ASP.NET MVC 5 中的自定义授权过滤器? [英] Custom Authorization filter in ASP.NET MVC 5?

问题描述

在 ASP.NET MVC 5 中，我们可以使用 [Authorize] 属性来检查授权并限制对某些操作页面的访问.我想知道如何修改此属性 - 应该在一段时间后检查授权?例如，让未经授权的用户在 10 分钟内查看页面，然后阻止访问.

In ASP.NET MVC 5 we can use [Authorize] attribute to check authorization and limit access to some actionspages. I wonder how can I modify this attribute - authorization should be checked after some period of time? For instance, let unauthorized user to see the page during 10 minutes and then block access.

更新:似乎我的问题不清楚，所以我将问题加粗.我需要计算每个未经授权的用户在网站上花费的时间，然后在 N 分钟后阻止他.

Updated : it is seems that my question wasn't clear so I bolded the problem. I need to count time each unauthorized user spent on the site and then block him after N minutes.

推荐答案

您可以实现自定义授权以允许在有限的时间内匿名浏览，如下所示:

You may implement a custom authorization for allowing anonymous browsing during a limited amount of time like this:

public class AuthorizeWithAnonymousTimeoutAttribute : AuthorizeAttribute
{
    public int? AnonymousMinutesTimeout { get; set; }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        // Let default handling occurs
        base.OnAuthorization(filterContext);

        // If result is set, authorization has already been denied,
        // nothing more to do.
        if (filterContext.Result as HttpUnauthorizedResult != null)
            return;

        var isAnonAllowed = filterContext.ActionDescriptor.IsDefined(
                typeof(AllowAnonymousAttribute), true) || 
            filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(
                typeof(AllowAnonymousAttribute), true);
        if (isAnonAllowed && AnonymousMinutesTimeout.HasValue &&
            // Not authorized
            !AuthorizeCore(filterContext.HttpContext))
        {
            const string visitStartCookieName = "visitStartCookie";
            const string visitStartDateFormat = "yyyyMMddhhmmss";
            var visitStartCookie = filterContext.HttpContext.Request
                .Cookies[visitStartCookieName];
            var now = DateTime.UtcNow;
            DateTime visitStartDate;
            var visitStartCookieValid = visitStartCookie != null &&
                DateTime.TryParseExact(visitStartCookie.Value,
                    visitStartDateFormat, null, DateTimeStyles.AssumeUniversal,
                    out visitStartDate);
            if (!visitStartCookieValid)
            {
                visitStartDate = now;
                filterContext.HttpContext.Response.Cookies.Add(
                    // Session cookie. (Need to set an expiry date if
                    // a "permanent" cookie is wished instead.)
                    new HttpCookie
                    {
                        Name = "visitStartCookie",
                        Value = now.ToString(visitStartDateFormat)
                    });
            }
            if (visitStartDate.AddMinutes(AnonymousMinutesTimeout.Value) < now)
            {
                // Anonymous visit timed out
                HandleUnauthorizedRequest(filterContext);
                return;
            }
        }
    }
}

然后，如果它适合您，将其用作全局过滤器，如下所示:

Then, use it as a global filter if it suits you, like this:

public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
    filters.Add(
        new AuthorizeWithAnonymousTimeoutAttribute
        {
            // By example, 10 minutes
            AnonymousMinutesTimeout = 10
        });
    // Your other filters
    ...
}

不要忘记用 AllowAnonymousAttribute 装饰你的控制器或动作:

And do not forget to decorate your controllers or actions with AllowAnonymousAttribute:

[AllowAnonymous]
public class YourController
{
}

或

public class YourController
{
    [AllowAnonymous]
    public ActionResult YourAction()
    {
    }
}

如果全局定义不适合您，您也可以将自定义授权属性直接放在控制器或操作上:

You may also put your custom authorize attribute directly on controllers or actions if defining it globally does not suit you:

// By example, 10 minutes anonymous browsing allowed.
[AuthorizeWithAnonymousTimeout(AnonymousMinutesTimeout = 10)]
public class YourController
{
}

请注意，此实现不保护匿名超时.只要他愿意，黑客可以克服它并匿名浏览.浏览器工具允许删除 cookie，因此很容易从新的超时开始.
我的示例也只是设置了一个会话 cookie，它会在关闭/重新打开浏览器后消失.当然，使用其他浏览器或设备将允许再使用 10 分钟.

Please note this implementation does not secure the anonymous timeout. A hacker may overcome it and browse anonymously as long as he wishes. Browser tools allow for cookie deletion, so it is easy to start with a fresh timeout.
My example also just set a session cookie, which will be gone by closing/re-opening the browser. Of course using another browser or device will allow for another 10 minutes of usage.

保护匿名超时非常困难，因为您的用户是匿名的.您可以尝试从他们的技术特征识别您的匿名用户，然后跟踪他们的超时服务器端.
但是您可能会遇到很多问题:企业用户使用相同的 IP 地址浏览，或者因为没有单一的 Internet 连接而在不同的 IP 之间切换，...​​

Securing an anonymous timeout is quite hard, since your user is anonymous. You may try to identify your anonymous users from their technical characteristics and then track their timeouts server side.
But you will probably run into many issues: corporate users browsing with the same IP address, or switching between different IP because they do not have a single Internet connection, ...

这篇关于ASP.NET MVC 5 中的自定义授权过滤器?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！