Asp.net 5 MVC 6 Custom authentication

I spent two weeks searching for a solution which allows me to make permission-based authentication. I have a database schema like this:

User <- Role <--> Permissions

Users have only one role, which is connected with permissions using a many-to-many relationship.

I already wrote my models for these entities.

I started with Asp.Net Identity, but its default schema isn't designed for permission-based authentication.

I also tried to use Cookie Middleware, but I can't override ClaimsPrincipal and use my model of user account.

The only thing I can do at the moment is writing from the beginning a simple authentication library that uses the session, but it's a bad idea due to security issues.

Documentation of the new version of Asp.Net MVC isn't finished yet, but maybe someone knows how to help me? :/

There are two options.

  1. You map the permissions to claims. Roles are really just a grouping in your scenario and not something you would authorize upon. So when you create the user claims principal you'd add claims for each permission, then validate them in your authorization policies.
  2. You create role claims, and then inside the authorize policies you would go to your database and pull the permissions out of there and see if the role fulfills the policy. Authorization requirement handlers can take DI registered classes, so you'd register your PermissionsProvider on application startup, and then reference it in the constructor for your handler.

You can leverage the cookie authentication system Identity uses without having to roll your own, getting the signed validation for free. All you would need to do, at a minimum, is implement login, logout and a forbidden page.
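A sketch of option 2, added here as an illustration and not part of the original answer: a requirement handler that receives a DI-registered permissions provider and checks the caller's role claim against it. It uses the type names of released ASP.NET Core (the ASP.NET 5 pre-release signatures differed) and C# 9 syntax; `IPermissionsProvider`, `InMemoryPermissionsProvider`, the policy name and the permission strings are assumptions made for the example.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// Requirement attached to a policy: the caller's role must grant this permission.
public sealed record PermissionRequirement(string Permission) : IAuthorizationRequirement;

// Hypothetical abstraction over the Role <--> Permissions tables.
public interface IPermissionsProvider { Task<bool> RoleHasPermissionAsync(string role, string permission); }

// Constructed in-memory stand-in; a real provider would query the database.
public sealed class InMemoryPermissionsProvider : IPermissionsProvider
{
    private static readonly Dictionary<string, HashSet<string>> Map = new()
    {
        ["Editor"] = new() { "articles.read", "articles.edit" },
        ["Reader"] = new() { "articles.read" },
    };
    public Task<bool> RoleHasPermissionAsync(string role, string permission) =>
        Task.FromResult(Map.TryGetValue(role, out var granted) && granted.Contains(permission));
}

public sealed class PermissionHandler : AuthorizationHandler<PermissionRequirement>
{
    private readonly IPermissionsProvider _permissions;
    public PermissionHandler(IPermissionsProvider permissions) => _permissions = permissions;
    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context, PermissionRequirement requirement)
    {
        // One role per user in this schema; a missing role claim grants nothing.
        var role = context.User.FindFirst(ClaimTypes.Role)?.Value;
        if (role != null && await _permissions.RoleHasPermissionAsync(role, requirement.Permission))
            context.Succeed(requirement); // never calling Succeed leaves the policy failed
    }
}

public static class PermissionSetup
{
    // Call from ConfigureServices; [Authorize(Policy = "CanEditArticles")] then guards an action.
    public static void AddPermissionPolicies(this IServiceCollection services)
    {
        services.AddScoped<IPermissionsProvider, InMemoryPermissionsProvider>();
        services.AddScoped<IAuthorizationHandler, PermissionHandler>();
        services.AddAuthorization(o => o.AddPolicy("CanEditArticles",
            p => p.AddRequirements(new PermissionRequirement("articles.edit"))));
    }
}
```

The handler only sees a role if the cookie sign-in issued it as a `ClaimTypes.Role` claim, and because permissions are looked up on each check, revoking one from a role takes effect without reissuing cookies.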
