ASP.NET MVC 3自定义身份验证/授权
[英]ASP.NET MVC 3 Custom Authentication/Authorization
问题描述
I have searched all over the internet and SO, and I have found some good stuff on this topic, but I have a few questions that I am still unsure about: 
我在互联网上搜索过,所以我在这个主题上找到了一些好东西,但是我还有一些问题,我仍然不确定:
1) I am using Forms Authentication with a custom Authentication provider. 1)我正在使用自定义身份验证提供程序的表单身份验证。 So I use the Authorize attribute and the section in the web.config still, but basically when the FormsAuthenticationTicket does not exist, I redirect to a login page (specified in the web.config) which then utilizes the custom Authentication Provider to auth the user against a db and then issues the FormsAuthenticationTicket . 所以我仍然使用Authorize属性和web.config中的部分,但基本上当FormsAuthenticationTicket不存在时,我重定向到登录页面(在web.config中指定),然后利用自定义身份验证提供程序来授权用户对数据库然后发出FormsAuthenticationTicket 。 Is this correct? 这个对吗?
2) Should I be using a custom Authorize attribute or should I just inject a GenericPrincipal into the HttpContext from the Application_AuthenticateRequest event handler in the global.asax page? 2)我应该使用自定义Authorize属性还是应该从Global.asax页面中的Application_AuthenticateRequest事件处理程序中将GenericPrincipal注入HttpContext ? Or should I be using User.IsInRole insode of the controller actions? 或者我应该使用控制器操作的User.IsInRole insode?
I just need role based authorization, and I think my Authentication Scheme is pretty good. 我只需要基于角色的授权,我认为我的身份验证方案非常好。
Any pointers/advice? 任何指针/建议?
Thanks, Sam 谢谢,山姆
Edit 编辑
So from what I have read, the best option for this is to create a custom AuthorizeAttribute and override the AuthorizeCore . 因此,根据我的阅读,最好的选择是创建自定义AuthorizeAttribute并覆盖AuthorizeCore 。
So what I have done is this: 所以我做的是这样的:
public class CustomAuthorize : System.Web.Mvc.AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (httpContext.User.Identity.IsAuthenticated)
{
var model = AdminUserViewModel.FromJsonString(((FormsIdentity)httpContext.User.Identity).Ticket.UserData);
httpContext.User = new GenericPrincipal(HttpContext.Current.User.Identity, model.SecurityGroups.Select(x => x.Name).ToArray());
}
return base.AuthorizeCore(httpContext);
}
protected override void HandleUnauthorizedRequest(System.Web.Mvc.AuthorizationContext filterContext)
{
//base.HandleUnauthorizedRequest(filterContext);
filterContext.Result = new System.Web.Mvc.RedirectResult("/Authentication/NotAuthorized", false);
}
}
Simply inject a new principal/identity with the roles that are stored in the FormsAuthenticationTicket UserData property. 只需使用存储在FormsAuthenticationTicket UserData属性中的角色注入新的主体/标识。 Then let the base do the rest. 然后让基地完成剩下的工作。
Does this seem to be OK? 这看起来好吗?
Edit #2 编辑#2
I am a little weary of using the Application_AuthenticateRequest in the global.asax with IIS7, because of the integrated pipeline, every request fires that event, images, css, js... 我对使用IIS7的global.asax中的Application_AuthenticateRequest感到有点厌倦,因为集成管道,每个请求都会触发该事件,图像,css,js ......
Is this correct? 这个对吗?
1 个解决方案
解决方案1
4 已采纳 2011-10-10 20:38:32
1) I do the same thing. 1)我做同样的事情。
2) I use Authorize attribute and Application_AuthenticateRequest event handler. 2)我使用Authorize属性和Application_AuthenticateRequest事件处理程序。
In Application_AuthenticateRequest event handler I do something like this: 在Application_AuthenticateRequest事件处理程序中,我执行以下操作:
string[] roles = authenticationTicket.UserData.Split(',');
if (Context.User != null)
Context.User = new GenericPrincipal(Context.User.Identity, roles);
And at controller or action level I do something like this: 在控制器或动作级别,我做这样的事情:
[Authorize(Roles = "Admin, SuperAdmin")]
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.