[英]Custom IPrincipal with Forms Authentication in ASP.NET MVC
This should be simple, but I simply cannot figure it out after all my googling. 这应该很简单,但在我所有的谷歌搜索之后我根本想不出来。 Here's what I want. 这就是我想要的。 I have a custom Users table (no roles at the moment) that I'd like to authorize against. 我有一个我想要授权的自定义用户表(目前没有角色)。 For this I'll have to implement a custom Membership Provider which I've already done. 为此,我必须实现我已经完成的自定义成员资格提供程序。 My question is though, how do I go about setting a custom IPrincipal to the HttpContext.Current.User? 我的问题是,如何设置自定义IPrincipal到HttpContext.Current.User? Where should that happen? 应该在哪里发生? Let's say I have the following setup: 假设我有以下设置:
public class CustomMembershipProvider : MembershipProvider
{
private IUserRepository _repository;
public CustomMembershipProvider(IUserRepository repository)
{
_repository = repository;
}
public override bool ValidateUser(string username, string password)
{
//check user repository
}
//additional methods omitted for brevity
}
I then have a custom user class the implements IPrincipal
and IIdentity
然后我有一个自定义用户类,实现IPrincipal
和IIdentity
public class CustomUser : IPrincipal
{
public CustomUser(string name, int userId, string additionalInfo)
{
Identity = new CustomIdentity(name, userId, additionalInfo);
}
public IIdentity Identity { get; private set; }
public bool IsInRole(string role)
{
return true;
}
}
public class CustomIdentity : IIdentity
{
public CustomIdentity(string name, int userId, string additionalInfo)
{
Name = name;
UserId = userId;
AdditionalInfo = additionalInfo;
}
public string Name { get; private set; }
public string AuthenticationType
{
get { return "CustomAuth"; }
}
public bool IsAuthenticated
{
get { return !String.IsNullOrEmpty(Name); }
}
public int UserId { get; private set; }
public string AdditionalInfo { get; private set; }
}
So my question is, where is the correct place to set the Context.User to an instance of this custom user? 所以我的问题是,将Context.User设置为此自定义用户的实例的正确位置在哪里? Do I need a custom Authorize Attribute? 我需要自定义授权属性吗? If so, what would that look like? 如果是这样,那会是什么样子?
I suggest using a custom controller base class for all your controllers 我建议为所有控制器使用自定义控制器基类
Then, in OnAuthorization
, call 然后,在OnAuthorization
,调用
protected override void OnAuthorization(System.Web.Mvc.AuthorizationContext filterContext)
{
// Actual Authentication
HttpContext.User = user;
Thread.CurrentPrincipal = user;
base.OnAuthorization(filterContext);
}
I'm not entirely sure how to invoke the membership provider because I'm doing it manuallt, but I think you have static access to Membership.Provider
to perform the actual object construction. 我不完全确定如何调用成员资格提供程序,因为我正在进行manuallt,但我认为您可以静态访问Membership.Provider
来执行实际的对象构造。
Do I need a custom Authorize Attribute? 我需要自定义授权属性吗?
No. Notice the difference of authentication and authorization: authentication establishes the user's identity in your system. 请注意,身份验证和授权的区别在于:身份验证可在系统中建立用户身份。 Authorization allows or denies a specific request. 授权允许或拒绝特定请求。 Hence, AuthorizeAttribute
also has a Roles
parameter to allow an action to be called only by certain users. 因此, AuthorizeAttribute
还具有Roles
参数,以允许仅由特定用户调用操作。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.