ASP.NET MVC SSO单点登录设计与实现
浏览数:25 /
时间:2015年06月09日
实验环境配置
HOST文件配置如下:
127.0.0.1 app.com
127.0.0.1 sso.com
IIS配置如下:
应用程序池采用.Net Framework 4.0
注意IIS绑定的域名,两个完全不同域的域名。
app.com网站配置如下:
sso.com网站配置如下:
memcached缓存:
数据库配置:
数据库采用EntityFramework 6.0.0,首次运行会自动创建相应的数据库和表结构。
授权验证过程演示:
在浏览器地址栏中访问:http://app.com,如果用户还未登陆则网站会自动重定向至:http://sso.com/passport,同时通过QueryString传参数的方式将对应的AppKey应用标识传递过来,运行截图如下:
URL地址:http://sso.com/passport?appkey=670b14728ad9902aecba32e22fa4f6bd&username=
输入正确的登陆账号和密码后,点击登陆按钮系统自动301重定向至应用会掉首页,毁掉成功后如下所示:
由于在不同的域下进行SSO授权登陆,所以采用QueryString方式返回授权标识。同域网站下可采用Cookie方式。由于301重定向请求是由浏览器发送的,所以在如果授权标识放入Handers中的话,浏览器重定向的时候会丢失。重定向成功后,程序自动将授权标识写入到Cookie中,点击其他页面地址时,URL地址栏中将不再会看到授权标示信息。Cookie设置如下:
登陆成功后的后续授权验证(访问其他需要授权访问的页面):
校验地址:http://sso.com/api/passport?sessionkey=xxxxxx&remark=xxxxxx
返回结果:true,false
客户端可以根据实际业务情况,选择提示用户授权已丢失,需要重新获得授权。默认自动重定向至SSO登陆页面,即:http://sso.com/passport?appkey=670b14728ad9902aecba32e22fa4f6bd&username=[email protected] 同时登陆页面邮箱地址文本框会自定补全用户的登陆账号,用户只需输入登陆密码即可,授权成功后会话有效期自动延长一年时间。
SSO数据库验证日志:
用户授权验证日志:
用户授权会话Session:
数据库用户账号和应用信息:
应用授权登陆验证页面核心代码:
1 /// <summary>
2 /// 公钥:AppKey
3 /// 私钥:AppSecret
4 /// 会话:SessionKey
5 /// </summary>
6 public class PassportController : Controller
7 {
8 private readonly IAppInfoService _appInfoService = new AppInfoService();
9 private readonly IAppUserService _appUserService = new AppUserService();
10 private readonly IUserAuthSessionService _authSessionService = new UserAuthSessionService();
11 private readonly IUserAuthOperateService _userAuthOperateService = new UserAuthOperateService();
12
13 private const string AppInfo = "AppInfo";
14 private const string SessionKey = "SessionKey";
15 private const string SessionUserName = "SessionUserName";
16
17 //默认登录界面
18 public ActionResult Index(string appKey = "", string username = "")
19 {
20 TempData[AppInfo] = _appInfoService.Get(appKey);
21
22 var viewModel = new PassportLoginRequest
23 {
24 AppKey = appKey,
25 UserName = username
26 };
27
28 return View(viewModel);
29 }
30
31 //授权登录
32 [HttpPost]
33 public ActionResult Index(PassportLoginRequest model)
34 {
35 //获取应用信息
36 var appInfo = _appInfoService.Get(model.AppKey);
37 if (appInfo == null)
38 {
39 //应用不存在
40 return View(model);
41 }
42
43 TempData[AppInfo] = appInfo;
44
45 if (ModelState.IsValid == false)
46 {
47 //实体验证失败
48 return View(model);
49 }
50
51 //过滤字段无效字符
52 model.Trim();
53
54 //获取用户信息
55 var userInfo = _appUserService.Get(model.UserName);
56 if (userInfo == null)
57 {
58 //用户不存在
59 return View(model);
60 }
61
62 if (userInfo.UserPwd != model.Password.ToMd5())
63 {
64 //密码不正确
65 return View(model);
66 }
67
68 //获取当前未到期的Session
69 var currentSession = _authSessionService.ExistsByValid(appInfo.AppKey, userInfo.UserName);
70 if (currentSession == null)
71 {
72 //构建Session
73 currentSession = new UserAuthSession
74 {
75 AppKey = appInfo.AppKey,
76 CreateTime = DateTime.Now,
77 InvalidTime = DateTime.Now.AddYears(1),
78 IpAddress = Request.UserHostAddress,
79 SessionKey = Guid.NewGuid().ToString().ToMd5(),
