ABP 框架中的集成 Windows 身份验证

Question

I'm attempting to use ABP with Windows Authentication rather than Table-based authentication.

The plan is to have the framework:

1. Detect that the website is in a Windows security context and bypass the login page.
2. Then associate Windows Identity/Roles and use those to map the Roles/Permissions defined in the database.

I did not see anything in the documentation regarding this Windows-integrated approach.

If anyone has done this previously, I appreciate any tips.

I think my best bet would be to use Policy-based authorization. So where the controllers currently use ABP auth attributes, I'll revert back to the normal ASP.NET ones.

eg [Authorize(Policy = "MyAppAdmin")]

Answer 1

To login the user thru official AspNet Boilerplate API (to have roles and other stuffs) you can use external authentication. It is exactly what you are looking for;

https://aspnetboilerplate.com/Pages/Documents/Zero/User-Management#external-authentication

Answer 2

in the spirit of sharing here is how i managed to circumvent the use of the login screen for a Window Authenticated context.

1. make the Login panel hidden and set some dummy data on the username/password controls (the dummy data is not actually used).

2. in the js file run the login action immediately (no user interaction)

    abp.ajax({ contentType: 'application/x-www-form-urlencoded', url: $loginForm.attr('action'), data: $loginForm.serialize() });

3. In the AccountController:

    var windowsIdentity = WindowsIdentity.GetCurrent(); loginModel.UsernameOrEmailAddress = windowsIdentity.Name; var count = (from x in windowsIdentity.Claims where x.Value == "myclaim" select x).Count(); if (count == 0) { throw _abpLoginResultTypeHelper.CreateExceptionForFailedLoginAttempt(AbpLoginResultType.InvalidUserNameOrEmailAddress, loginModel.UsernameOrEmailAddress, null); }

4. Create an ExternalAuthSource as described in the answer above. We will always return true becuase the real authentication is already done.

    public override Task<bool> TryAuthenticateAsync(string userNameOrEmailAddress, string plainPassword, Tenant tenant) { return Task.FromResult(true); }

   It has the added advantage that the authenticated user is created by the ABP Framework automatically. The Role the new user is assigned depends on the which role is the Default - see Table AbpUserRoles .

Hopefully this helps somebody trying to use the framework in a Windows-Authenticated context.

Answer 3

I tried to do what John suggested, but I had to make a few changes, so this is how I did it.

"angular\\src\\account\\login\\login.component.ts"

class LoginComponent {    
  ngOnInit() {
    this.loginService.authenticateModel.userNameOrEmailAddress = 'foo';
    this.loginService.authenticateModel.password = 'bar';
    this.login();
  }
}

"aspnet-core\\src\\ProjectName.Core\\Authentication\\AlwaysTrue\\AlwaysTrueExternalAuthSource.cs"

public class AlwaysTrueExternalAuthSource: DefaultExternalAuthenticationSource<Tenant, User>, ITransientDependency
{
  public override string Name => "AlwaysTrueExternalAuthSource";

  public override Task<bool> TryAuthenticateAsync(string userNameOrEmailAddress, string plainPassword, Tenant tenant)
  {
    return Task.FromResult(true);
  }
}

"aspnet-core\\src\\ProjectName.Core\\ProjectNameCoreModule.cs"

public class ProjectNameCoreModule : AbpModule
{
  public override void PreInitialize()
  {
    Configuration.Modules.Zero().UserManagement.ExternalAuthenticationSources.Add<AlwaysTrueExternalAuthSource>();
  }
}

"aspnet-core\\src\\ProjectName.Web.Core\\Controllers\\TokenAuthController.cs"

public class TokenAuthController : ProjectNameControllerBase
{
  [HttpPost]
  public async Task<AuthenticateResultModel> Authenticate([FromBody] AuthenticateModel model)
  {
    var windowsIdentity = WindowsIdentity.GetCurrent();
    model.UserNameOrEmailAddress = windowsIdentity.Name.ToLowerInvariant().Replace("\\","");

    var loginResult = await GetLoginResultAsync(...)
  }
}