1.引入相关程序包JwtBearer注意版本:
2.配置文件appsettings.json写相关配置参数(也可不写,写在程序里面,数据库读取也是一样的)
, //JWT加密"JWTToken": {"SecretKey": "jsaduwqe6asdjewejdue7dfmsdfu0sdfmwmsd8wfsd6", //密钥"Issuer": "ZYP", //发行者"Audience": "simple", //拥护者//"ExpireMinutes": 240 //过期时间}
3.在Program配置相关服务。
#region JWT
//获取配置文件
var configuration = builder.Configuration;
string Issuer = configuration["JWTToken:Issuer"];
string Audience = configuration["JWTToken:Audience"];
string SecretKey = configuration["JWTToken:SecretKey"];
//注入jwt
builder.Services.AddAuthentication(options =>
{options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{options.TokenValidationParameters = new TokenValidationParameters(){//过期时间容错值,解决服务器端时间不同步问题(秒)//允许服务器时间偏移量30秒,即我们配置的过期时间加上这个允许偏移的时间值,才是真正过期的时间(过期时间 + 偏移值)你也可以设置为0,ClockSkew = TimeSpan.ZeroClockSkew = TimeSpan.FromSeconds(30),//要求Token的Claims中必须包含ExpiresRequireExpirationTime = true,//是否在令牌期间验证签发者ValidateIssuer = true,//发行人IssuerValidIssuer = Issuer, //是否验证接收者ValidateAudience = true,//是否验证失效时间ValidateLifetime = true,//是否验证签名SecurityKeyValidateIssuerSigningKey = true,//接收者ValidAudience = Audience,//密钥SecurityKeyIssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(SecretKey)), };
});
//注入JwtHelper
builder.Services.AddSingleton(new JwtHelper(configuration));
#endregion//注入Swagger,注入这个才能在调试接口时输入token
builder.Services.AddSwaggerGen(options =>
{options.AddSecurityRequirement(new Microsoft.OpenApi.Models.OpenApiSecurityRequirement{{new OpenApiSecurityScheme{Reference=new OpenApiReference{Id="Bearer",Type=ReferenceType.SecurityScheme},},Array.Empty<string>()}});options.AddSecurityDefinition("Bearer", new Microsoft.OpenApi.Models.OpenApiSecurityScheme{Description = "请输入文字'Bearer '后面跟空格和token格式 Bearer {token}",Name = "Authorization",In = Microsoft.OpenApi.Models.ParameterLocation.Header,Type = Microsoft.OpenApi.Models.SecuritySchemeType.ApiKey});
});//配置跨域
builder.Services.AddCors(policy =>
{policy.AddPolicy("CorsPolicy", opt => opt.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod().WithExposedHeaders("X-Pagination"));
});//调用中间件:UseAuthentication(认证),
//必须在所有需要身份认证的中间件前调用,比如 UseAuthorization(授权)。
app.UseAuthentication();
//调用中间件:UseAuthorization(授权)。
app.UseAuthorization();
4.相关配置结束后,我们得生成Token,这时我们创建一个专门生成Token的类里面有两个生成Token的方法,想用哪个用哪个。该类在Program里有引用。
/// <summary>/// Token生成类/// </summary>public class JwtHelper{/// <summary>/// 配置文件信息/// </summary>private readonly IConfiguration _configuration;public JwtHelper(IConfiguration configuration){_configuration = configuration;}/// <summary>/// 创建一个使用控制器方法授权的Token/// </summary>/// <returns></returns>public string CreatePermissionToken(string UserName, string RoleName, string AppId, Claim[] claims){// 1. 定义需要使用到的Claimsif (claims == null){claims = new[]{new Claim(ClaimTypes.Name, UserName), //HttpContext.User.Identity.Namenew Claim(ClaimTypes.Role, RoleName), //HttpContext.User.IsInRole("r_admin")new Claim(JwtRegisteredClaimNames.Jti, AppId),//分配给订阅着的特定Idnew Claim("Permission", Permissions.UserCreate),new Claim("Permission", Permissions.UserDelete),new Claim("Permission", Permissions.UserUpdate),new Claim("Permission", Permissions.UserSelect)//new Claim("Username", "Admin"),//其他荷载信息};}// 2. 从 appsettings.json 中读取密钥SecretKeyvar secretKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_configuration["JWTToken:SecretKey"]));// 3. 选择加密算法var algorithm = SecurityAlgorithms.HmacSha256;// 4. 生成Credentialsvar signingCredentials = new SigningCredentials(secretKey, algorithm);// 5. 