Windows窗体的MVC WebAPI身份validation

只需在服务器端创建身份validation令牌，并将其存储在数据库甚至缓存中。 然后使用来自win表单应用程序的请求发送此令牌。 WebApi应始终检查此令牌。 它足够好，您可以完全控制您的身份validation过程。

让我分享一下，它对我有用：

具有Auth详细信息的对象：

public class TokenIdentity { public int UserID { get; set; } public string AuthToken { get; set; } public ISocialUser SocialUser { get; set; } } 

Web API Auth控制器：

  public class AuthController : ApiController { public TokenIdentity Post( SocialNetwork socialNetwork, string socialUserID, [FromUri]string socialAuthToken, [FromUri]string deviceRegistrationID = null, [FromUri]DeviceType? deviceType = null) { var socialManager = new SocialManager(); var user = socialManager.GetSocialUser(socialNetwork, socialUserID, socialAuthToken); var tokenIdentity = new AuthCacheManager() .Authenticate( user, deviceType, deviceRegistrationID); return tokenIdentity; } } 

Auth缓存管理器：

 public class AuthCacheManager : AuthManager { public override TokenIdentity CurrentUser { get { var authToken = HttpContext.Current.Request.Headers["AuthToken"]; if (authToken == null) return null; if (HttpRuntime.Cache[authToken] != null) { return (TokenIdentity) HttpRuntime.Cache.Get(authToken); } return base.CurrentUser; } } public int? CurrentUserID { get { if (CurrentUser != null) { return CurrentUser.UserID; } return null; } } public override TokenIdentity Authenticate( ISocialUser socialUser, DeviceType? deviceType = null, string deviceRegistrationID = null) { if (socialUser == null) throw new ArgumentNullException("socialUser"); var identity = base.Authenticate(socialUser, deviceType, deviceRegistrationID); HttpRuntime.Cache.Add( identity.AuthToken, identity, null, DateTime.Now.AddDays(7), Cache.NoSlidingExpiration, CacheItemPriority.Default, null); return identity; } } 

认证经理：

  public abstract class AuthManager { public virtual TokenIdentity CurrentUser { get { var authToken = HttpContext.Current.Request.Headers["AuthToken"]; if (authToken == null) return null; using (var usersRepo = new UsersRepository()) { var user = usersRepo.GetUserByToken(authToken); if (user == null) return null; return new TokenIdentity { AuthToken = user.AuthToken, SocialUser = user, UserID = user.ID }; } } } public virtual TokenIdentity Authenticate( ISocialUser socialUser, DeviceType? deviceType = null, string deviceRegistrationID = null) { using (var usersRepo = new UsersRepository()) { var user = usersRepo.GetUserBySocialID(socialUser.SocialUserID, socialUser.SocialNetwork); user = (user ?? new User()).CopyFrom(socialUser); user.AuthToken = System.Guid.NewGuid().ToString(); if (user.ID == default(int)) { usersRepo.Add(user); } usersRepo.SaveChanges(); return new TokenIdentity { AuthToken = user.AuthToken, SocialUser = user, UserID = user.ID }; } } } 

全局动作filter：

 public class TokenAuthenticationAttribute : System.Web.Http.Filters.ActionFilterAttribute { public override void OnActionExecuting(System.Web.Http.Controllers.HttpActionContext actionContext) { if (actionContext.Request.RequestUri.AbsolutePath.Contains("api/auth")) { return; } var authManager = new AuthCacheManager(); var user = authManager.CurrentUser; if (user == null) { throw new HttpResponseException(HttpStatusCode.Unauthorized); } //Updates the authentication authManager.Authenticate(user.SocialUser); } } 

Global.asax注册：

 GlobalConfiguration.Configuration.Filters.Add(new AuthFilterAttribute()); 

我们的想法是AuthCacheManager扩展了AuthManager并修饰了它的方法和属性。 如果缓存中没有任何内容，那么去检查数据库。

您可以使用基于令牌的身份validation 这是一篇很棒的文章，说明如何编写使用RSA公共/私有加密的自定义操作filter。