80 UserName = userInfo.UserName
81 };
82
83 //创建Session
84 _authSessionService.Create(currentSession);
85 }
86 else
87 {
88 //延长有效期,默认一年
89 _authSessionService.ExtendValid(currentSession.SessionKey);
90 }
91
92 //记录用户授权日志
93 _userAuthOperateService.Create(new UserAuthOperate
94 {
95 CreateTime = DateTime.Now,
96 IpAddress = Request.UserHostAddress,
97 Remark = string.Format("{0} 登录 {1} 授权成功", currentSession.UserName, appInfo.Title),
98 SessionKey = currentSession.SessionKey
99 }); 104
105 var redirectUrl = string.Format("{0}?SessionKey={1}&SessionUserName={2}",
106 appInfo.ReturnUrl,
107 currentSession.SessionKey,
108 userInfo.UserName);
109
110 //跳转默认回调页面
111 return Redirect(redirectUrl);
112 }
113 }
Memcached会话标识验证核心代码:
public class PassportController : ApiController
{
private readonly IUserAuthSessionService _authSessionService = new UserAuthSessionService();
private readonly IUserAuthOperateService _userAuthOperateService = new UserAuthOperateService();
public bool Get(string sessionKey = "", string remark = "")
{
if (_authSessionService.GetCache(sessionKey))
{
_userAuthOperateService.Create(new UserAuthOperate
{
CreateTime = DateTime.Now,
IpAddress = Request.RequestUri.Host,
Remark = string.Format("验证成功-{0}", remark),
SessionKey = sessionKey
});
return true;
}
_userAuthOperateService.Create(new UserAuthOperate
{
CreateTime = DateTime.Now,
IpAddress = Request.RequestUri.Host,
Remark = string.Format("验证失败-{0}", remark),
SessionKey = sessionKey
});
return false;
}
}
Client授权验证Filters Attribute
public class SSOAuthAttribute : ActionFilterAttribute
{
public const string SessionKey = "SessionKey";
public const string SessionUserName = "SessionUserName";
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
var cookieSessionkey = "";
var cookieSessionUserName = "";
//SessionKey by QueryString
if (filterContext.HttpContext.Request.QueryString[SessionKey] != null)
{
cookieSessionkey = filterContext.HttpContext.Request.QueryString[SessionKey];
filterContext.HttpContext.Response.Cookies.Add(new HttpCookie(SessionKey, cookieSessionkey));
}
//SessionUserName by QueryString
if (filterContext.HttpContext.Request.QueryString[SessionUserName] != null)
{
cookieSessionUserName = filterContext.HttpContext.Request.QueryString[SessionUserName];
filterContext.HttpContext.Response.Cookies.Add(new HttpCookie(SessionUserName, cookieSessionUserName));
}
//从Cookie读取SessionKey
if (filterContext.HttpContext.Request.Cookies[SessionKey] != null)
{
cookieSessionkey = filterContext.HttpContext.Request.Cookies[SessionKey].Value;
}
//从Cookie读取SessionUserName
if (filterContext.HttpContext.Request.Cookies[SessionUserName] != null)
{
cookieSessionUserName = filterContext.HttpContext.Request.Cookies[SessionUserName].Value;
}
if (string.IsNullOrEmpty(cookieSessionkey) || string.IsNullOrEmpty(cookieSessionUserName))
{
//直接登录
filterContext.Result = SsoLoginResult(cookieSessionUserName);
}
else
{
//验证
if (CheckLogin(cookieSessionkey, filterContext.HttpContext.Request.RawUrl) == false)