根据以上,生成tokenvar Token = new JwtSecurityToken(issuer: _configuration["JWTToken:Issuer"], //发布者audience: _configuration["JWTToken:Audience"], //接收者claims: claims, //存放的用户信息notBefore: DateTime.Now, //发布时间expires: System.DateTime.Now.AddHours(48), //有效期设置为48小时signingCredentials: signingCredentials //数字签名,用于生成Token的Header,其余都是荷载数据);// 6. 将token变为stringvar token = new JwtSecurityTokenHandler().WriteToken(Token);return token;}/// <summary>/// 创建一个使用账号密码授权验证的Token/// </summary>/// <param name="UserName"></param>/// <param name="RoleName"></param>/// <param name="AppId"></param>/// <param name="Account"></param>/// <param name="PassWord"></param>/// <returns></returns>public string CreateLoginToken(string UserName, string RoleName, string AppId, string Account, string PassWord){// 1. 定义需要使用到的Claimsvar claims = new[]{new Claim(ClaimTypes.Name, UserName),new Claim(ClaimTypes.Role, RoleName),new Claim(JwtRegisteredClaimNames.Jti, AppId),//分配给订阅着的特定Idnew Claim("Account", Account),//账号new Claim("PassWord", PassWord)//密码,可以要求使用特定加密技术加密//new Claim("Username", "Admin"),//其他荷载信息};// 2. 从 appsettings.json 中读取密钥SecretKeyvar secretKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_configuration["JWTToken:SecretKey"]));// 3. 选择加密算法var algorithm = SecurityAlgorithms.HmacSha256;// 4. 生成Credentialsvar signingCredentials = new SigningCredentials(secretKey, algorithm);// 5. 根据以上,生成tokenvar Token = new JwtSecurityToken(issuer: _configuration["JWTToken:Issuer"], //发布者audience: _configuration["JWTToken:Audience"], //接收者claims: claims, //存放的用户信息notBefore: DateTime.Now, //发布时间expires: System.DateTime.Now.AddHours(48), //有效期设置为48小时signingCredentials: signingCredentials //数字签名,用于生成Token的Header,其余都是荷载数据);// 6. 将token变为stringvar token = new JwtSecurityTokenHandler().WriteToken(Token);return token;}}
5.这时可以生成Token了,我们来新建一个控制器来生成一个试试:
[Route("api/[controller]")]
[ApiController]
public class GetTokenController : ControllerBase
{private readonly JwtHelper _jwtHelper;public GetTokenController(JwtHelper jwtHelper){_jwtHelper = jwtHelper;}[HttpPost][Route("Token")]public Task<JsonResult> GetToken(UserToken token){string thetoken = _jwtHelper.CreateLoginToken(token.Name, "User", token.AppId, token.Account, token.PassWord);var result = new{success = true,msg = "OK",//消息token = thetoken};return Task.FromResult(new JsonResult(result));}
}
控制器的参数类(根据自己需要修改)
public class UserToken
{/// <summary>/// 给需要访问本系统的程序的唯一标识/// </summary>public string AppId { get; set; } = string.Empty;/// <summary>/// 需要访问本系统的程序的名称/// </summary>public string Name { get; set; } = string.Empty;/// <summary>/// 分配给需要访问本系统的程序的账号/// </summary>public string Account { get; set; } = string.Empty;/// <summary>/// 分配给需要访问本系统的程序的密码/// </summary>public string PassWord { get; set; } = string.Empty;
}
启动程序测试,生成成功!:
6.既然可以生成Token了,那么就该给控制器授权了,总不能让每个携带Token的用户能访问系统所以的API吧,那样会出现垂直越权的情况,渗透测试过不了哦。
相关标签:Authorize 和 AllowAnonymous
授权方式:介绍三种授权方式(Policy、Role、Scheme)
此处着重说Policy方式,对Role方法感兴趣的可以看我前面的Cookie方式验证。
6.1首先新建一个JwtAuthorizationRequirement类(类名不固定)用于继承IAuthorizationRequirement
public class JwtAuthorizationRequirement : IAuthorizationRequirement
{//这里可以扩展一些其他的角色或者需要的东西.//txt参数是在使用策略授权时传入进来的,例如:Authorize(Policy= "MyPolicy")的MyPolicypublic JwtAuthorizationRequirement(string name){Name = name;}public string? Name { get; set; }
}
6.2然后新建一个JwtAuthorizationHandler类继承AuthorizationHandler<JwtAuthorizationRequirement>
/// <summary>
/// 检验策略,相当于.NET MVC继承AuthorizeAttribute实现JWT的拦截器的效果。
