課程代碼課件45-webapi專題3登陸驗(yàn)證四種方式

第一種：FORM驗(yàn)證（若在ASP.NET應(yīng)用程序使用，則該驗(yàn)證方式不支持跨域，因?yàn)?定義一個FormAuthenticationFil ttribute，該類繼承自AuthorizationFil 1using2using3using4using5using6using7using8using9usingusingusingusingusingusingnamespace{publicclassFormAuthenticationFilttribute:AuthorizationFil{privateconststringUnauthorizedMessage="請求未，。publicoverridevoid{if>{}if(HttpContext.Current.User!=null&&{}vars=actionContext.Request.Headers.Getif(s==null||s.Count<{actionContext.Response=new{Content=newStringContent(UnauthorizedMessage,Encoding.UTF8)}FormsAuthenticationTicketticket=GetTicket(if(ticket=={actionContext.Response=new{Content=newStringContent(UnauthorizedMessage,Encoding.UTF8)}varprincipal=newGenericPrincipal(newFormsIdentity(ticket),HttpContext.Current.User=Thread.CurrentPrincipal=}privateFormsAuthenticationTicketGetTicket(Collection<HeaderValue>{FormsAuthenticationTicketticket=foreach(varitemin{var=item.s.SingleOrDefault(c=>c.Nameif(!={ticket=FormsAuthentication.Decrypt(}}return}}}在需要認(rèn)證后才能的Controller中類或ACTION方法上添加上述過濾器 1using2using3using4using5using6using7using8using9using10namespace11{12publicclassTestController:{13publicHttpResponseMessageLogin(stringuname,string{if parison.OrdinalIgnoreCase)&&{FormsAuthenticationTicketticket=newFormsAuthenticationTicket(1,uname,DateTime.Now.AddMinutes(30),false,stringauthTicket=9//為Http=newHttp(FormsAuthentication.FormsName,20.Path=FormsAuthentication.FormsPath; 2122//FormsAuthentication.SetAuth(uname,false,23returnRequest.CreateResponse(HttpStatusCode.OK,}24{25ame){Expires=DateTime.Now.AddDays(-10)});//測試用：當(dāng)?shù)卿浭r，清除可能存在的驗(yàn)證26returnRequest.CreateErrorResponse(HttpStatusCode.NotFound,"登錄失敗，無效的用戶名或27}28}29//GETpublicIEnumerable<string>30{returnnewstring[]{"value1","value2"31}3//GET233publicstringGetValue(int{return34}}35}363738394044748495055758若成功調(diào)用Login方法后（），再 來調(diào)用Api的相關(guān)方法，示例代碼如下1publicasyncstaticvoid2{3HttpHandlerhandler=newHttp4handler.Uses=true;//因?yàn)椴捎肍orm驗(yàn)證，所以需要使用記錄登錄信56 =newHttp789varresponse=awaitvarr=await ine("StatusCode:{0}",if{Console.Wriine("Msg:{1}",response.StatusCode,} ine("Msg:{1}",response.StatusCode,vargetshandler.Container.Gets(newUri("Console.Wriine("獲取到的數(shù)量："+get for(inti=0;i<gets.Count;{Console.Wriine(gets[i].Name+":"}response=varr2=awaitforeach(stringitemin{Console.Wriine("GetValues-ItemValue:{0}",}response=varr3=awaitConsole.Wriine("GetValue-ItemValue:{0}",}如果WebApi作為ASP.NET或MVC的一部份使用，那么完全可以采用基于默認(rèn)的FORM驗(yàn)證特ASP.NETMVC的FORM驗(yàn)證1<authentication2然后在需要認(rèn)證后才能的Controller中類或ACTION方法上添加Authorize特性，Controller與上文相同WEB.CONFIG中配置：12<deny3最后將WEBAPI寄宿到（或者說發(fā)布到）IIS，且需要在IIS中啟用WINDOWS驗(yàn)證，如下圖示這樣就完成了該驗(yàn)證模式（理論上WEB服務(wù)、WCF若都以IIS為宿主，都可以采用集成WINDOWS驗(yàn)證 來調(diào)用WEBAPI，示例代碼如下1publicasyncstaticvoid2{3HttpHandler=new45handler.Options67=newNetworkCredential("admin", 89Http=newHttpvarresponse=varr2=foreach(stringitemin{Console.Wriine("GetValues-Value:{0}",}response=varr3=awaitConsole.Wriine("GetValue-Item}定義一個繼承自AuthorizationFil 1using2using3using4using5using6using7using8using9using10usingusing11namespace12{publicclassHttpBasicAuthenticationFilter:AuthorizationFil{publicoverridevoidOnAuthorization(System.Web.Http.Controllers.HttpActionContext{{}if(Thread.CurrentPrincipal!=null&&8{}stringauthParameter=varauthValue=actionContext.Request.Headers.Authorization;if(authValue!=null&&authValue.Scheme=="Basic"){authParameterauthValue.Parameter;//authparameter:Base64編碼的（碼}425if{2627}28authParameter=29varauthToken=if(authToken.Length<30{3}if(!ValidateUser(authToken[0],{}varprincipal=newGenericPrincipal(newGenericIdentity(authToken[0]),Thread.CurrentPrincipal=if(HttpContext.Current!=3{7HttpContext.Current.User=38}39}40privatevoidChallenge(HttpActionContext4{varhost=actionContext.Response=actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized,請求未，。