{
//会话丢失,跳转到登录页面
filterContext.Result = SsoLoginResult(cookieSessionUserName);
}
}
base.OnActionExecuting(filterContext);
}
public static bool CheckLogin(string sessionKey, string remark = "")
{
var httpClient = new HttpClient
{
BaseAddress = new Uri(ConfigurationManager.AppSettings["SSOPassport"])
};
var requestUri = string.Format("api/Passport?sessionKey={0}&remark={1}", sessionKey, remark);
try
{
var resp = httpClient.GetAsync(requestUri).Result;
resp.EnsureSuccessStatusCode();
return resp.Content.ReadAsAsync<bool>().Result;
}
catch (Exception ex)
{
throw ex;
}
}
private static ActionResult SsoLoginResult(string username)
{
return new RedirectResult(string.Format("{0}/passport?appkey={1}&username={2}",
ConfigurationManager.AppSettings["SSOPassport"],
ConfigurationManager.AppSettings["SSOAppKey"],
username));
}
}
示例SSO验证特性使用方法:
[SSOAuth]
public class HomeController : Controller
{
public ActionResult Index()
{
return View();
}
public ActionResult About()
{
ViewBag.Message = "Your application description page.";
return View();
}
public ActionResult Contact()
{
ViewBag.Message = "Your contact page.";
return View();
}
}
总结:
http://c.tieba.baidu.com/p/3377964103
http://c.tieba.baidu.com/p/3378005804
http://c.tieba.baidu.com/p/3378009365
http://c.tieba.baidu.com/p/3378012438
http://c.tieba.baidu.com/p/3378016459
http://c.tieba.baidu.com/p/3378016610
http://c.tieba.baidu.com/p/3378019503
http://c.tieba.baidu.com/p/3378019830
http://c.tieba.baidu.com/p/3378021984
http://c.tieba.baidu.com/p/3378022788
http://c.tieba.baidu.com/p/3378035226
http://c.tieba.baidu.com/p/3378036943
http://c.tieba.baidu.com/p/3378037887
http://c.tieba.baidu.com/p/3378040680
http://c.tieba.baidu.com/p/3378044481
http://c.tieba.baidu.com/p/3378045262
http://c.tieba.baidu.com/p/3378047815
http://c.tieba.baidu.com/p/3378049138
http://c.tieba.baidu.com/p/3378050716
http://c.tieba.baidu.com/p/3378051436
http://c.tieba.baidu.com/p/3378054281
http://c.tieba.baidu.com/p/3378064684
http://c.tieba.baidu.com/p/3378065265
http://c.tieba.baidu.com/p/3378067482
http://c.tieba.baidu.com/p/3378067923
http://c.tieba.baidu.com/p/3378069730
http://c.tieba.baidu.com/p/3378070378
http://c.tieba.baidu.com/p/3378057285
http://c.tieba.baidu.com/p/3378071134
http://c.tieba.baidu.com/p/3378071751
http://c.tieba.baidu.com/p/3378072446
http://c.tieba.baidu.com/p/3378073739
http://c.tieba.baidu.com/p/3378074211
http://c.tieba.baidu.com/p/3378074998
http://c.tieba.baidu.com/p/3378076189
http://c.tieba.baidu.com/p/3378076255
http://c.tieba.baidu.com/p/3378077285
http://c.tieba.baidu.com/p/3378077446
http://c.tieba.baidu.com/p/3378078582
http://c.tieba.baidu.com/p/3378079467
http://c.tieba.baidu.com/p/3378079774
http://c.tieba.baidu.com/p/3378080709
http://c.tieba.baidu.com/p/3378080912
http://c.tieba.baidu.com/p/3378081949
http://c.tieba.baidu.com/p/3378082221
http://c.tieba.baidu.com/p/3378082974
http://c.tieba.baidu.com/p/3378084014
http://c.tieba.baidu.com/p/3378084930
http://c.tieba.baidu.com/p/3378085804
