ASP.NET MVC 基于页面的权限管理
2015-07-06 23:04
746 查看
ASP.NET MVC 中运用AOP的思想(Filter)来实现页面级别的权限。在每个页面里,我们再去管理更小级别的权限。
1.Models
1)PermissionItem
包含两个方法,获取所有权限列表并缓存,获取用户权限并缓存。
继承自AuthorizeAttribute,重写其OnAuthorization方法,实现AOP。
1)访问:http://localhost:5598/Home/Page1,结果:You have no permission to access this page.
2)访问:http://localhost:5598/Home/Page2,结果:Page2
3)访问:http://localhost:5598/Home/Page3,结果:Page3
4)访问:http://localhost:5598/Home/Page4,结果:You have no permission to access this page.
5)访问:http://localhost:5598/Home/Page5,结果:Page5
6)访问:http://localhost:5598/Home/Page6,结果:The page you want to access has not been configed permission.
具体逻辑请参照代码进行推理。(UserID =1 的用户有2,3权限,而2,3权限可以看2,3,5页面,所以,只有访问2,3,5才是合法的,其他都是非法,Page6没有配置,也是非法的,只是返回的错误信息不同。)
备注:这个做法是源于看过的博客园里面一个仁兄的做法写的,忘记文章链接了,在此表示感谢。
1.Models
1)PermissionItem
namespace AspNetMvcAuthDemo1.Models
{
public class PermissionItem
{
public int ID { set; get; }
public int PermissionID { set; get; }
public string Name { set; get; }
public string Route { set; get; }
}
}2)PermissionListnamespace AspNetMvcAuthDemo1.Models
{
public class PermissionList
{
public int ID { set; get; }
public int PermissionID { set; get; }
public int UserID { set; get; }
}
}3)UrlAuthorizeEntitiesnamespace AspNetMvcAuthDemo1.Models
{
public class UrlAuthorizeEntities
{
public IEnumerable<PermissionItem> PermissionItems = new List<PermissionItem>
{
new PermissionItem{ ID = 1 , PermissionID = 1, Name = "Test Page 1", Route = "/Home/Page1" },
new PermissionItem{ ID = 2 , PermissionID = 2, Name = "Test Page 2", Route = "/Home/Page2" },
new PermissionItem{ ID = 3 , PermissionID = 3, Name = "Test Page 3", Route = "/Home/Page3" },
new PermissionItem{ ID = 4 , PermissionID = 1, Name = "Test Page 4", Route = "/Home/Page4" },
new PermissionItem{ ID = 5 , PermissionID = 2, Name = "Test Page 5", Route = "/Home/Page5" }
};
public IEnumerable<PermissionList> PermissionList = new List<PermissionList>
{
new PermissionList{ ID = 1 , PermissionID = 2, UserID = 1},
new PermissionList{ ID = 2 , PermissionID = 3, UserID = 1},
};
}
}2.账户帮助类-AccountHelper包含两个方法,获取所有权限列表并缓存,获取用户权限并缓存。
namespace AspNetMvcAuthDemo1.UrlAuthorize
{
/// <summary>
/// Account Helper
/// </summary>
public static class AccountHelper
{
/// <summary>
/// Get all permission list
/// </summary>
/// <returns>Permission List</returns>
public static List<PermissionItem> GetPermissionItems()
{
if (HttpContext.Current.Cache["PermissionItems"] == null)
{
UrlAuthorizeEntities db = new UrlAuthorizeEntities();
var items = db.PermissionItems.Where(c => c.PermissionID > 0).ToList();
HttpContext.Current.Cache["PermissionItems"] = items;
}
return (List<PermissionItem>)HttpContext.Current.Cache["PermissionItems"];
}
/// <summary>
/// Get User Permission
/// </summary>
/// <param name="userID">User ID</param>
/// <returns>User Permission Array</returns>
public static Int32[] GetUserPermission(int userID)
{
if (HttpContext.Current.Session["Permission"] == null)
{
UrlAuthorizeEntities db = new UrlAuthorizeEntities();
var permissions = db.PermissionList.Where(c => c.UserID == userID).Select(c=>c.PermissionID).ToArray();
HttpContext.Current.Session["Permission"] = permissions;
}
return (Int32[])HttpContext.Current.Session["Permission"];
}
}
}3.Filter(AOP)-UrlAuthorizeAttribute继承自AuthorizeAttribute,重写其OnAuthorization方法,实现AOP。
namespace AspNetMvcAuthDemo1.UrlAuthorize
{
/// <summary>
/// URL permission
/// </summary>
public class UrlAuthorizeAttribute : AuthorizeAttribute
{
/// <summary>
/// Rewrite OnAuthorization
/// </summary>
/// <param name="filterContext"></param>
public override void OnAuthorization(AuthorizationContext filterContext)
{
//Get permission list
List<PermissionItem> pItems = AccountHelper.GetPermissionItems();
//Get current page permission ID,if items is null,the page you what to access has not been configed.
