在ASP.NET Core中关于Security有两个容易混淆的概念一个是Authentication(认证),一个是Authorization(授权)。而前者是确定用户是谁的过程,后者是围绕着他们允许做什么,今天的主题就是关于在ASP.NET Core 2.0中如何使用CookieAuthentication认证。
在ASP.NET Core 2.0中使用CookieAuthentication跟在1.0中有些不同,需要在ConfigureServices和Configure中分别设置,前者我们叫注册服务,后者我们叫注册中间
public void ConfigureServices(IServiceCollection services) { services.AddAuthentication(options => { options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme; }).AddCookie();
// 不允许匿名访问 services.AddMvc(options => { var policy = new AuthorizationPolicyBuilder() .RequireAuthenticatedUser() .Build(); options.Filters.Add(new AuthorizeFilter(policy)); }); }
public void Configure(IApplicationBuilder app, IHostingEnvironment env) { if (env.IsDevelopment()) { app.UseDeveloperExceptionPage(); } else { app.UseExceptionHandler("/Home/Error"); } app.UseStaticFiles();
// 使用Authentication中间件,这里关于认证只有一个中间件,具体的认证策略将在服务中注册 app.UseAuthentication(); app.UseMvc(routes => { routes.MapRoute( name: "default", template: "{controller=Home}/{action=Index}/{id?}"); }); }
在配置服务方法中我们使用Cookie认证所以AddCookie(),没有任何参数,系统会为某些属性指定默认值
public static class CookieAuthenticationDefaults { /// <summary> /// The default value used for CookieAuthenticationOptions.AuthenticationScheme /// </summary> public const string AuthenticationScheme = "Cookies"; /// <summary> /// The prefix used to provide a default CookieAuthenticationOptions.CookieName /// </summary> public static readonly string CookiePrefix = ".AspNetCore."; /// <summary> /// The default value used by CookieAuthenticationMiddleware for the /// CookieAuthenticationOptions.LoginPath /// </summary> public static readonly PathString LoginPath = new PathString("/Account/Login"); /// <summary> /// The default value used by CookieAuthenticationMiddleware for the /// CookieAuthenticationOptions.LogoutPath /// </summary> public static readonly PathString LogoutPath = new PathString("/Account/Logout"); /// <summary> /// The default value used by CookieAuthenticationMiddleware for the /// CookieAuthenticationOptions.AccessDeniedPath /// </summary> public static readonly PathString AccessDeniedPath = new PathString("/Account/AccessDenied"); /// <summary> /// The default value of the CookieAuthenticationOptions.ReturnUrlParameter /// </summary> public static readonly string ReturnUrlParameter = "ReturnUrl"; }
根据微软的命名规范在ConfigureServices统一使用Add***,在Configure统一使用Use***
登陆代码
public async Task<IActionResult> LoginDo() { var user = new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, "bidianqing") }, CookieAuthenticationDefaults.AuthenticationScheme)); await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, user, new AuthenticationProperties { IsPersistent = true, ExpiresUtc = DateTimeOffset.Now.Add(TimeSpan.FromDays(180)) }); return Redirect("/"); }
登出代码
public async Task<IActionResult> Logout() { await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme); return Redirect("/"); }