Authentication and Authorization in MVC

I have created an asp.net web application with MVC. So far everything is good except authentication and authorization.

I want to do this: Create an authentication function and pass the username and password to it.

I already created the stored procedure which returns true or false. The authentication function just calls the procedure and returns true or false - if it returns true the user will be authenticated and we are good to go.

The next step is to have an authorization method which runs when the user wants to do anything (checks when the user clicks on a button or link).

So I created an authorization function and pass the username and a function ID to it. Just like the authentication function, a stored procedure returns true or false. True means the user can do it; otherwise the user must return to the login page.

My questions are:

1- how can I run the authorization function whenever the user wants to do anything?

2- how can I define a unique function ID? I mean, what should the function ID be? (object IDs?)

1 run authorisation function whenever the user wants to do anything

Add an ActionFilterAttribute and apply it to all your controllers

2 give each function a unique id

No need, each function already has a unique name: controller name + action name (unless you have some very weird, unmanageable setup...)

Example:

using System;
using System.Web;
using System.Web.Mvc;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class AuthoriseActionAttribute : ActionFilterAttribute
{
    // OnActionExecuting runs before the action body, so a denied request never
    // reaches it (OnResultExecuted would run after the action has already done its work).
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var user = HttpContext.Current.Request.LogonUserIdentity;
        var controller = filterContext.ActionDescriptor.ControllerDescriptor.ControllerName;
        var action = filterContext.ActionDescriptor.ActionName;

        // call existing authorisation function here
        // using user, controller, action to determine if user has access
        // (IsAuthorised is a placeholder name for your own stored-procedure wrapper)
        bool authorised = IsAuthorised(user.Name, controller, action);

        if (!authorised) {
            // deny: a 401 result is what makes forms authentication send the user back to the login page
            filterContext.Result = new HttpUnauthorizedResult("You are not authorised to perform this action.");
            return;
        }

        base.OnActionExecuting(filterContext);
    }
}

usage:

[AuthoriseAction]
public class HomeController : Controller 

Note: I use Windows authentication, so the user= part may not be what you need for your application authentication method. But the principle is the same.
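The following is an added example, not code from the answer above or from any project; it shows how the asker's stored-procedure check can be wired into an ASP.NET MVC authorization filter, which runs before action filters and before the action body. The procedure name `dbo.usp_IsAuthorised`, its parameter names, the `AppDb` connection-string key and the use of MVC 4+ (`AllowAnonymousAttribute`, `HttpStatusCodeResult`) are assumptions of this example. Controller name plus action name serves as the "function ID", as the answer suggests.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Mvc;

// Deny-by-default authorisation filter: the request must be authenticated and the
// (user, controller, action) triple must be approved by the database.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class StoredProcedureAuthorizeAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        // Only actions explicitly marked [AllowAnonymous] (e.g. the login page) opt out.
        bool anonymousAllowed =
            filterContext.ActionDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true) ||
            filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true);
        if (anonymousAllowed) return;

        var user = filterContext.HttpContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
        {
            // Not logged in: the 401 result makes forms authentication redirect to the login page.
            HandleUnauthorizedRequest(filterContext);
            return;
        }

        // The "function ID" is simply controller name + action name.
        string controller = filterContext.ActionDescriptor.ControllerDescriptor.ControllerName;
        string action = filterContext.ActionDescriptor.ActionName;

        bool allowed;
        try
        {
            allowed = AuthorisationStore.IsAuthorised(user.Identity.Name, controller, action);
        }
        catch (SqlException)
        {
            // Fail closed: a database error must never turn into an access grant.
            allowed = false;
        }

        if (!allowed)
        {
            // Authenticated but not permitted: 403, so the user is not bounced to a login page they already passed.
            filterContext.Result = new HttpStatusCodeResult(403, "Forbidden");
        }
    }
}

// Thin wrapper over the asker's stored procedure (procedure and parameter names assumed here).
public static class AuthorisationStore
{
    public static bool IsAuthorised(string userName, string controller, string action)
    {
        string connectionString = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand("dbo.usp_IsAuthorised", connection))
        {
            command.CommandType = CommandType.StoredProcedure;
            // Parameterised inputs: the user-controlled strings never become part of SQL text.
            command.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
            command.Parameters.Add("@Controller", SqlDbType.NVarChar, 128).Value = controller;
            command.Parameters.Add("@Action", SqlDbType.NVarChar, 128).Value = action;
            // Assumed procedure contract: @Allowed BIT OUTPUT set to 1 when access is granted.
            SqlParameter allowed = command.Parameters.Add("@Allowed", SqlDbType.Bit);
            allowed.Direction = ParameterDirection.Output;

            connection.Open();
            command.ExecuteNonQuery();
            // A missing or NULL answer counts as "no".
            return allowed.Value != null && allowed.Value != DBNull.Value && (bool)allowed.Value;
        }
    }
}

// Register once in Global.asax / App_Start so every controller is covered without
// remembering to decorate each one.
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new StoredProcedureAuthorizeAttribute());
    }
}
```

Registering the filter globally and opting individual actions out with `[AllowAnonymous]` keeps the default at "denied", so a newly added controller cannot be reached by accident before someone remembers to protect it. Deriving from `AuthorizeAttribute` (an `IAuthorizationFilter`) rather than `ActionFilterAttribute` matters because authorization filters run first in the MVC pipeline, and `AuthorizeAttribute` also handles the output-cache interaction that a plain action filter does not.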