http://c.tieba.baidu.com/p/3378086708
http://c.tieba.baidu.com/p/3378087595
http://c.tieba.baidu.com/p/3378088404
http://c.tieba.baidu.com/p/3378089243
http://c.tieba.baidu.com/p/3378090829
http://c.tieba.baidu.com/p/3378091595
http://c.tieba.baidu.com/p/3378092332
http://c.tieba.baidu.com/p/3378093041
http://c.tieba.baidu.com/p/3378093707
http://c.tieba.baidu.com/p/3378094380
http://c.tieba.baidu.com/p/3378095068
http://c.tieba.baidu.com/p/3378095692
http://c.tieba.baidu.com/p/3378096379
http://c.tieba.baidu.com/p/3378096999
http://c.tieba.baidu.com/p/3378097660
http://c.tieba.baidu.com/p/3378098251
http://c.tieba.baidu.com/p/3378098860
http://c.tieba.baidu.com/p/3378099478
http://c.tieba.baidu.com/p/3378100110
http://c.tieba.baidu.com/p/3378100746
http://c.tieba.baidu.com/p/3378101356
http://c.tieba.baidu.com/p/3378101940
http://c.tieba.baidu.com/p/3378103574
http://c.tieba.baidu.com/p/3378104124
http://c.tieba.baidu.com/p/3378104670
http://c.tieba.baidu.com/p/3378105199
http://c.tieba.baidu.com/p/3378105692
http://c.tieba.baidu.com/p/3378106169
http://c.tieba.baidu.com/p/3378106713
http://c.tieba.baidu.com/p/3378107195
http://c.tieba.baidu.com/p/3378107692
http://c.tieba.baidu.com/p/3378108127
http://c.tieba.baidu.com/p/3378108595
http://c.tieba.baidu.com/p/3378109024
http://c.tieba.baidu.com/p/3378109421
http://c.tieba.baidu.com/p/3378109842
http://c.tieba.baidu.com/p/3378110259
http://c.tieba.baidu.com/p/3378110693
http://c.tieba.baidu.com/p/3378111135
http://c.tieba.baidu.com/p/3378111530
http://c.tieba.baidu.com/p/3378111917
http://c.tieba.baidu.com/p/3378103028
http://c.tieba.baidu.com/p/3378112307
http://c.tieba.baidu.com/p/3378112702
http://c.tieba.baidu.com/p/3378112702
http://c.tieba.baidu.com/p/3378113492
http://c.tieba.baidu.com/p/3378113894
http://c.tieba.baidu.com/p/3378114317
http://c.tieba.baidu.com/p/3378114674
http://c.tieba.baidu.com/p/3378102481
http://c.tieba.baidu.com/p/3378115036
http://c.tieba.baidu.com/p/3378115397
http://c.tieba.baidu.com/p/3378115758
http://c.tieba.baidu.com/p/3378116127
http://c.tieba.baidu.com/p/3378116540
http://c.tieba.baidu.com/p/3378116929
http://c.tieba.baidu.com/p/3378117277
http://c.tieba.baidu.com/p/3378116929
http://c.tieba.baidu.com/p/3378117631
http://c.tieba.baidu.com/p/3378118023
http://c.tieba.baidu.com/p/3378118423
http://c.tieba.baidu.com/p/3378118788
http://c.tieba.baidu.com/p/3378119164
http://c.tieba.baidu.com/p/3378119578
http://c.tieba.baidu.com/p/3378120029
http://c.tieba.baidu.com/p/3378120487
http://c.tieba.baidu.com/p/3378120897
http://c.tieba.baidu.com/p/3378121295
http://c.tieba.baidu.com/p/3378121737
http://c.tieba.baidu.com/p/3378122175
http://c.tieba.baidu.com/p/3378122609
http://c.tieba.baidu.com/p/3378123095
http://c.tieba.baidu.com/p/3378798630
http://c.tieba.baidu.com/p/3378804120
http://c.tieba.baidu.com/p/3378807890
http://c.tieba.baidu.com/p/3378812662
http://c.tieba.baidu.com/p/3378820014
http://c.tieba.baidu.com/p/3378824084
http://c.tieba.baidu.com/p/3378832928
