Forms Authentication cross Windows Authentication

Problem description

I have a website that I am working on that has both an intranet and internet deployment. The only difference between the 2 is a couple of config settings.

The internet version works fine as it just uses forms authentication (which is defined in its web config) and if not logged in the user is directed to a login page.

The intranet version is a little trickier... when a user first comes to the site the HTTP context principal object is set correctly with WindowsPrincipal, but using that information I confirm that the user is allowed access to the app and then I create my own IPrincipal instance.

Given this there are a couple of things I want to do here... I want to use the WindowsPrincipal object as a basis for authenticating the user but then from that point forward use forms authentication (i.e. using a cookie to store the auth details etc). I also need the instance of the principal that I retrieve from the HTTP context to be of my IPrincipal type.

How am I best to go about doing this? As in should I look to the global.asax's Session_Start to perform auth logic and then somehow get it to store my custom IPrincipal (so for any request after that point the instance is my custom principal) or am I best to be doing something with Application_AuthenticateRequest.

Cheers, Anthony

Recommended answer

Avoid the session object for this. Application_AuthenticateRequest is where you want to be. In there, you can take the WindowsPrincipal, and then go to the database to populate your own custom IPrincipal-implementing object. This means that Application_AuthenticateRequest gets called a lot, though, so in my apps, I tend to cache the role data for at least a few seconds to cut down on database round trips. This also works with Forms authentication. The only difference between the two methods is that in the Forms scenario, you get a GenericPrincipal from the Forms auth module, and you'd use that to retrieve your own custom principal object instead of the WindowsPrincipal.

Another upshot of setting HttpContext.Current.User in Application_AuthenticateRequest is that, unlike if you put your principal in the Session object, you can use declarative security, such as decorating your methods with PrincipalPermissionAttribute.
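
One way to implement the approach in this answer, as an added example that is not the answerer's code. `AppPrincipal`, `RoleStore`, the sample account and the 30-second cache window are assumptions; the in-memory dictionary is constructed sample data standing in for the database lookup.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Caching;

// Custom principal (hypothetical name): keeps the identity supplied by the
// Windows or Forms authentication module and adds application roles.
public sealed class AppPrincipal : IPrincipal
{
    private readonly string[] _roles;
    public AppPrincipal(IIdentity identity, string[] roles) { Identity = identity; _roles = roles; }
    public IIdentity Identity { get; private set; }
    public bool IsInRole(string role)
    {
        return _roles.Contains(role, StringComparer.OrdinalIgnoreCase);
    }
}

public class Global : HttpApplication
{
    // Constructed sample data standing in for the database role lookup.
    private static readonly Dictionary<string, string[]> RoleStore =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        { { @"CORP\anthony", new[] { "Editor" } } };

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal current = Context.User; // WindowsPrincipal, or GenericPrincipal under Forms auth
        if (current == null || !current.Identity.IsAuthenticated) return;

        string key = "roles:" + current.Identity.Name;
        var roles = (string[])HttpRuntime.Cache[key];
        if (roles == null)
        {
            // Authenticated by Windows but unknown to the application: deny.
            if (!RoleStore.TryGetValue(current.Identity.Name, out roles))
                throw new HttpException(403, "Account is not authorised for this application.");
            // Short absolute expiry bounds how long a revoked role stays effective.
            HttpRuntime.Cache.Insert(key, roles, null,
                DateTime.UtcNow.AddSeconds(30), Cache.NoSlidingExpiration);
        }
        var principal = new AppPrincipal(current.Identity, roles);
        Context.User = principal;            // what later code reads from the HTTP context
        Thread.CurrentPrincipal = principal; // what PrincipalPermissionAttribute checks
    }
}
```

The cache window is a trade-off: a role removed in the database remains usable until the cached entry expires, so keep it short or evict the entry when roles change.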