var item = pItems.FirstOrDefault(c => c.Route == filterContext.HttpContext.Request.Path);
if (item != null)
{
int[] permissions = AccountHelper.GetUserPermission(int.Parse(filterContext.HttpContext.Session["UserID"].ToString()));
if (Array.IndexOf<Int32>(permissions, item.PermissionID) == -1)
{
//have not permission
filterContext.HttpContext.Response.Write("You have no permission to access this page.");
filterContext.HttpContext.Response.End();
}
}
else
{
//the page you what to access has not been configed.
filterContext.HttpContext.Response.Write("The page you want to access has not been configed permission.");
filterContext.HttpContext.Response.End();
}
}
}
}4.控制器namespace AspNetMvcAuthDemo1.Controllers
{
public class HomeController : Controller
{
public ActionResult Index()
{
return View();
}
public ActionResult About()
{
ViewBag.Message = "Your application description page.";
return View();
}
public ActionResult Contact()
{
ViewBag.Message = "Your contact page.";
return View();
}
public string Login()
{
HttpContext.Session["UserID"] = 1;
return "Login success.";
}
[UrlAuthorize]
public string Page1()
{
return "Page1";
}
[UrlAuthorize]
public string Page2()
{
return "Page2";
}
[UrlAuthorize]
public string Page3()
{
return "Page3";
}
[UrlAuthorize]
public string Page4()
{
return "Page4";
}
[UrlAuthorize]
public string Page5()
{
return "Page5";
}
[UrlAuthorize]
public string Page6()
{
return "Page6";
}
}
}6.Route Confignamespace AspNetMvcAuthDemo1
{
public class RouteConfig
{
public static void RegisterRoutes(RouteCollection routes)
{
routes.IgnoreRoute("{resource}.axd/{*pathInfo}");
routes.MapRoute(
name: "Default",
url: "{controller}/{action}/{id}",
defaults: new { controller = "Home", action = "Login", id = UrlParameter.Optional }
);
}
}
}效果:1)访问:http://localhost:5598/Home/Page1,结果:You have no permission to access this page.
2)访问:http://localhost:5598/Home/Page2,结果:Page2
3)访问:http://localhost:5598/Home/Page3,结果:Page3
4)访问:http://localhost:5598/Home/Page4,结果:You have no permission to access this page.
5)访问:http://localhost:5598/Home/Page5,结果:Page5
6)访问:http://localhost:5598/Home/Page6,结果:The page you want to access has not been configed permission.
具体逻辑请参照代码进行推理。(UserID =1 的用户有2,3权限,而2,3权限可以看2,3,5页面,所以,只有访问2,3,5才是合法的,其他都是非法,Page6没有配置,也是非法的,只是返回的错误信息不同。)
备注:这个做法是源于看过的博客园里面一个仁兄的做法写的,忘记文章链接了,在此表示感谢。
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- ASP.Net Cache(缓存)
- ASP.Net MVC 使用MySQL 【转】
- ASP.NET MVC与Sql Server交互,把字典数据插入数据库
- Asp.Net Ajax4.5 未知的服務器標記 問題
- ASP.NET MVC与Sql Server交互, 插入数据
- ASP.NET MVC与Sql Server建立连接
- 【回味无穷】ASP.NET内部控件
- ASP.NET动态添加用户控件的方法
- Asp.net Vnext IValueProvider
- 关于在asp.net中的调试
- aspx 体现mvc 模式的增删改查
- 解密aspx与aspx.cs的关系
- ASP.Net核心对象之context.Server对象几个常用方法
- Web服务器和ASP.Net
- asp了解
- 第1章 ASP.NET4.0开发技术概述
- Picture Aspect Ratio
- ASP.NET 为什么要有 MVC
- ASP.NET分页
- asp.net webapi 多文件上传