
Forms Authentication cross Windows Authentication

I have a website that I am working on that has both an intranet and an internet deployment. The only difference between the two is a couple of config settings.

The internet version works fine, as it just uses forms authentication (which is defined in its web.config) and, if not logged in, the user is directed to a login page.

The intranet version is a little trickier... when a user first comes to the site the HttpContext principal object is set correctly with a WindowsPrincipal, but using that information I confirm that the user is allowed access to the app and then I create my own IPrincipal instance.

Given this, there are a couple of things I want to do here... I want to use the WindowsPrincipal object as a basis for authenticating the user, but then from that point forward use forms authentication (i.e. using a cookie to store the auth details etc.). I also need the instance of the principal that I retrieve from the HTTP context to be of my IPrincipal type.

How am I best to go about doing this? Should I look to the global.asax's Session_Start to perform the auth logic and then somehow get it to store my custom IPrincipal (so that for any request after that point the instance is my custom principal), or am I best doing something with Application_AuthenticateRequest?

Cheers, Anthony

Avoid the session object for this. Application_AuthenticateRequest is where you want to be. In there, you can take the WindowsPrincipal, and then go to the database to populate your own custom IPrincipal-implementing object. This means that Application_AuthenticateRequest gets called a lot, though, so in my apps, I tend to cache the role data for at least a few seconds to cut down on database round trips. This also works with Forms authentication. The only difference between the two methods is that in the Forms scenario, you get a GenericPrincipal from the Forms auth module, and you'd use that to retrieve your own custom principal object instead of the WindowsPrincipal.

Another upshot of setting HttpContext.Current.User in Application_AuthenticateRequest is that, unlike if you put your principal in the Session object, you can use declarative security, such as decorating your methods with PrincipalPermissionAttribute.
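The pattern the answer describes, written out as an added example (this is not code from the question or the answer): an `Application_AuthenticateRequest` handler that accepts whichever authenticated principal the platform module produced (a `WindowsPrincipal` on the intranet deployment, a `GenericPrincipal` wrapping a `FormsIdentity` on the internet one), looks up the application's own roles for that account with a short-lived cache in front of the lookup, and replaces `HttpContext.Current.User` with a custom `IPrincipal`. The `AppPrincipal` class, the `LoadRolesFromDatabase` method and its in-memory stand-in for the real database are all hypothetical names constructed for this example; the `System.Web` and `System.Runtime.Caching` calls are the real .NET Framework APIs.

```csharp
// Added example; assumes ASP.NET on .NET Framework (System.Web, Global.asax.cs).
using System;
using System.Collections.Generic;
using System.Runtime.Caching;
using System.Security.Principal;
using System.Threading;
using System.Web;

namespace IntranetSample
{
    // Custom principal: keeps the identity the auth module produced (WindowsIdentity or
    // FormsIdentity) and carries the application's own roles, so IsInRole and
    // [PrincipalPermission(SecurityAction.Demand, Role = "...")] are answered from app data.
    public sealed class AppPrincipal : IPrincipal
    {
        private readonly HashSet<string> _roles;

        public AppPrincipal(IIdentity identity, IEnumerable<string> roles)
        {
            Identity = identity ?? throw new ArgumentNullException(nameof(identity));
            _roles = new HashSet<string>(roles, StringComparer.OrdinalIgnoreCase);
        }

        public IIdentity Identity { get; }

        public bool IsInRole(string role) => _roles.Contains(role);
    }

    public class Global : HttpApplication
    {
        // Application_AuthenticateRequest runs on every request, so role data is cached for a
        // few seconds per account name to cut down on database round trips.
        private static readonly MemoryCache RoleCache = MemoryCache.Default;
        private static readonly TimeSpan RoleCacheTtl = TimeSpan.FromSeconds(30);

        protected void Application_AuthenticateRequest(object sender, EventArgs e)
        {
            IPrincipal current = HttpContext.Current.User;

            // Anonymous request: nothing to replace. With Forms auth the module will redirect the
            // user to the login page on its own; with Windows auth IIS has already challenged.
            if (current == null || current.Identity == null || !current.Identity.IsAuthenticated)
                return;

            // Already swapped on this request; don't repeat the lookup.
            if (current is AppPrincipal)
                return;

            // Intranet: WindowsPrincipal (Name is DOMAIN\user). Internet: GenericPrincipal with a
            // FormsIdentity (Name is the value passed to FormsAuthentication.SetAuthCookie).
            // Either way the authenticated Name is the key for the application's own user table.
            string accountName = current.Identity.Name;
            if (string.IsNullOrEmpty(accountName))
                return;

            string[] roles = GetRolesCached(accountName);
            if (roles == null)
            {
                // Authenticated by the platform but not a known user of this application:
                // fail closed rather than leaving the platform principal in place.
                HttpContext.Current.Response.StatusCode = 403;
                CompleteRequest();
                return;
            }

            var principal = new AppPrincipal(current.Identity, roles);
            HttpContext.Current.User = principal;
            // PrincipalPermissionAttribute demands check Thread.CurrentPrincipal, so set it too.
            Thread.CurrentPrincipal = principal;
        }

        private static string[] GetRolesCached(string accountName)
        {
            string key = "roles:" + accountName;
            if (RoleCache.Get(key) is string[] cached)
                return cached;

            string[] roles = LoadRolesFromDatabase(accountName);
            // Only known users are cached; unknown accounts are re-checked on each request.
            if (roles != null)
                RoleCache.Set(key, roles, DateTimeOffset.UtcNow.Add(RoleCacheTtl));
            return roles;
        }

        // Hypothetical lookup standing in for the real database query. Returns null when the
        // account is not an application user. The dictionary below is constructed sample data.
        private static readonly Dictionary<string, string[]> SampleUserTable =
            new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
            {
                { @"CORP\anthony", new[] { "Editor", "Viewer" } },
                { "anthony@example.com", new[] { "Viewer" } },
            };

        private static string[] LoadRolesFromDatabase(string accountName)
        {
            return SampleUserTable.TryGetValue(accountName, out string[] roles) ? roles : null;
        }
    }
}
```

The same handler serves both deployments because it never inspects the concrete principal type; only the web.config `<authentication mode="Windows">` versus `<authentication mode="Forms">` setting differs, which matches the "couple of config settings" the question describes. Keep the cache TTL short: a role revoked in the database stays effective for up to one TTL per server.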

