
Authorization and authentication in MVC application

I have an internal web app developed in C# using MVC 2. I want to use AD roles/groups to do authorization. Thus I have 3 access groups: Admin, Basic, Readonly. The access to the application will be controlled through these groups.

Now when I hit an action/page of my MVC app, the requirements are:

1) Check level of access (is in either group Admin, Basic or Readonly)

2) If in a group - serve the page. If not - serve the 401 Unauthorized page.

I am probably confusing myself with the concepts authorization/authentication, but this is how it is set up so far (from answers, Google and my own efforts flowing from this question):

using System;
using System.Configuration;
using System.Linq;
using System.Web;
using System.Web.Mvc;

public static class AuthorizationModule
{
    public static bool Authorize(HttpContext httpContext, string roles)
    {
        // Check Configuration.AppSettings for the roles to check
        // (the appSettings entry named by 'roles' holds a comma-separated list of group names)
        string configuredRoles = ConfigurationManager.AppSettings[roles];
        if (string.IsNullOrEmpty(configuredRoles))
        {
            // no configuration for this role set: fail closed
            throw new HttpException(401, "Unauthorized");
        }

        // using httpContext.User check .IsInRole for each role and return true if they are
        foreach (string role in configuredRoles.Split(','))
        {
            if (httpContext.User.IsInRole(role.Trim()))
            {
                return true;
            }
        }

        // otherwise throw new HttpException(401, .....)
        throw new HttpException(401, "Unauthorized");
    }

    // ... (other members omitted)
}

public class AuthorizeByConfigurationAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Essentially at the moment this is pretty much the same as
        // AuthorizationModule.Authorize(HttpContext httpContext, string roles)
        if (httpContext.User == null || !httpContext.User.Identity.IsAuthenticated)
        {
            return false;
        }

        // Roles is the comma-separated list set on the attribute, e.g. "Admin, Basic, Readonly"
        return Roles.Split(',').Any(role => httpContext.User.IsInRole(role.Trim()));
    }
}

// This code from http://paulallen.com.jm/blog/aspnet-mvc-redirect-unauthorized-access-page-401-page
public class RequiresAuthenticationAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            // authenticated but not in an allowed role: show the AccessDenied view
            filterContext.Result = new ViewResult { ViewName = "AccessDenied" };
        }
        else
        {
            // not authenticated: default behaviour (401 challenge)
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}

The problems with this are that I seem to need to decorate my action methods twice now, a la:

[AuthorizeByConfiguration(Roles = "Admin, Basic, Readonly")]
[RequiresAuthentication(Roles = "Admin, Basic, Readonly")]
public ActionResult Index(string msg)
{
    ...
}

And the next problem is that it seems I have three separate methods all trying to do the same thing. I am overriding methods based on advice and not entirely sure how they were meant to work originally. How could I go about implementing my requirements?

Edit: Since this is an intranet app, all users who sign on with their network accounts will be able to access this app. I need to restrict the access so that only those who belong to certain Active Directory security groups can access this app.

I have wrapped all the methods concerning auth with the interface IAuthorization.

Here is an example custom attribute; you would need to add the Roles property and your own implementation.

The attribute calls the filter itself for testability reasons.

using System.Security.Principal;
using System.Web.Mvc;
using System.Web.Routing;

// Abstraction over the current user so the filter can be unit tested
// (minimal declaration inferred from its use below)
public interface IAuthorization
{
    IIdentity GetCurrentUserIdentity();
}

public class SomeAuthorizeAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        // DependencyLookup is the application's service locator; the attribute only
        // delegates to the filter so the filter can be tested with a fake IAuthorization
        var filter = new SomeAuthorizeFilter(DependencyLookup.Resolve<IAuthorization>());
        filter.OnAuthorization(filterContext);
    }
}

public class SomeAuthorizeFilter : IAuthorizationFilter
{
    private readonly IAuthorization _authorization;

    public SomeAuthorizeFilter(IAuthorization authorization)
    {
        _authorization = authorization;
    }

    protected virtual ActionResult ResultWhenNotAuthenticated(AuthorizationContext filterContext)
    {
        //snip..

        //default: send unauthenticated users to Home/Index
        RouteValueDictionary redirectTargetDictionary = new RouteValueDictionary
        {
            { "action", "Index" },
            { "controller", "Home" }
        };
        return new RedirectToRouteResult(redirectTargetDictionary);
    }

    #region IAuthorizationFilter Members

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        // Setting filterContext.Result short-circuits the action
        if (!_authorization.GetCurrentUserIdentity().IsAuthenticated)
        {
            filterContext.Result = ResultWhenNotAuthenticated(filterContext);
        }
    }

    #endregion
}
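Added example, not code from the question or the answer above: a single AuthorizeAttribute subclass that covers both requirements in the question (group membership check plus an AccessDenied view for signed-in users who are in no allowed group, while unauthenticated users still get the default 401 challenge), so an action needs only one attribute. The appSettings key names Roles.Admin, Roles.Basic and Roles.Readonly, and the AccessDenied view name, are assumptions.

```csharp
using System.Configuration;
using System.Linq;
using System.Net;
using System.Web;
using System.Web.Mvc;

// Usage on an action: [AdGroupAuthorize("Admin", "Basic", "Readonly")]
// Each logical role is mapped to an AD group name read from web.config,
// e.g. <add key="Roles.Admin" value="DOMAIN\App-Admins" /> (assumed key layout).
public class AdGroupAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string[] _roleKeys;

    public AdGroupAuthorizeAttribute(params string[] roleKeys)
    {
        _roleKeys = roleKeys ?? new string[0];
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var user = httpContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
        {
            return false; // unauthenticated: handled below with a 401
        }

        // A role key with no configured group is skipped, so a missing or
        // mistyped appSettings entry denies access rather than granting it.
        return _roleKeys
            .Select(key => ConfigurationManager.AppSettings["Roles." + key])
            .Where(group => !string.IsNullOrEmpty(group))
            .Any(group => user.IsInRole(group));
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            // Known user outside the allowed groups: 403 with the AccessDenied
            // view, so the browser does not re-prompt for credentials.
            filterContext.HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
            filterContext.Result = new ViewResult { ViewName = "AccessDenied" };
        }
        else
        {
            base.HandleUnauthorizedRequest(filterContext); // default 401 challenge
        }
    }
}
```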