http://c.tieba.baidu.com/p/3378842937
http://c.tieba.baidu.com/p/3378850215
http://c.tieba.baidu.com/p/3378855876
http://c.tieba.baidu.com/p/3378861160
http://c.tieba.baidu.com/p/3378865053
http://c.tieba.baidu.com/p/3378873772
http://c.tieba.baidu.com/p/3378880510
http://c.tieba.baidu.com/p/3378886573
http://c.tieba.baidu.com/p/3378890024
http://c.tieba.baidu.com/p/3378900813
http://c.tieba.baidu.com/p/3378904442
http://c.tieba.baidu.com/p/3378910860
http://c.tieba.baidu.com/p/3378919463
http://c.tieba.baidu.com/p/3378924191
http://c.tieba.baidu.com/p/3378928733
http://c.tieba.baidu.com/p/3378933474
http://c.tieba.baidu.com/p/3378938277
http://c.tieba.baidu.com/p/3378977259
http://c.tieba.baidu.com/p/3378987464
http://c.tieba.baidu.com/p/3378997405
http://c.tieba.baidu.com/p/3379001265
http://c.tieba.baidu.com/p/3379005827
http://c.tieba.baidu.com/p/3379013947
http://c.tieba.baidu.com/p/3379027672
http://c.tieba.baidu.com/p/3379028124
http://c.tieba.baidu.com/p/3379040717
http://c.tieba.baidu.com/p/3379044326
http://c.tieba.baidu.com/p/3379053998
http://c.tieba.baidu.com/p/3379061330
http://c.tieba.baidu.com/p/3379066850
http://c.tieba.baidu.com/p/3379071395
http://c.tieba.baidu.com/p/3379078552
http://c.tieba.baidu.com/p/3379087386
http://c.tieba.baidu.com/p/3379104849
http://c.tieba.baidu.com/p/3379120475
http://c.tieba.baidu.com/p/3379127041
http://c.tieba.baidu.com/p/3379130751
http://c.tieba.baidu.com/p/3379136990
http://c.tieba.baidu.com/p/3379143814
http://c.tieba.baidu.com/p/3379150653
http://c.tieba.baidu.com/p/3379157738
http://c.tieba.baidu.com/p/3379164716
http://c.tieba.baidu.com/p/3379168415
http://c.tieba.baidu.com/p/3379197784
http://c.tieba.baidu.com/p/3379202187
http://c.tieba.baidu.com/p/3379207322
http://c.tieba.baidu.com/p/3379398670
http://c.tieba.baidu.com/p/3379411106
http://c.tieba.baidu.com/p/3379424106
http://c.tieba.baidu.com/p/3379435926
http://c.tieba.baidu.com/p/3379442149
http://c.tieba.baidu.com/p/3379447860
http://c.tieba.baidu.com/p/3379451787
http://c.tieba.baidu.com/p/3379457907
http://c.tieba.baidu.com/p/3379463892
http://c.tieba.baidu.com/p/3379470556
http://c.tieba.baidu.com/p/3379475874
http://c.tieba.baidu.com/p/3379481202
http://c.tieba.baidu.com/p/3379486512
http://c.tieba.baidu.com/p/3379491857
http://c.tieba.baidu.com/p/3379507300
http://c.tieba.baidu.com/p/3379513254
http://c.tieba.baidu.com/p/3379518782
http://c.tieba.baidu.com/p/3379523805
http://c.tieba.baidu.com/p/3379618567
http://c.tieba.baidu.com/p/3379622898
http://c.tieba.baidu.com/p/3379649500
http://c.tieba.baidu.com/p/3379655168
http://c.tieba.baidu.com/p/3379674479
http://c.tieba.baidu.com/p/3379680086
http://c.tieba.baidu.com/p/3379686005
http://c.tieba.baidu.com/p/3379691944
http://c.tieba.baidu.com/p/3379697946
http://c.tieba.baidu.com/p/3379703907
http://c.tieba.baidu.com/p/3379709893
http://c.tieba.baidu.com/p/3379715841
http://c.tieba.baidu.com/p/3379721783
http://c.tieba.baidu.com/p/3379727566
http://c.tieba.baidu.com/p/3379733382
