[英]ASP.NET Identity + Windows Authentication for Intranet Site
I am building an intranet site where users will be on the corporate domain and have different permission levels. 我正在构建一个Intranet站点,其中用户将在公司域上并具有不同的权限级别。 I'm currently using
<authentication mode="Windows"/>
to control site access, but it seems like I should be using ASP.NET Identity . 我目前正在使用
<authentication mode="Windows"/>
来控制站点访问,但似乎我应该使用ASP.NET身份 。
For example, say my application is a dashboard for each department in the organization. 例如,假设我的应用程序是组织中每个部门的仪表板。 I want to create a single AD group called
DashboardUsers
and put everyone that can touch the site in this group. 我想创建一个名为
DashboardUsers
AD组,并将每个可以触及该组中的站点的人放入。
I also want to restrict the views in the dashboard. 我还想限制仪表板中的视图。 For example, I only want the IT group to see their view, and the Finance folks see theirs, etc.
例如,我只希望IT小组看到他们的观点,财务人员看到他们的观点等。
Question -- should I be using Windows Authentication to control access to the site, and then use ASP.NET Identity for user level permissions? 问题 - 我应该使用Windows身份验证来控制对站点的访问,然后使用ASP.NET身份进行用户级权限吗?
I have done something similar to this using only WindowsAuthentication. 我只使用WindowsAuthentication做了类似的事情。 You can tag your actions with the Authorize Attribute:
您可以使用授权属性标记您的操作:
[Authorize(Roles = @"DashboardUsers")]
As long is this user is a member of the DashboardUsers AD group they will get access to this action. 只要此用户是DashboardUsers AD组的成员,他们就可以访问此操作。 It seems like MVC magic, but it really is that simple.
它看起来像MVC魔术,但它真的很简单。
Unfortunately this approach will not allow you to overload an action for different Roles as the Authorize Attribute is not part of the method's signature. 不幸的是,这种方法不允许您为不同的角色重载动作,因为授权属性不是方法签名的一部分。 In your views, you would have to show different anchor tags based on the current users role.
在您的视图中,您必须根据当前用户角色显示不同的锚标记。
ie: 即:
[Authorize(Roles = @"DashboardUsers\Manager")]
public ActionResult IndexManagers()
{
..
}
or 要么
[Authorize(Roles = @"DashboardUsers\Finance")]
public ActionResult IndexFinance()
{
..
}
EDIT AFTER COMMENT: Since your Identity is coming from AD, you could use logic in your controller like: 编辑后编辑:由于您的身份来自AD,您可以在控制器中使用逻辑,如:
if(User.IsInRole("Finance"))
{
..
}
else if(User.IsInRole("IT"))
{
..
}
And this will check which AD Group they belong too. 这将检查他们属于哪个AD组。 I know it's not very elegant, but I can't imagine mixing Windows Auth with a custom identity and managing permissions in your own db would be elegant either.
我知道它不是很优雅,但我无法想象将Windows Auth与自定义标识混合在一起,并且在您自己的数据库中管理权限也会很优雅。
I have run into this dilemma before and wound up creating a custom role provider that i used in conjunction with windows authentication. 我之前遇到过这种困境,并且创建了一个与Windows身份验证结合使用的自定义角色提供程序。 I'm not sure you need the OWIN middleware when authenticating against AD.
在对AD进行身份验证时,我不确定您是否需要OWIN中间件。
public class MyAwesomeRoleProvider : RoleProvider
{
public override void AddUsersToRoles(string[] usernames, string[] roleNames)
{
// i talk to my database via entityframework in here to add a user to a role.
}
// override all the methods for your own role provider
}
config file 配置文件
<system.web>
<authentication mode="Windows" />
<roleManager enabled="true" defaultProvider="MyAwesomeRoleManager">
<providers>
<clear />
<add name="MyAwesomeRoleManager" type="MyAwesomeNamespace.MyAwesomeRoleProvider" connectionStringName="MyAwesomeContext" applicationName="MyAwesomeApplication" />
</providers>
</roleManager>
</system.web>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.