如上,我们在Get请求中返回登录页面,在Post请求中验证用户名密码,匹配成功后,创建用户Claim, ClaimsIdentity, ClaimsPrincipal 最终通过SignInAsync方法将用户身份写入到响应Cookie中,完成身份令牌的发放。
授权我们在登录中间件后面添加一个自定义的授权中间件,用来禁用匿名用户的访问:
app.UseAuthorize();UseAuthorize的实现很简单,就是判断用户是否已通过认证,并跳过对首页的验证:
public static IApplicationBuilder UseAuthorize(this IApplicationBuilder app) { return app.Use(async (context, next) => { if (context.Request.Path == "http://www.likecs.com/") { await next(); } else { var user = context.User; if (user?.Identity?.IsAuthenticated ?? false) { await next(); } else { await context.ChallengeAsync(); } } }); }其实上面的实现和我们在MVC5中常用的[Authorize]特性非常相似。
个人信息再定义一个认证后才能访问的页面,并把当前登录用户的信息展示出来:
app.Map("/profile", builder => builder.Run(async context => { await context.Response.WriteHtmlAsync(async res => { await res.WriteAsync($"<h1>你好,当前登录用户: {HttpResponseExtensions.HtmlEncode(context.User.Identity.Name)}</h1>"); await res.WriteAsync("<a class=http://www.likecs.com/\"btn btn-default\" href=http://www.likecs.com/\"/Account/Logout\">退出</a>"); await res.WriteAsync($"<h2>AuthenticationType:{context.User.Identity.AuthenticationType}</h2>"); await res.WriteAsync("<h2>Claims:</h2>"); await res.WriteTableHeader(new string[] { "Claim Type", "Value" }, context.User.Claims.Select(c => new string[] { c.Type, c.Value })); }); })); 退出退出则直接调用SignOutAsync方法即可:
app.Map("/Account/Logout", builder => builder.Run(async context => { await context.SignOutAsync(); context.Response.Redirect("http://www.likecs.com/"); })); 首页最后,添加一个简单的首页,方便测试:
app.Run(async context => { await context.Response.WriteHtmlAsync(async res => { await res.WriteAsync($"<h2>Hello Cookie Authentication</h2>"); await res.WriteAsync("<a class=http://www.likecs.com/\"btn btn-default\" href=http://www.likecs.com/\"/profile\">我的信息</a>"); }); }); 运行在浏览器中打开:5000/,显示 "Hello Cookie Authentication",点击 “我的信息” 按钮:
请求: GET :5000/profile HTTP/1.1 Host: localhost:5000 响应: HTTP/1.1 302 Found Location: :5000/Account/Login?ReturnUrl=%2Fprofile