
Which security should I use?

I am making an intranet MVC app for in-house use. The only other guy in the shop is the server tech. I am told we have a domain controller and we use AD, and every user is in groups. I'm pretty sure we use Windows authentication (based on the fact that we have to log in to our workstations).

I'm not sure if I should be using the UserPrincipal in Directory Services, or the Current.User stuff in HttpContext, or something else, for authenticating users. Only people in certain AD groups should be able to open the app.

Obviously I know nothing about app security stuff. I plan to hit the books as soon as I figure out which "technology" I should be using. I also need to check users against specific groups. I almost had that figured out, but I am getting false when I know it should be true.

        if (HttpContext.Current.User.IsInRole("MyADGroup"))
        {
            IsAdmin = true;   //keeps returning false.
        }

So what should I be looking into?
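The following is an added example (not code from the question or from any answer) showing the two places the question mentions side by side: the `IsInRole` check on `HttpContext.User` under Windows authentication, and a direct lookup through `System.DirectoryServices.AccountManagement` (`UserPrincipal`). The domain NetBIOS name `CORP`, the namespace and the controller are assumptions; `MyADGroup` is the group named in the question. It assumes IIS has Windows Authentication enabled and Anonymous disabled for the site, and that web.config contains `<authentication mode="Windows" />` with `<authorization><deny users="?" /></authorization>`.

```csharp
// Added example, not from the original post. Assumptions: the domain is
// "CORP", the group is "MyADGroup", and the site runs under IIS Windows
// authentication so HttpContext.User is a WindowsPrincipal.
using System;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Security.Principal;
using System.Web.Mvc;

namespace IntranetApp.Controllers
{
    public static class AdGroups
    {
        // Under Windows authentication the role names carried by the
        // principal are domain-qualified ("CORP\MyADGroup"), so a bare
        // "MyADGroup" passed to IsInRole never matches.
        public const string Domain = "CORP";                  // assumption
        public const string AdminGroup = Domain + @"\MyADGroup";

        // Fast path: the groups are already in the caller's Windows token.
        public static bool IsInGroupByToken(IPrincipal user, string domainQualifiedGroup)
        {
            return user != null
                   && user.Identity.IsAuthenticated
                   && user.IsInRole(domainQualifiedGroup);
        }

        // Slow path: ask the domain controller. GetAuthorizationGroups()
        // expands nested groups, which matters when MyADGroup contains
        // other groups rather than users directly. This query runs as the
        // application pool identity, which must be able to read AD.
        public static bool IsInGroupByDirectory(string samAccountName, string groupSamAccountName)
        {
            using (var ctx = new PrincipalContext(ContextType.Domain, Domain))
            using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
            {
                if (user == null)
                    return false;

                using (var groups = user.GetAuthorizationGroups())
                {
                    return groups.Any(g => string.Equals(g.SamAccountName, groupSamAccountName,
                                                         StringComparison.OrdinalIgnoreCase));
                }
            }
        }
    }

    // Declarative gate: MVC answers 401 for anyone outside the group,
    // so the action body never runs for them.
    [Authorize(Roles = AdGroups.AdminGroup)]
    public class AdminController : Controller
    {
        public ActionResult Index()
        {
            // User.Identity.Name is "CORP\jdoe" under Windows authentication;
            // keep only the SAM account name for the directory lookup.
            string samAccountName = User.Identity.Name.Split('\\').Last();

            bool isAdmin = AdGroups.IsInGroupByToken(User, AdGroups.AdminGroup)
                           || AdGroups.IsInGroupByDirectory(samAccountName, "MyADGroup");

            ViewBag.IsAdmin = isAdmin;
            return View();
        }
    }
}
```

The token check is enough for most intranet apps and costs nothing per request; the directory lookup is the fallback for nested groups and for the case where a user was just added to the group and has not logged on again (the Windows token only refreshes at logon).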

You can use this example to help you get started with Active Directory Roles.

Since the application is in-house, you don't want to stray far from Windows Authentication, but I do recommend looking into LDAP.

Connecting to an LDAP Server

Good luck!

You can hook up the internal application to use users and groups from AD by using the ActiveDirectoryMembershipProvider. Then simply authenticate against the provider instance (Membership.ValidateUser). This allows you to use AD as a backing store but isolates your application from an explicit dependence on it. This will also populate the UserPrincipal on the HttpContext.

I would recommend using this with a standard login form, though IIS will allow you to configure Windows authentication for the entire site. Using a standard login form along with AD-backed authentication allows you to maintain the decoupling and also expose some parts of the site as public pages by allowing anonymous access. This can be useful for things like application help and FAQs, which might be useful to someone trying to log on but either disallowed by permission or using the incorrect credentials. It provides a better user experience as well.
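The login-form flow described in this answer, as an added example that is not the answerer's code: credentials go through `Membership.ValidateUser` (backed by an `ActiveDirectoryMembershipProvider`), the "only certain AD groups may open the app" rule from the question is enforced before a forms ticket is issued, and the rest of the site then depends only on the forms cookie. Assumptions: web.config has `<authentication mode="Forms">` with `loginUrl="~/Account/Login"` and a default membership provider of type `ActiveDirectoryMembershipProvider` whose connection string points at the domain; the domain `CORP`, the controller, view model and namespace are hypothetical; `MyADGroup` is from the question.

```csharp
// Added example, not from the original answer. Assumes forms authentication
// plus an ActiveDirectoryMembershipProvider configured as the default
// membership provider in web.config; domain "CORP" and group "MyADGroup".
using System;
using System.DirectoryServices.AccountManagement;
using System.Web.Mvc;
using System.Web.Security;

namespace IntranetApp.Controllers
{
    public class LoginModel
    {
        public string UserName { get; set; }
        public string Password { get; set; }
    }

    // AllowAnonymous is what lets help/FAQ-style pages stay public when a
    // global Authorize filter protects everything else.
    [AllowAnonymous]
    public class AccountController : Controller
    {
        private const string Domain = "CORP";            // assumption
        private const string RequiredGroup = "MyADGroup";

        [HttpGet]
        public ActionResult Login(string returnUrl)
        {
            ViewBag.ReturnUrl = returnUrl;
            return View();
        }

        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult Login(LoginModel model, string returnUrl)
        {
            // Step 1: the provider binds to AD over LDAP with the supplied
            // credentials. False covers wrong password, disabled and
            // locked-out accounts; do not tell the user which one.
            if (!ModelState.IsValid || !Membership.ValidateUser(model.UserName, model.Password))
            {
                ModelState.AddModelError("", "Invalid user name or password.");
                return View(model);
            }

            // Step 2: the membership provider validates credentials only, it
            // does not evaluate groups, so the group gate is enforced here
            // before any ticket exists.
            if (!IsDirectMemberOf(model.UserName, RequiredGroup))
            {
                ModelState.AddModelError("", "Your account is not authorised to use this application.");
                return View(model);
            }

            // Step 3: issue the forms ticket. From here on the app reads the
            // cookie and has no further dependency on AD.
            FormsAuthentication.SetAuthCookie(model.UserName, createPersistentCookie: false);

            // Follow returnUrl only when it points back into this site
            // (open-redirect guard).
            if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
                return Redirect(returnUrl);
            return RedirectToAction("Index", "Home");
        }

        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult LogOff()
        {
            FormsAuthentication.SignOut();
            return RedirectToAction("Login");
        }

        // Direct membership only (nested groups are not expanded). The
        // lookup runs as the application pool identity, which therefore
        // needs read access to the directory.
        private static bool IsDirectMemberOf(string samAccountName, string groupName)
        {
            using (var ctx = new PrincipalContext(ContextType.Domain, Domain))
            using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, groupName))
            using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
            {
                return group != null && user != null && user.IsMemberOf(group);
            }
        }
    }
}
```

Because the group check happens once at login, a user removed from MyADGroup keeps access until the forms ticket expires; keep the ticket timeout short or re-check the group in an authorization filter if that window matters.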
