationContext.Result != null)
				{
					// The challenge step lets the authentication filters substitute a different
					// result before it is executed; the original result is used if they do not.
					AuthenticationChallengeContext authenticationChallengeContext = this.InvokeAuthenticationFiltersChallenge(controllerContext, filters.AuthenticationFilters, actionDescriptor, authenticationContext.Result);
					this.InvokeActionResult(controllerContext, authenticationChallengeContext.Result ?? authenticationContext.Result);
				}
				else
				{
					// Authorization filters (e.g. an AuthorizeAttribute's OnAuthorization) run only after
					// authentication produced no result. A non-null Result again skips the action.
					AuthorizationContext authorizationContext = this.InvokeAuthorizationFilters(controllerContext, filters.AuthorizationFilters, actionDescriptor);
					if (authorizationContext.Result != null)
					{
						// An authorization failure is still routed through the authentication challenge step.
						AuthenticationChallengeContext authenticationChallengeContext2 = this.InvokeAuthenticationFiltersChallenge(controllerContext, filters.AuthenticationFilters, actionDescriptor, authorizationContext.Result);
						this.InvokeActionResult(controllerContext, authenticationChallengeContext2.Result ?? authorizationContext.Result);
					}
					else
					{
						// Request validation runs only after authorization passed and before parameters are bound.
						if (controllerContext.Controller.ValidateRequest)
						{
							ControllerActionInvoker.ValidateRequest(controllerContext);
						}
						// Parameter binding, then the action wrapped in action filters, then result filters.
						IDictionary<string, object> parameterValues = this.GetParameterValues(controllerContext, actionDescriptor);
						ActionExecutedContext actionExecutedContext = this.InvokeActionMethodWithFilters(controllerContext, filters.ActionFilters, actionDescriptor, parameterValues);
						// The challenge step also sees the action's own result, so it can be replaced here too.
						AuthenticationChallengeContext authenticationChallengeContext3 = this.InvokeAuthenticationFiltersChallenge(controllerContext, filters.AuthenticationFilters, actionDescriptor, actionExecutedContext.Result);
						this.InvokeActionResultWithFilters(controllerContext, filters.ResultFilters, authenticationChallengeContext3.Result ?? actionExecutedContext.Result);
					}
				}
			}
			catch (ThreadAbortException)
			{
				// Rethrown untouched so it is never handed to the exception filters below.
				throw;
			}
			catch (Exception exception)
			{
				// Exception filters get a chance to handle the failure; if none marks it handled,
				// the bare `throw;` propagates it with the original stack trace intact.
				ExceptionContext exceptionContext = this.InvokeExceptionFilters(controllerContext, filters.ExceptionFilters, exception);
				if (!exceptionContext.ExceptionHandled)
				{
					throw;
				}
				this.InvokeActionResult(controllerContext, exceptionContext.Result);
			}
			return true;
		}
		// No matching action: nothing above has run, and the caller is told so.
		return false;
	}