如何在没有身份的asp.net MVC中实现自定义身份验证/授权?
[英]How can I implement custom authentication/authorization in asp.net MVC without Identity?
问题描述
I am working on a asp.net MVC 5-solution where I now need to implement authentication and authorization. 
我正在研究一个asp.net MVC 5解决方案,现在我需要实现身份验证和授权。 The solution has a external service managing the "Heavy work" that will take the username and password on every request, and on successfull verification send back a token with the users permissions(roles) which should be matched against Attributes in the controller. 该解决方案具有管理“繁重工作”的外部服务,该服务将在每个请求中使用用户名和密码,并在成功验证后发送回带有用户权限(角色)的令牌,该令牌应与控制器中的属性相匹配。
A request to the external service should be made on every request to my solution. 对我的解决方案的每个请求都应向外部服务请求。 How can I implement this in a simple way in my exising asp.net MVC 5-solution? 如何在现有的asp.net MVC 5解决方案中以简单的方式实现此目的? I have looked at Identity and Owin but they feel overly bloated for what Im trying to achieve. 我看过Identity和Owin,但他们为Im试图实现的目标感到feel肿。 I've also found some info about Forms auth, but it seems to be deprecated? 我还找到了有关Forms auth的一些信息,但似乎已弃用?
The workflow I have tried with is something like this: 我尝试过的工作流程是这样的:
A user request a controller. 用户请求控制器。 The controller is marked with an attribute like "Require(Roles="IT")". 控制器标记有“ Require(Roles =“ IT”)“之类的属性。 I implement the IauthenticationFilter and call my service in the OnAuthentication to verify the users request. 我实现IauthenticationFilter并在OnAuthentication中调用我的服务以验证用户的请求。 From the return I will verify that the user is in fact who he says he is and also if he is permitted to enter the said action on said controller. 从返回中,我将验证用户实际上是他说的是谁,以及是否允许他在所述控制器上输入所述动作。
Any input is appreciated as I'm having a hard time finding solid info on how to implement a custom auth-solution. 任何输入都值得赞赏,因为我很难找到有关如何实现自定义身份验证解决方案的可靠信息。 Is there any best practice? 有没有最佳做法?
Thanks! 谢谢!
1 个解决方案
解决方案1
3 2017-10-13 10:10:05
MVC builds upon ASP.NET's interfaces IPrincipal and IIdentity . MVC基于ASP.NET的接口IPrincipal和IIdentity 。 If you implement these interfaces, you can tap into the existing [Authorize] / [AllowAnonymous] attribute functionality of MVC and only extend it if you need some functionality other than users/roles. 如果实现这些接口,则可以利用MVC的现有[Authorize] / [AllowAnonymous]属性功能,仅在需要除用户/角色之外的其他功能时才扩展它。
I won't repeat the implementation here - there are several posts about how to properly implement these interfaces (which should be set in the Application_PostAuthenticateRequest event in ASP.NET/MVC). 我不会在这里重复实现-关于如何正确实现这些接口的几篇文章(应该在ASP.NET/MVC的Application_PostAuthenticateRequest事件中设置)。
- ASP.NET MVC - Set custom IIdentity or IPrincipal ASP.NET MVC-设置自定义IIdentity或IPrincipal
- ASP.NET MVC - Custom IIdentity or IPrincipal with Windows Authentication ASP.NET MVC-具有Windows身份验证的自定义IIdentity或IPrincipal
- Implementing IPrincipal and IIdentity in MVC with use of custom membership and role provider 使用自定义成员身份和角色提供程序在MVC中实现IPrincipal和IIdentity
- using custom IPrincipal and IIdentity in MVC3 在MVC3中使用自定义IPrincipal和IIdentity
- IdentityReboot - open source example of custom security provider IdentityReboot-自定义安全提供程序的开源示例
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.