本例使用简单的角色验证方式:用户登录后取得其角色,然后在Action上通过[Authorize(Roles="admin,user")]来控制访问权限,也就是说,只有属于这些角色的用户才能访问该Action。

首先添加Microsoft.AspNetCore.Authentication.Cookies引用

在Startup.cs的Configure方法中添加以下代码:

// Register the cookie-authentication middleware for the pipeline.
var cookieOptions = new CookieAuthenticationOptions
{
    // Scheme name; the controller's SignInAsync call must pass exactly this string.
    AuthenticationScheme = "loginvalidate",
    // Login action the user is sent to when a request requires authentication.
    LoginPath = new Microsoft.AspNetCore.Http.PathString("/login"),
    // Action the user is sent to when signed in but lacking the required role.
    AccessDeniedPath = new Microsoft.AspNetCore.Http.PathString("/Home/NoPermission"),
    AutomaticAuthenticate = true,
    AutomaticChallenge = true,
    // Re-issues the cookie on activity; no explicit ExpireTimeSpan is set here, so the
    // framework default lifetime applies — NOTE(review): confirm that default suits the app.
    SlidingExpiration = true
};
app.UseCookieAuthentication(cookieOptions);


HomeController中登录Action的实现

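using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

namespace webAuth.Controllers
{
    /// <summary>
    /// Every action on this controller requires the "admin" or "user" role unless an
    /// action narrows that further or opts out with [AllowAnonymous].
    /// </summary>
    [Authorize(Roles = "admin,user")]
    public class HomeController : Controller
    {
        /// <summary>
        /// One row of the in-memory demo user store.
        /// </summary>
        private sealed class DemoUser
        {
            public int ID { get; set; }
            public string UserName { get; set; }
            public string Password { get; set; }
            public string Name { get; set; }
            public int RoleTypeID { get; set; }
            public string RoleType { get; set; }
            public string RoleTypeName { get; set; }
        }

        // Stand-in for the database lookup. Passwords are kept and compared in clear text
        // only because this is a sample; a real store must hold a salted hash and verify
        // the submitted password against it instead of comparing strings.
        private static readonly List<DemoUser> s_users = new List<DemoUser>
        {
            new DemoUser { ID = 1, UserName = "zsf", Password = "111", Name = "张三丰", RoleTypeID = 1, RoleType = "admin", RoleTypeName = "管理员" },
            new DemoUser { ID = 2, UserName = "zwj", Password = "222", Name = "张无忌", RoleTypeID = 2, RoleType = "user", RoleTypeName = "普通用户" }
        };

        public IActionResult Index()
        {
            return View();
        }

        /// <summary>
        /// About is reachable only by the "user" role.
        /// </summary>
        [Authorize(Roles = "user")]
        public IActionResult About()
        {
            ViewData["Message"] = "UserID:" + CurrentUserId();
            return View();
        }

        /// <summary>
        /// Contact is reachable only by the "admin" role.
        /// </summary>
        [Authorize(Roles = "admin")]
        public IActionResult Contact()
        {
            ViewData["Message"] = "UserID:" + CurrentUserId();
            return View();
        }

        /// <summary>
        /// Target of the middleware's AccessDeniedPath: shown to a signed-in user who
        /// lacks the role an action requires.
        /// </summary>
        public IActionResult NoPermission()
        {
            return View();
        }

        /// <summary>
        /// Shows the login form. Open to anonymous visitors.
        /// </summary>
        /// <param name="returnUrl">
        /// Address the visitor originally asked for; the view keeps it in a hidden field so the
        /// POST can send the user back there after a successful login.
        /// </param>
        [AllowAnonymous]
        [HttpGet("login")]
        public IActionResult Login(string returnUrl)
        {
            // Only a visitor who is not yet signed in gets the return address carried through.
            if (!HttpContext.User.Identity.IsAuthenticated)
            {
                ViewBag.returnUrl = returnUrl;
            }
            ViewBag.error = null;
            return View();
        }

        /// <summary>
        /// Handles the submitted login form. Open to anonymous visitors.
        /// </summary>
        /// <param name="username">User name from the form.</param>
        /// <param name="password">Password from the form.</param>
        /// <param name="returnUrl">Address to return to after login; only local URLs are followed.</param>
        /// <returns>A redirect on success; the login view with an error message otherwise.</returns>
        // TODO(security): pair this POST with [ValidateAntiForgeryToken] once Login.cshtml
        // emits the antiforgery token; without it a third-party page can submit this form.
        [AllowAnonymous]
        [HttpPost("login")]
        public async Task<IActionResult> Login(string username, string password, string returnUrl)
        {
            var user = s_users.SingleOrDefault(u => u.UserName == username && u.Password == password);
            if (user == null)
            {
                ViewBag.error = "用户名或密码错误!";
                return View();
            }

            // Claims carried in the authentication cookie; Sid is what About/Contact read back.
            var claims = new[]
            {
                new Claim(ClaimTypes.UserData, username),
                new Claim(ClaimTypes.Role, user.RoleType),
                new Claim(ClaimTypes.Name, user.Name),
                new Claim(ClaimTypes.Sid, user.ID.ToString())
            };

            // Scheme name must match the one registered in Startup.Configure. The call is
            // awaited so the cookie is written before the redirect response goes out.
            await HttpContext.Authentication.SignInAsync(
                "loginvalidate",
                new ClaimsPrincipal(new ClaimsIdentity(claims, "Cookie")));

            // Follow returnUrl only when it points back into this site; an attacker-supplied
            // absolute URL would otherwise bounce the freshly signed-in user off-site.
            if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
            {
                return new RedirectResult(returnUrl);
            }
            return new RedirectResult("/");
        }

        /// <summary>
        /// Value of the Sid claim set at login, or null when the principal carries none.
        /// </summary>
        private string CurrentUserId()
        {
            var sid = User.FindFirst(ClaimTypes.Sid);
            return sid == null ? null : sid.Value;
        }
    }
}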


Login.cshtml页面如下:

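@{
    Layout = null;
}
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>登录</title>
    <link href="~/lib/bootstrap/dist/css/bootstrap.css" rel="stylesheet" />
    <style>
        .col-md-12 { text-align: center; margin-top: 10px; }
        .input-group { width: 300px; margin: 0 auto; }
        .input-group-addon { width: 80px; }
    </style>
</head>
<body>
    <form method="post" action="/login">
        @* Emits the hidden antiforgery field; validate it on the POST action with [ValidateAntiForgeryToken]. *@
        @Html.AntiForgeryToken()
        <div class="container">
            <div class="row">
                <div class="col-md-12">
                    <div class="input-group">
                        <span class="input-group-addon" id="basic-addon1">用户名</span>
                        <input type="text" class="form-control" name="username" aria-describedby="basic-addon1" />
                    </div>
                </div>
            </div>
            <div class="row">
                <div class="col-md-12">
                    <div class="input-group">
                        @* Each addon needs its own id so aria-describedby points at the right label. *@
                        <span class="input-group-addon" id="basic-addon2">密码</span>
                        <input type="password" class="form-control" name="password" aria-describedby="basic-addon2" />
                    </div>
                </div>
            </div>
            <div class="row">
                <div class="col-md-12">
                    <div class="input-group">
                        @* Carries the address the visitor originally requested back to the POST action. *@
                        <input type="hidden" value="@ViewBag.returnUrl" name="returnUrl" />
                        <button type="submit" class="btn btn-primary">登录</button>
                    </div>
                </div>
            </div>
            @if (ViewBag.error != null)
            {
                <span class="text-danger">@ViewBag.error</span>
            }
        </div>
    </form>
    @* jQuery must load before bootstrap.js, which depends on it. *@
    <script src="~/lib/jquery/dist/jquery.js"></script>
    <script src="~/lib/bootstrap/dist/js/bootstrap.js"></script>
</body>
</html>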


如果在其他页面使用User,可以像下面这样使用

<span>当前用户:@User.Identity.Name</span>

当然也可以从User中查到其他登录时存储的Claim的值

登录成功后

登录成功后访问没有权限页面(当然可以不让这种角色看到不能访问的链接)