
C#.NET Using isAuthenticated

I'm using the MVC format to create a website. Right now all it does is manage users from a SQL server. What I'm trying to do now is have the user log in and then be able to manage the users. From the Login page it should go to the Index of the Account, but I only want this page to be viewable by authenticated users. It works fine if I:

1) set the function in the controller to [AllowAnonymous] (this is not what I want)

2) allow Windows Authentication (which is not what I want because once I deploy, it'll be on the web)

It really just boils down to: how do I authenticate a user and then have that authentication persist?

Here is the login page:

@model myWebsite.Models.LoginModel

@{
    ViewBag.Title = "Login";
    ViewBag.ReturnUrl = "Index";
}

<h2>Login</h2>

@using (Html.BeginForm("Login", "Login", new { ReturnUrl = ViewBag.ReturnUrl }, FormMethod.Post, new { @class = "form-horizontal", role = "form" }))
{
    @Html.AntiForgeryToken()
    <div class="form-horizontal">
        <h4>Login</h4>
        <hr />
        @Html.ValidationSummary(true, "", new { @class = "text-danger"})
        <div class="form-group">
            @Html.LabelFor(Model => Model.UserName, new { @class = "control-label col-md-2"})
            <div class="col-md-10">
                @Html.TextBoxFor(Model => Model.UserName, new { @class = "col-md-2 control-label"})
                @Html.ValidationMessageFor(Model => Model.UserName, "" , new { @class = "text-danger"})
            </div>
        </div>
        <div class="form-group">
            @Html.LabelFor(Model => Model.Password, new { @class = "control-label col-md-2"})
            <div class="col-md-10">
                @* PasswordFor renders an input of type="password", so the value is masked and not echoed back on a failed post *@
                @Html.PasswordFor(Model => Model.Password, new { @class = "col-md-2 control-label"})
                @Html.ValidationMessageFor(Model => Model.Password, "" , new { @class = "text-danger"})
            </div>
        </div>
        <div class="form-group">
            <input type="submit" value="Log In" class="btn btn-default" />
        </div>
    </div>
}

This is the partial view that is part of every page:

@using Microsoft.AspNet.Identity;

@if (Request.IsAuthenticated)
{
    using (Html.BeginForm("LogOff", "Account", FormMethod.Post, new { id = "logoutForm", @class = "navbar-right" }))
    {
        @Html.AntiForgeryToken()
        <ul class="nav navbar-nav navbar-right">
            <li>@Html.ActionLink("Hello "  + User.Identity.GetUserName() + "!", "Index" , "Manage", routeValues: null, htmlAttributes: new { title = "Manage" } )</li>
        </ul>
    }
}
else
{
    <ul class="nav navbar-nav navbar-right">
        <li>@Html.ActionLink("Register", "Create", "Login", routeValues: null, htmlAttributes: new { id = "registerLink" })</li>
        <li>@Html.ActionLink("Log in", "Login", "Login", routeValues: null, htmlAttributes: new { id = "loginLink" })</li>
    </ul>
}

This is the controller:

public class LoginController : Controller
{
    private LoginContext db = new LoginContext();

    // GET: Login
    [AllowAnonymous]
    public ActionResult Login()
    {
        return View();
    }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model, string returnUrl)
    {

        /* 
        if (!ModelState.IsValid)
        {
            Console.WriteLine("IS NOT VALID");
            return View(model);
        }
       */
        String UserName = model.UserName;
        String Password = model.Password;

        // SingleOrDefault returns null when no row matches; Single would throw instead,
        // so the null check below would never be reached on a bad login.
        LoginModel ValidUser = db.UserList.SingleOrDefault(Person => Person.UserName == UserName && Person.Password == Password);

        if (ValidUser != null)
        {
            return Redirect("Index");
        }
        return View(model);
    }

    // GET: Login Index of users
    [AllowAnonymous]
    public ActionResult Index()
    {
        return View(db.UserList.ToList());
    }
}

The Old Way™

If all you care about is persisting the fact that a user gave you valid credentials, your simplest option is probably FormsAuthentication:

FormsAuthentication.SetAuthCookie(model.UserName, false);

and

FormsAuthentication.SignOut();

These require that the FormsAuthentication module is active, so you would look for a line like this in the web.config:

<remove name="FormsAuthentication" />

and remove it, and either add or update the authentication section:

<authentication mode="Forms">
  <forms loginUrl="~/account/login" timeout="2880" defaultUrl="~/" protection="All" />
</authentication>

With these settings, ASP.NET knows to build the Identity and Principal from the cookie generated by FormsAuthentication.SetAuthCookie.

The Right(ish) Way™

That being said, FormsAuthentication is not the recommended path at this point, both for its reliance on System.Web and the fact that it isn't claims-aware.

You can accomplish a minimum setup using OWIN that does yield a claims-aware Identity. If you started with a newer ASP.NET project template, you should have a Startup.Auth.cs file in the App_Start folder, or you can add one. The minimum code to use cookie-based authentication with OWIN is:

using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            LoginPath = new PathString("/account/login"),
            LogoutPath = new PathString("/account/logout"),
            CookieName = ".YOUR_COOKIE_NAME_HERE",
            SlidingExpiration = true, 
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            AuthenticationMode = AuthenticationMode.Active
        });
    }
}

Then, when you authenticate your user, you do something like:

using System.Collections.Generic;
using System.Security.Claims;
using System.Web;
using Microsoft.AspNet.Identity;

// The authentication type must match the AuthenticationType passed to UseCookieAuthentication,
// otherwise the cookie middleware ignores the identity.
var claims = new List<Claim>();
claims.Add(new Claim(ClaimTypes.Name, model.UserName));

var identity = new ClaimsIdentity(claims, DefaultAuthenticationTypes.ApplicationCookie);
// Issues the application cookie. Inside a Controller, Controller.HttpContext hides
// System.Web.HttpContext, so use HttpContext.GetOwinContext() there instead.
HttpContext.Current.Request.GetOwinContext().Authentication.SignIn(identity);

And to sign out:

HttpContext.Current.Request.GetOwinContext().Authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie);

You will also need to set the following value in your Global.asax file:

using System.Web.Helpers;
using System.Security.Claims;

public class MvcApplication : System.Web.HttpApplication
{
    protected void Application_Start()
    {
        // ... your other startup/registration code ...

        AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Name;
    }
}

Request.IsAuthenticated just checks to see if a non-anonymous Identity has been established on the current request context, so either option noted above will work.

As an aside: you really should not be storing passwords in plain text. When you create your user records, use Crypto.HashPassword to create a salted hash of the password, storing that instead, and then use Crypto.VerifyHashedPassword when checking if the user entered the correct password. You can find the Crypto documentation here.
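Wiring the answer's pieces together (OWIN cookie sign-in with a claims identity, sign-out, Crypto.HashPassword on registration and Crypto.VerifyHashedPassword on login) into the question's LoginController, as an added example that is not code from the question or the answer. It assumes LoginContext is an Entity Framework DbContext, that UserList.Password stores the output of Crypto.HashPassword rather than the plaintext password, that the login view uses @Html.PasswordFor for the password field, and that Startup.ConfigureAuth sets LoginPath to "/login/login" so the cookie middleware redirects to this controller:

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;
using myWebsite.Models;

namespace myWebsite.Controllers
{
    // [Authorize] on the class makes every action require an authenticated user;
    // only actions marked [AllowAnonymous] opt out. With the OWIN cookie middleware
    // (AuthenticationMode.Active), the 401 from an anonymous request to Index becomes
    // a 302 to LoginPath with ReturnUrl set to the page that was requested.
    [Authorize]
    public class LoginController : Controller
    {
        // Assumption: LoginContext is an EF DbContext and UserList.Password holds
        // the salted hash produced by Crypto.HashPassword, never the plaintext.
        private readonly LoginContext db = new LoginContext();

        private IAuthenticationManager AuthenticationManager
        {
            // GetOwinContext() is the System.Web extension from Microsoft.Owin.Host.SystemWeb.
            get { return HttpContext.GetOwinContext().Authentication; }
        }

        // GET: /Login/Login?ReturnUrl=...  (ReturnUrl is appended by the cookie middleware)
        [AllowAnonymous]
        public ActionResult Login(string returnUrl)
        {
            ViewBag.ReturnUrl = returnUrl;
            return View();
        }

        [HttpPost]
        [AllowAnonymous]
        [ValidateAntiForgeryToken]
        public ActionResult Login(LoginModel model, string returnUrl)
        {
            if (!ModelState.IsValid) return View(model);

            // Look the user up by name only; the submitted password never goes into the query.
            LoginModel user = db.UserList.SingleOrDefault(u => u.UserName == model.UserName);

            // VerifyHashedPassword re-derives the hash with the salt embedded in user.Password.
            // The same generic error is returned whether the name or the password was wrong,
            // so the form does not reveal which user names exist.
            if (user == null || !Crypto.VerifyHashedPassword(user.Password, model.Password))
            {
                ModelState.AddModelError("", "Invalid user name or password.");
                return View(model);
            }

            // ClaimTypes.Name is what Global.asax told the anti-forgery system to key on,
            // and the authentication type must match the one given to UseCookieAuthentication.
            var identity = new ClaimsIdentity(
                new List<Claim> { new Claim(ClaimTypes.Name, user.UserName) },
                DefaultAuthenticationTypes.ApplicationCookie);
            // IsPersistent = false: a session cookie that is discarded when the browser closes.
            AuthenticationManager.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);

            // Only follow returnUrl when it stays on this site. Redirecting to an arbitrary
            // absolute URL taken from the request would turn the login into an open redirect.
            if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
            {
                return Redirect(returnUrl);
            }
            return RedirectToAction("Index");
        }

        // POST: /Login/LogOff  (the partial view's logout form should post to this controller)
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult LogOff()
        {
            AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
            return RedirectToAction("Login");
        }

        // POST: /Login/Create  -- registration stores the salted hash, not the password.
        [HttpPost]
        [AllowAnonymous]
        [ValidateAntiForgeryToken]
        public ActionResult Create(LoginModel model)
        {
            if (!ModelState.IsValid) return View(model);
            model.Password = Crypto.HashPassword(model.Password);
            db.UserList.Add(model);
            db.SaveChanges();
            return RedirectToAction("Login");
        }

        // GET: /Login/Index -- no [AllowAnonymous], so only an authenticated user reaches it.
        public ActionResult Index()
        {
            return View(db.UserList.ToList());
        }
    }
}
```

Two details matter for the round trip: the cookie middleware appends ReturnUrl to the login redirect, and Url.IsLocalUrl rejects absolute and protocol-relative values so a crafted login link cannot bounce a freshly authenticated user off-site. Because [Authorize] sits on the class, a new action that forgets [AllowAnonymous] fails closed rather than open, which is the opposite of the posted controller, where Index had to be opened up with [AllowAnonymous] to work at all.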