/// </summary>
public class JwtAuthorizationHandler : AuthorizationHandler<JwtAuthorizationRequirement>
{protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, JwtAuthorizationRequirement requirement){if (context.User == null){context.Fail();return Task.CompletedTask;}//requirement.Name 就是在添加策略授权时传入的值 string? Account = context.User.Claims.FirstOrDefault(p => p.Type == requirement.Name)?.Value;string? PassWord = context.User.Claims.FirstOrDefault(p => p.Type == "PassWord")?.Value;//这里时数据库或者其他方式校验 if (Account=="1234"){context.Succeed(requirement);}else{context.Fail();}return Task.CompletedTask;}
}
6.3然后将该策略在Program下注入
//注入授权策略(非必要,仅有需要自定义授权规则时使用)
builder.Services.AddSingleton<IAuthorizationHandler, JwtAuthorizationHandler>();
//账号密码验证策略
builder.Services.AddAuthorization(p =>
{p.AddPolicy("Account", t =>{t.Requirements.Add(new JwtAuthorizationRequirement("Account"));});
});
6.4 使用:
[Authorize(policy: "Account")]//主要是这个public IEnumerable<WeatherForecast> Get(){return Enumerable.Range(1, 5).Select(index => new WeatherForecast{Date = DateTime.Now.AddDays(index),TemperatureC = Random.Shared.Next(-20, 55),Summary = Summaries[Random.Shared.Next(Summaries.Length)]}).ToArray();}
策略授权基本就是这样了。
再贴一个策略授权代码(可以忽略):
/// <summary>/// 规则授权参数/// </summary>public class Permissions{/// <summary>/// 规则受体/// </summary>public const string User = "User";/// <summary>/// 增权限/// </summary>public const string UserCreate = User + ".Create";/// <summary>/// 删权限/// </summary>public const string UserDelete = User + ".Delete";/// <summary>/// 改权限/// </summary>public const string UserUpdate = User + ".Update";/// <summary>/// 查权限/// </summary>public const string UserSelect = User + ".Select";}
public class PermissionAuthorizationRequirement : IAuthorizationRequirement
{/// <summary>/// 参数是在使用策略授权时传入进来的,例如:Authorize(Policy= "MyPolicy")的MyPolicy/// </summary>/// <param name="name">Authorize(Policy= "MyPolicy")的MyPolicy</param>public PermissionAuthorizationRequirement(string name){Name = name;}public string Name { get; set; }
}
public class PermissionAuthorizationHandler : AuthorizationHandler<PermissionAuthorizationRequirement>{protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, PermissionAuthorizationRequirement requirement){//取出当前用户的所有Permission的参数var permissions = context.User.Claims.Where(_ => _.Type == "Permission").Select(_ => _.Value).ToList();//是否满足授权,满足则运行 context.Succeed if (permissions.Any(_ => _.StartsWith(requirement.Name))){context.Succeed(requirement);}else{context.Fail();}return Task.CompletedTask;}}
Program
builder.Services.AddSingleton<IAuthorizationHandler, PermissionAuthorizationHandler>();
//控制器方法验证策略
builder.Services.AddAuthorization(options =>
{options.AddPolicy(Permissions.UserCreate, policy => policy.AddRequirements(new PermissionAuthorizationRequirement(Permissions.UserCreate)));options.AddPolicy(Permissions.UserUpdate, policy => policy.AddRequirements(new PermissionAuthorizationRequirement(Permissions.UserUpdate)));options.AddPolicy(Permissions.UserDelete, policy => policy.AddRequirements(new PermissionAuthorizationRequirement(Permissions.UserDelete)));options.AddPolicy(Permissions.UserSelect, policy => policy.AddRequirements(new PermissionAuthorizationRequirement(Permissions.UserSelect)));
});
7.最后.整个Program
var builder = WebApplication.CreateBuilder(args);// Add services to the container.builder.Services.AddControllers();
// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();
