
How does the [Authorize] attribute know that the user is authenticated in ASP.NET MVC? Is it by using an authentication token?

I would like to know how the [Authorize] attribute recognizes that a user is authenticated.

If the user is valid then we call the FormsAuthentication.SetAuthCookie() method, and as per MSDN this method:

Creates an authentication ticket for the supplied user name and adds it to the cookies collection of the response, or to the URL if you are using cookieless authentication.

Does the [Authorize] attribute check the authentication ticket or the cookies collection?

[Authorize] does not deal with any authentication mechanism itself. It merely looks in the user's IIdentity for the IsAuthenticated flag. It will also look in the user's IsMemberOf method, for authorization based on roles.

All the work to decode the authentication ticket is done in the early stages of the app pipeline, which sets those flags. By the time the Authorization Attribute methods are called, all that work has already been done and is stored in the user's runtime data.

You can easily check the source code for the Authorize attribute, and you will see that it's quite simple in nature. It just returns true or false based on some simple lookups.

It's become more complicated in .NET Core, where it's based on policies and whatnot, but the original MVC implementation was quite simple.
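As an added illustration (not code from the question, the answer above, or the framework), here is a console program re-creating the lookup the answer describes: nothing parses a ticket or reads a cookie, the decision comes purely from the principal the pipeline has already attached. The SimpleAuthorizeCheck class and the constructed principals are hypothetical; the role check uses the standard IPrincipal.IsInRole method.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Security.Principal;

// Hypothetical re-creation of the decision classic MVC's AuthorizeAttribute makes.
// It never touches a cookie or ticket: it only inspects the principal that the
// authentication stage of the pipeline has already attached to the request.
public sealed class SimpleAuthorizeCheck
{
    private readonly string[] _users;
    private readonly string[] _roles;
    public SimpleAuthorizeCheck(string users = "", string roles = "")
    {
        _users = Split(users);
        _roles = Split(roles);
    }
    private static string[] Split(string csv) =>
        csv.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
           .Select(s => s.Trim()).ToArray();
    // Order of checks: authenticated at all? then the optional user list, then the optional roles.
    public bool IsAuthorized(IPrincipal user)
    {
        if (user?.Identity == null || !user.Identity.IsAuthenticated)
            return false;                                   // would become a 401 challenge
        if (_users.Length > 0 && !_users.Contains(user.Identity.Name, StringComparer.OrdinalIgnoreCase))
            return false;
        if (_roles.Length > 0 && !_roles.Any(user.IsInRole))  // standard IPrincipal.IsInRole
            return false;
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed principals standing in for what a decoded ticket would produce.
        // A ClaimsIdentity without an authentication type reports IsAuthenticated == false.
        var anonymous = new ClaimsPrincipal(new ClaimsIdentity());
        var alice = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, "alice"), new Claim(ClaimTypes.Role, "Admin") },
            "Forms"));
        Console.WriteLine(new SimpleAuthorizeCheck().IsAuthorized(anonymous));
        Console.WriteLine(new SimpleAuthorizeCheck().IsAuthorized(alice));
        Console.WriteLine(new SimpleAuthorizeCheck(roles: "Admin").IsAuthorized(alice));
        Console.WriteLine(new SimpleAuthorizeCheck(roles: "Editor").IsAuthorized(alice));
    }
}
```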

My answer relates to ASP.NET Core. I'm not sure if you asked about classic ASP.NET, but this should be similar.

There's a middleware that you have to add for [Authorize] to work. ASP.NET Core provides this middleware out of the box, and you can add your custom authentication handlers too.

You can check how it's implemented by reading: https://github.com/aspnet/Security/tree/dev/src

For example, if you want to use JWT bearer authentication, you have to add the JWT bearer middleware; this is simply an extension of AuthenticationBuilder: https://github.com/aspnet/Security/blob/dev/src/Microsoft.AspNetCore.Authentication.JwtBearer/JwtBearerExtensions.cs which calls AddScheme under the hood.

If you want to use cookie-based authentication, you just call AddCookie, which is also an extension that calls AddScheme under the hood: https://github.com/aspnet/Security/blob/dev/src/Microsoft.AspNetCore.Authentication.Cookies/CookieExtensions.cs

Usage of it is documented here: https://docs.microsoft.com/en-us/aspnet/core/migration/1x-to-2x/identity-2x?view=aspnetcore-2.1

See also Using the [Authorize] Attribute:

Web API provides a built-in authorization filter, AuthorizeAttribute. This filter checks whether the user is authenticated. If not, it returns HTTP status code 401 (Unauthorized), without invoking the action.

If you are interested in how this filter works under the hood you can check it here.

You must be authenticated before you can be authorized; this is the logic responsible for it: https://github.com/aspnet/Security/blob/644f34e90d35b369efdce9c11ab1db42e0a7f4a7/src/Microsoft.AspNetCore.Authorization.Policy/PolicyEvaluator.cs#L91

In summary:

how [Authorize] attribute knows that this user is authenticated.

The Authorize attribute alone doesn't know if this user is authenticated. This is handled by the authentication middleware and depends strictly on the scheme it tries to authenticate with. It simply tries to authenticate with the schemes you have added (cookie, JWT, etc.) by calling HttpContext.AuthenticateAsync, which is simply calling AuthenticationService.AuthenticateAsync under the hood, and sets HttpContext.User from the resulting ClaimsPrincipal, which is simply the result from the scheme handler, like the JWT handler for instance. I think this should give you a more in-depth idea of how this works.

Generally, if you're starting a new project I don't recommend using classic ASP.NET; prepare for the future with .NET Core, as everything is now going in this direction. ASP.NET 5 (I also refer to it as "classic") is pretty much dead now.
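An added configuration example (not from the answer or the aspnet/Security repository) showing the registration the answer describes and the pipeline order that makes it work: the Add* calls register scheme handlers, UseAuthentication runs the default handler and sets HttpContext.User, and only then does [Authorize] inspect that principal. The issuer, audience and signing key are placeholders, and the Microsoft.AspNetCore.Authentication.JwtBearer package is assumed.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;
using System.Text;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        // Each Add* call below is an AuthenticationBuilder extension that ends in AddScheme.
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.Cookie.HttpOnly = true;   // keep the ticket cookie out of reach of scripts
            })
            .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidIssuer = "https://issuer.example",      // placeholder
                    ValidAudience = "api.example",               // placeholder
                    IssuerSigningKey = new SymmetricSecurityKey(
                        Encoding.UTF8.GetBytes("PLACEHOLDER-KEY-REPLACE-WITH-A-32-BYTE-SECRET")),
                };
            });
        services.AddAuthorization();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // default scheme's handler runs, HttpContext.User is set here
        app.UseAuthorization();    // [Authorize] only inspects that principal (and policies)
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

[ApiController]
public class ProfileController : ControllerBase
{
    [HttpGet("/me"), Authorize]   // default (cookie) scheme decides who User is
    public IActionResult Me() => Ok(User.Identity?.Name);
    [HttpGet("/api/me"), Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
    public IActionResult ApiMe() => Ok(User.Identity?.Name);   // bearer handler is run instead
}
```

If UseAuthentication is omitted or placed after UseAuthorization, HttpContext.User stays anonymous and every [Authorize] endpoint challenges, regardless of a valid cookie or token on the request.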
