我已经在 Web API 项目中实现了带角色管理的 JWT 令牌认证，工作正常：Authorize 属性运行良好，角色管理也是基于 JWT 实现的。下面是控制器端代码。
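/// <summary>
/// Logs a user in with a user name and password and, when the login succeeds,
/// issues an HS256-signed JWT carrying that user's id and role.
/// </summary>
/// <param name="objuser">User name / login id exactly as sent by the client.</param>
/// <param name="password">Password exactly as sent by the client; passed straight to UserLogin.DoLogin.</param>
/// <returns>
/// The object returned by UserLogin.DoLogin. On a successful login (DoLogin signals
/// this by setting Email to "Sucess") its Token property holds the new JWT; on
/// failure the DoLogin result, which may be null, is returned unchanged with no token.
/// </returns>
/// <exception cref="InvalidOperationException">
/// The "Url" or "AuthTokenKey" app setting is missing or empty. Failing here keeps a
/// misconfigured deployment from issuing tokens at all, instead of dying with a
/// NullReferenceException.
/// </exception>
public Object Authentication(string objuser, string password)
{
    var Login = UserLogin.DoLogin(objuser, password);
    if (Login == null || Login.Email != "Sucess")
    {
        // Not authenticated: hand back DoLogin's result untouched, no token.
        return Login;
    }

    // Admin, Buyer or Seller. Becomes the ClaimTypes.Role claim that
    // [Authorize(Roles = "...")] evaluates on the API side.
    string UserRole = GetUserRole(Login.UserType);

    // Issuer, audience and signing secret must match what Startup feeds into
    // TokenValidationParameters, or every token is rejected on use.
    string issuer = ConfigurationManager.AppSettings["Url"];
    string key = ConfigurationManager.AppSettings["AuthTokenKey"];
    if (string.IsNullOrEmpty(issuer) || string.IsNullOrEmpty(key))
    {
        throw new InvalidOperationException(
            "appSettings 'Url' and 'AuthTokenKey' must both be configured before tokens can be issued.");
    }

    // NOTE(review): this is the HS256 secret. The library only enforces a minimum
    // length; a short or guessable AppSettings value can be brute-forced offline
    // from any captured token, so it should be at least 32 random bytes.
    var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key));
    var credentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256);

    var permClaims = new List<Claim>();
    // Unique token id; useful for logging and for a revocation list if one is added.
    permClaims.Add(new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()));
    permClaims.Add(new Claim("valid", "1"));
    // The signed owner of this token. Any API action that takes a UID/userid
    // request parameter must compare it against this claim on the authenticated
    // principal (or ignore the parameter and use the claim): the client cannot
    // alter a signed claim, but it can send any parameter value it likes.
    permClaims.Add(new Claim("userid", Login.User_ID.ToString()));
    // NOTE(review): inside this branch Login.Email is the success sentinel
    // "Sucess" (see the check above), so this claim never carries a real address.
    // Kept as-is for compatibility; check what DoLogin actually stores in Email.
    permClaims.Add(new Claim("Email", Login.Email));
    permClaims.Add(new Claim(ClaimTypes.Role, UserRole));

    // Issuer and audience are both the site URL. The "exp" claim is a UTC epoch
    // time, so the expiry is computed in UTC: one day from now.
    var token = new JwtSecurityToken(issuer,
        issuer,
        permClaims,
        expires: DateTime.UtcNow.AddDays(1),
        signingCredentials: credentials);

    Login.Token = new JwtSecurityTokenHandler().WriteToken(token);
    // NOTE(review): the whole Login object is serialized back to the client; make
    // sure DoLogin's result holds nothing sensitive (e.g. a password hash) — cannot
    // tell from here.
    return Login;
}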
Startup 文件中的代码如下：
/// <summary>
/// OWIN startup: registers JWT bearer authentication so every request carrying
/// "Authorization: Bearer &lt;token&gt;" is validated against the same issuer,
/// audience and HS256 key that the login endpoint uses to sign tokens.
/// </summary>
/// <param name="app">The OWIN application builder the middleware is added to.</param>
public void Configuration(IAppBuilder app)
{
    //createRolesandUsers();

    // Issuer and audience are both the site URL; the signing secret is the shared
    // HS256 key. Both are read from appSettings and must be the same values the
    // token-issuing code uses, otherwise every token fails validation.
    string siteUrl = ConfigurationManager.AppSettings["Url"].ToString();
    string signingSecret = ConfigurationManager.AppSettings["AuthTokenKey"].ToString();
    var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(signingSecret));

    var validation = new TokenValidationParameters()
    {
        ValidateIssuer = true,
        ValidIssuer = siteUrl,
        ValidateAudience = true,
        ValidAudience = siteUrl,
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = signingKey
        // NOTE(review): ValidateLifetime is not set here; it defaults to true in
        // Microsoft.IdentityModel.Tokens, so "exp" should be enforced — confirm
        // for the package version in use.
    };

    var bearerOptions = new JwtBearerAuthenticationOptions
    {
        // Active: the middleware authenticates every request and sets the
        // principal, so [Authorize] and role checks work without opting in.
        AuthenticationMode = AuthenticationMode.Active,
        TokenValidationParameters = validation
    };

    app.UseJwtBearerAuthentication(bearerOptions);
}
Ajax 端代码——我像这样在 ajax 请求中发送令牌：
$.ajax({
url: pathtoBuyerDetails,
type: "Get",
**headers: { Authorization: 'Bearer ' + sessionStorage.getItem('AuthorizeToken')},**
data: { Time: Time, UID: UID },
success: function (values) {something}
我的客户的新要求是：请求中的 UserID 必须与令牌进行核对。例如，第一个买家登录，其 UserID=2，TokenID="eyJqdGkiOiJkNTEwMzEwMC1jZDI3LTQxY2QtOTFmZS1iZGFjOTY5ZTMwOTUiLCJ2YWxpZCI6IjEiLCJleHAiOjE2MDExMjI4NTksImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6NTUyNTMvIiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo1NTI1My8ifQ"
Second Buyer login and his UserID=3 and TokenID="JqdGkiOiJkNTEwMzEwMC1jZDI3LTQxY2QtOTFmZS1iZGFjOTY5ZTMwOTUiLCJ2YWxpZCI6IjEiLCJleHAiOjE2MDExMjI4NTksImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6NTUyNTMvIiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo1NTI1My8ifQ.zEazMtGdWSjMOj4EqrCM3BX"
需要的解决方案是：如果第二个买家在 sessionStorage 中把自己的 id 从 3 改成 2 再去请求该 URL，他不应该能访问第一个买家的数据，因为他的令牌属于 UserID=3 而不是 2。简而言之，我们需要确保一个买家无法访问另一个买家的数据。这意味着服务器端必须把请求参数中的 UID 与 JWT 里已签名的 userid 声明（claim）进行比对——令牌是经过签名的，客户端无法篡改其中的 userid，所以应以令牌中的值为准，而不是信任客户端传来的参数。