//actionContext.Response.Headers.Add("WWW-Authenticatestring.Format("Basicrealm=\"{0}\"",ing.Format("realm=\"{0}\"",}protectedvirtualboolValidateUser(stringuserName,string474{if(userName.Equals("admin", parison.OrdinalIgnoreCase)&&password.Equals("api.admin"))//判斷用戶名及，實(shí)際可從數(shù)據(jù)庫查詢驗(yàn)證,可重寫{8return4}9return50}5}1}5253545556575859606676869707172737475767778798088788在需要認(rèn)證后才能的Controller中類或ACTION方法上添加上述定義的 來調(diào)用WEBAPI，示例代碼如下1publicasyncstaticvoid2{3 =newHttp4.DefaultRequestHeaders.Authorization=CreateBasicHeader("admin",56varresponse=await7varr2=await8foreach(stringitemin9{Console.Wriine("GetValues-ItemValue:{0}",}response=awaitvarr3=awaitConsole.Wriine("GetValue-ItemValue:{0}",}publicstaticAuthenticationHeaderValueCreateBasicHeader(stringusername,string{returnnewusername,}實(shí)現(xiàn)Basic基礎(chǔ)認(rèn)證，除了通過繼承自AuthorizationFil ttribute來實(shí)現(xiàn)自定義的驗(yàn)證過濾器外，還可以通過繼承自DelegatingHandler來實(shí)現(xiàn)自定義的消息處理管道類，具體的實(shí)現(xiàn)方式可參見園子里的這篇文章： 1using2using3using4using5using6using7using8using9usingusingusingnamespace{publicclassHttpDigestAuthenticationHandler:{protectedasyncoverrideTask<HttpResponseMessage>SendAsync(HttpRequestMessageCancellationToken{{HttpRequestHeadersheaders=if(headers.Authorization!={Headerheader=newif(Nonce.IsValid(header.Nonce,{stringpassword if {password"api.admin";//}#region計(jì)算正確的可的Hashstringha1=String.Format("{0}:{1}:{2}",header.UserName,stringha2=String.Format("{0}:{1}",stringcomputedResponse=ha1,header.Nonce,once,"auth",if pareOrdinal(header.Response,computedResponse0較請求的Hash值與正確的可的Hash值是否相同，相則則表示驗(yàn)證通過，否則失{//digestcomputedmatchesthevaluesentbyinthe//Lookslikeanauthentic!Createa varclaims=new newClaim(ClaimTypes.Name, new ClaimsPrincipalprincipal=newClaimsPrincipal(new[]{ClaimsIdentity(claims,"Digest") Thread.CurrentPrincipal= if(HttpContext.Current!= HttpContext.Current.User=var=newGenericPrincipal(newGenericIdentity(header.UserName),Thread.CurrentPrincipal=if(HttpContext.Current!={HttpContext.Current.User=}}}}HttpResponseMessageresponse=awaitbase.SendAsync(request,if(response.StatusCode=={response.Headers.WwwAuthenticate.Add(new}return}catch{varresponse=return}}}publicclass{publicHeader(){publicHeader(stringheader,string{stringkeyValuePairs=header.Rece("\"",foreach(stringkeyValuePairin{intindex= stringkey=keyValuePair.Substring(0,stringvalue=keyValuePair.Substring(index+switch{case"username":this.UserName=value;case"realm":this.Realm=value;case"nonce":this.Nonce=value;case"uri":this.Uri=value;case"nc":this.NounceCounter=value;case once=value;case"response":this.Response=value;case"method":this.Method=value;}}ifthis.Method=}publicstringCnonce{get;privateset;publicstringNonce{get;privateset;publicstringRealm{get;privateset;publicstringUserName{get;privateset;publicstringUri{get;privateset;publicstringResponse{get;privateset;publicstringMethod{get;privateset;publicstringNounceCounter{get;privateset;//Thispropertyisusedbythehandlertogenerate//nonceandgetitreadytobepackagedin//WWW-Authenticateheader,aspartof401publicstaticHeaderGetUnauthorizedResponseHeader(HttpRequestMessage{varhost=returnnew{Realm=Nonce=}publicoverridestring{StringBuilderheader=newheader.AppendFormat(",qop=\"{0}\"",return}}publicclass{privatestaticConcurrentDictionary<string,Tuple<int,nonces=newConcurrentDictionary<string,Tuple<int,publicstaticstring{byte[]bytes=newusing(varrngProvider=new{}stringnonce=nonces.TryAdd(nonce,newTuple<int,DateTime>(0,return}publicstaticboolIsValid(stringnonce,string{Tuple<int,DateTime>cachedNonce=//nonces.TryGetValue(nonce,outnonces.TryRemove(nonceoutcachedNonce);//nonceif(cachedNonce!=null)//nonceis{//noncecountisgreaterthantheoneinif(Int32.Parse(nonceCount)>{//noncehasnotexpiredif(cachedNonce.Item2>{//updatethedictionarytoreflectthenoncecountjustreceivedthis//nonces[nonce]=newTuple<int,//Everythinglooksok-servernonceisfreshandnoncecountseems//incremented.Doesnotlooklikerereturn}}}return}}}1using2using3using45namespace6{7publicstaticclass8{9publicstaticstringToMD5Ha