http://c.tieba.baidu.com/p/3379737574
http://c.tieba.baidu.com/p/3379738993
http://c.tieba.baidu.com/p/3379744780
http://c.tieba.baidu.com/p/3379746437
http://c.tieba.baidu.com/p/3379750440
http://c.tieba.baidu.com/p/3379754764
http://c.tieba.baidu.com/p/3379756122
http://c.tieba.baidu.com/p/3379761769
http://c.tieba.baidu.com/p/3379761886
http://c.tieba.baidu.com/p/3379767622
http://c.tieba.baidu.com/p/3379773214
http://c.tieba.baidu.com/p/3379775595
http://c.tieba.baidu.com/p/3379778839
http://c.tieba.baidu.com/p/3379784070
http://c.tieba.baidu.com/p/3379788547
http://c.tieba.baidu.com/p/3379789495
http://c.tieba.baidu.com/p/3379794777
http://c.tieba.baidu.com/p/3379800020
http://c.tieba.baidu.com/p/3379805383
http://c.tieba.baidu.com/p/3379806346
http://c.tieba.baidu.com/p/3379810607
http://c.tieba.baidu.com/p/3379814428
http://c.tieba.baidu.com/p/3379815631
http://c.tieba.baidu.com/p/3379818302
http://c.tieba.baidu.com/p/3379820549
http://c.tieba.baidu.com/p/3379825459
http://c.tieba.baidu.com/p/3379828936
http://c.tieba.baidu.com/p/3379830324
http://c.tieba.baidu.com/p/3379835035
http://c.tieba.baidu.com/p/3379836800
http://c.tieba.baidu.com/p/3379839668
http://c.tieba.baidu.com/p/3379839668
http://c.tieba.baidu.com/p/3379844219
http://c.tieba.baidu.com/p/3379851995
http://c.tieba.baidu.com/p/3379857209
http://c.tieba.baidu.com/p/3379857691
http://c.tieba.baidu.com/p/3379862291
http://c.tieba.baidu.com/p/3379862665
http://c.tieba.baidu.com/p/3379867248
http://c.tieba.baidu.com/p/3379869439
http://c.tieba.baidu.com/p/3379871737
http://c.tieba.baidu.com/p/3379873954
http://c.tieba.baidu.com/p/3379875930
http://c.tieba.baidu.com/p/3379880033
http://c.tieba.baidu.com/p/3379880441
http://c.tieba.baidu.com/p/3379884050
http://c.tieba.baidu.com/p/3379887193
http://c.tieba.baidu.com/p/3379887876
http://c.tieba.baidu.com/p/3379891568
http://c.tieba.baidu.com/p/3379895149
http://c.tieba.baidu.com/p/3379897354
http://c.tieba.baidu.com/p/3379898661
http://c.tieba.baidu.com/p/3379900071
http://c.tieba.baidu.com/p/3379901971
http://c.tieba.baidu.com/p/3379905277
http://c.tieba.baidu.com/p/3379906939
http://c.tieba.baidu.com/p/3379908508
http://c.tieba.baidu.com/p/3379911512
http://c.tieba.baidu.com/p/3379911521
http://c.tieba.baidu.com/p/3379913696
http://c.tieba.baidu.com/p/3379914416
http://c.tieba.baidu.com/p/3379917089
http://c.tieba.baidu.com/p/3379919751
http://c.tieba.baidu.com/p/3379920356
http://c.tieba.baidu.com/p/3379922427
http://c.tieba.baidu.com/p/3379923497
http://c.tieba.baidu.com/p/3379924940
http://c.tieba.baidu.com/p/3379927196
http://c.tieba.baidu.com/p/3379926347
http://c.tieba.baidu.com/p/3379937545
http://c.tieba.baidu.com/p/3379940750
http://c.tieba.baidu.com/p/3379943364
从草稿示例代码中可以看到代码性能上还有很多优化的地方,还有SSO应用授权登陆页面的用户账号不存在、密码错误等一系列的提示信息等。在业务代码运行基本正确的后期,可以考虑往更多的安全性层面优化,比如启用AppSecret私钥签名验证,IP范围验证,固定会话请求攻击、SSO授权登陆界面的验证码、会话缓存自动重建、SSo服务器、缓存的水平扩展等。
郑重声明:本站内容如果来自互联网及其他传播媒体,其版权均属原媒体及文章作者所有。转载目的在于传递更多信息及用于网络分享,并不代表本站赞同其观点和对其真实性负责,也不构成任何其他建议。