//首先引用Microsoft.AspNetCore.Mvc.NewtonsoftJson包。再在builder.Services.AddControllers()后添加相应内容
builder.Services.AddControllers().AddNewtonsoftJson(options =>
{//设置JSON返回数据格式大小写与Model一致options.SerializerSettings.ContractResolver = new DefaultContractResolver();//设置一般API的日期格式options.SerializerSettings.DateFormatString = "yyyy-MM-dd HH:mm:ss";
});#region JWT
//获取配置文件
var configuration = builder.Configuration;
string Issuer = configuration["JWTToken:Issuer"];
string Audience = configuration["JWTToken:Audience"];
string SecretKey = configuration["JWTToken:SecretKey"];
//注入jwt
builder.Services.AddAuthentication(options =>
{options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{options.TokenValidationParameters = new TokenValidationParameters(){//过期时间容错值,解决服务器端时间不同步问题(秒)//允许服务器时间偏移量30秒,即我们配置的过期时间加上这个允许偏移的时间值,才是真正过期的时间(过期时间 + 偏移值)你也可以设置为0,ClockSkew = TimeSpan.ZeroClockSkew = TimeSpan.FromSeconds(30),//要求Token的Claims中必须包含ExpiresRequireExpirationTime = true,//是否在令牌期间验证签发者ValidateIssuer = true,//发行人IssuerValidIssuer = Issuer, //是否验证接收者ValidateAudience = true,//是否验证失效时间ValidateLifetime = true,//是否验证签名SecurityKeyValidateIssuerSigningKey = true,//接收者ValidAudience = Audience,//密钥SecurityKeyIssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(SecretKey)), };
});
//注入JwtHelper
builder.Services.AddSingleton(new JwtHelper(configuration));
//注入授权策略(非必要,仅有需要自定义授权规则时使用)
builder.Services.AddSingleton<IAuthorizationHandler, JwtAuthorizationHandler>();
//账号密码验证策略
builder.Services.AddAuthorization(p =>
{p.AddPolicy("Account", t =>{t.Requirements.Add(new JwtAuthorizationRequirement("Account"));});
});builder.Services.AddSingleton<IAuthorizationHandler, PermissionAuthorizationHandler>();
//控制器方法验证策略
builder.Services.AddAuthorization(options =>
{options.AddPolicy(Permissions.UserCreate, policy => policy.AddRequirements(new PermissionAuthorizationRequirement(Permissions.UserCreate)));options.AddPolicy(Permissions.UserUpdate, policy => policy.AddRequirements(new PermissionAuthorizationRequirement(Permissions.UserUpdate)));options.AddPolicy(Permissions.UserDelete, policy => policy.AddRequirements(new PermissionAuthorizationRequirement(Permissions.UserDelete)));options.AddPolicy(Permissions.UserSelect, policy => policy.AddRequirements(new PermissionAuthorizationRequirement(Permissions.UserSelect)));
});
#endregion
//注入Swagger
builder.Services.AddSwaggerGen(options =>
{options.AddSecurityRequirement(new Microsoft.OpenApi.Models.OpenApiSecurityRequirement{{new OpenApiSecurityScheme{Reference=new OpenApiReference{Id="Bearer",Type=ReferenceType.SecurityScheme},},Array.Empty<string>()}});options.AddSecurityDefinition("Bearer", new Microsoft.OpenApi.Models.OpenApiSecurityScheme{Description = "请输入文字'Bearer '后面跟空格和token格式 Bearer {token}",Name = "Authorization",In = Microsoft.OpenApi.Models.ParameterLocation.Header,Type = Microsoft.OpenApi.Models.SecuritySchemeType.ApiKey});
});//配置跨域
builder.Services.AddCors(policy =>
{policy.AddPolicy("CorsPolicy", opt => opt.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod().WithExposedHeaders("X-Pagination"));
});
var app = builder.Build();
//调用中间件:UseAuthentication(认证),
//必须在所有需要身份认证的中间件前调用,比如 UseAuthorization(授权)。
app.UseAuthentication();
//调用中间件:UseAuthorization(授权)。
app.UseAuthorization();
// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())
{app.UseSwagger();app.UseSwaggerUI();
}app.UseHttpsRedirection();app.MapControllers();app.Run();
参考链接:ASP.NET Core 6.0 添加 JWT 认证和授权 - 芦荟柚子茶 - 博客园