简体繁体 English

多层体系结构中的身份验证

[英]Authentication in a multi layer architecture

原文 2011-09-27 15:16:48 0 4 c#/ .net/ asp.net-mvc/ architecture/ asp.net-membership

I am designing an N-Layer system in .NET that will consist of 我正在设计一个由.NET组成的N层系统

SQL Server 2008 SQL Server 2008
EF 4 EF 4
Repository Layer 存储库层
Service Layer(Business Logic) 服务层（业务逻辑）

On top of this I will have: 除此之外，我将：

ASP.NET MVC website ASP.NET MVC网站
external API to be consumed by other clients(built with WCF or ServceStack.NET) 其他客户端使用的外部API（使用WCF或ServceStack.NET构建）

I would like to implement the typical username/password auth within the MVC app as well as OpenID/twitter/facebook login options 我想在MVC应用程序中实现典型的用户名/密码auth以及OpenID / twitter / facebook登录选项

The api will need similar forms of authentication. api需要类似的身份验证形式。

Where in the architecture is the best place to implement the authentication and are any samples available of how to implement something like this with a .NET Stack? 在架构中哪里是实现身份验证的最佳位置，以及如何使用.NET堆栈实现类似的任何示例？

Is a custom Membership provider an option for this? 自定义成员资格提供程序是一个选项吗？

I realize that there are libraries available to implement the openID portion so that is not a concern at the moment but I would like to leave things open to add this in the future. 我意识到有一些库可用于实现openID部分，所以目前不是一个问题，但我想留待未来添加它。

Suggestions? 建议？

4 个解决方案

Authentication should be done at the user facing point: MVC website and the WCF service. 身份验证应该在面向用户的点上完成：MVC网站和WCF服务。

In each point, use the appropriate authentication/authorization mechanism. 在每个点中，使用适当的身份验证/授权机制。

MVC website : forms authentication (or windows authentication etc.) MVC网站 ：表单身份验证（或Windows身份验证等）

WCF service : (what method will you be taking, API key, user/name password on every request, secure key, auth cookie etc.) WCF服务 :(您将采用什么方法，API密钥，每个请求的用户/名称密码，安全密钥，身份验证cookie等）

For each point, call the service layer with the credentials used by the requestor (user) and validate it against your database (in the service layer). 对于每个点，使用请求者（用户）使用的凭据调用服务层，并针对您的数据库（在服务层中）对其进行验证。

The service layer should return valid/invalid for the credentials given to it. 服务层应该为给定的凭据返回有效/无效。

If it's invalid , have your website or webservice reject any further actions from the user and inform them that it's not valid. 如果它无效，请让您的网站或网络服务拒绝用户的任何进一步操作，并通知他们该操作无效。

If it's valid , have your MVC website create the auth cookie ( FormsAuthentication.SetAuthCookie ) and your WCF service do the appropriate action for the authentication mechanism you chose. 如果它有效，请让您的MVC网站创建auth cookie（ FormsAuthentication.SetAuthCookie ），并且您的WCF服务对您选择的身份验证机制执行适当的操作。

Keep your service layer agnostic of the authentication. 使您的服务层与身份验证无关。 It should only respond with whether or not a set of credentials is valid and your front-facing layers should take care of setting the authentication tickets. 它只应响应一组凭据是否有效，并且您的前置层应该负责设置身份验证票证。

For Open ID/Twitter/Facebook logins, all the information needed is on the web app (via the login source cookies), so use that to setup your website's auth cookie. 对于Open ID / Twitter / Facebook登录，所需的所有信息都在Web应用程序上（通过登录源cookie），因此使用它来设置您的网站的auth cookie。

A basic architecture would be to use the asp.net membership api for your service and web apps calling into the same membership database. 一个基本架构是使用asp.net成员资格api为您的服务和Web应用程序调用相同的成员资格数据库。 Then use an impersonated user to connect to SQL Server. 然后使用模拟用户连接到SQL Server。

You can then write custom membership providers for the other auth mechanisms or incorporate them all into one membership provider. 然后，您可以为其他身份验证机制编写自定义成员资格提供程序，或将它们全部合并到一个成员资

Sorry had to write this as another answer as didn't have enough space in the comments. 很抱歉不得不写这个作为另一个答案，因为评论中没有足够的空间。

Configure the membership provider at the IIS level and use the OOTB SQL membership provider to get basic authentication working. 在IIS级别配置成员资格提供程序，并使用OOTB SQL成员资格提供程序来使基本身份验证正常工作。

You can then write a custom membership the repository layer will be running in the context of the web application either web service or asp.net site so your authentication information will be in the httpcontext, you can then use that to connect through to your database or use an impersonated account ie the app pool user to connect instead. 然后，您可以在Web应用程序的Web服务或asp.net站点的上下文中编写存储库层的自定义成员资格，以便您的身份验证信息位于httpcontext中，然后您可以使用它来连接到您的数据库或使用模拟帐户，即应用程序池用户来连接。

You can then write a custom membership provider that authenticates against the other providers if you like and just swap out the standard SQL one for your custom one. 然后，您可以编写一个自定义成员资格提供程序，如果您愿意，可以针对其他提供程序进行身份验证，并将标准SQL替换为自定义提供程序。

As an addition to Omar's answer : 作为奥马尔答案的补充：

You could also use a Facade Pattern which handles the authorization and is used by both the WCF and MVC code and provides the API to the business layer. 您还可以使用处理授权的Facade Pattern ，并由WCF和MVC代码使用，并为业务层提供API。

A rule of thumb is: Put authorization at one single point and let the auth-logic be handled by the client(s). 经验法则是：将授权放在一个单一点上，让客户端处理auth逻辑。 Don't spread it over your service layer! 不要将其传播到服务层！