ASP.NET 4.0 Single sign on between parent website and child web-application fails


Question

I have the following structure

www.website.com --> ASP.NET 4.0 Web-site

www.website.com/blog --> .NET 4.0, Web-Application

Both do form-authentication against the same SQL database and use the framework ASP.NET memberships and roles. I can log into each portion just fine (same user/password) but the authentication doesn't carry over i.e. if I log into / and then click a link to /blog/, /blog/ thinks I'm Anonymous and prompts for login again. I've done the basics

  1. Identical <authentication mode="Forms"> in both the site as well as app web.configs
  2. Identical <machineKey> section (yes, identical validationKey and decryptionKey)

So I then inspected the cookies generated and noticed that the website and the web application seem to be working on different cookies.

Cookies created by website.com/blog

  • .ASPXFORMSAUTH-27604f05-86ad-47ef-9e05-950bb762570c
  • .ASPXROLES

Cookies created by website.com

  • .ASPXFORMSAUTH

I think this is the problem, although I see it despite having identical <authentication> sections which look like

<authentication mode="Forms">
    <forms timeout="30" slidingExpiration="true" name=".ASPXFORMSAUTH" enableCrossAppRedirects="true" protection="All" cookieless="UseCookies"/>
</authentication>

I did read several other posts like Single Sign On with Forms Authentication as well as http://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx

There were also a few other posts I can't recall now. I've gone through them (all?) but am still stuck. I can gladly supply more debug data if needed.

Would really appreciate any tips someone might have! I think I'm hitting a wall on this one!

Answer

Ok, so I was able to answer my own question after beating around it for longer.

Basically, BlogEngine.NET 2.5 (my web-app) seems to be overriding the .NET 4.0 framework way of doing things. There are a couple of things you need to fix, all within BlogEngine.Core\Security\Security.cs (download the BlogEngine.NET source code)

Part 1: Fix the cookie name

In there is a method FormsAuthCookieName which I changed as follows:

File: BlogEngine.Core\Security\Security.cs
Method: FormsAuthCookieName()
// return FormsAuthentication.FormsCookieName + "-" + Blog.CurrentInstance.Id.ToString();
return FormsAuthentication.FormsCookieName;

This ensures that the cookie names are the same. One hurdle down ...

Part 2: Avoid the web-app's / BlogEngine.NET's login page / controls / code

Instead of directing users to log into BlogEngine.Net's login.aspx (www.website.com\blog\account\login.aspx), I pointed all login links to my main website's login.aspx page (www.website.com\login.aspx). In case you're wondering how to implement your own site-wide authentication, this is a super-quick guide

msdn.microsoft.com/en-us/library/ff184050.aspx. 

I also had to add something like this to both the website web.config as well as the web-app web.config, so anytime a protected resource is accessed (from website or web app) my own global /login.aspx is used.

<authentication mode="Forms">
<forms timeout="30" loginUrl="/login.aspx" blah blah />
</authentication>

Now, my own generic, site-wide user login controls will be creating the (.NET framework standard) authentication cookies and the (user) role cookies. By avoiding BlogEngine.NET's login.aspx we're cleaner, plus we avoid calling this code which is problematic.

File: BlogEngine.Core\Security\Security.cs
Method: AuthenticateUser(string username, string password, bool rememberMe)

Details: This code adds a "blog instance" to the cookie, so that if you have several blogs in the same domain, user1 who authenticated on blog instance 1 is not automatically authenticated on blog instance 2. I'd guess most people have only one blog per domain (www.domain.com\blog!), so this is unnecessary. More importantly, that check breaks our single sign on.

Two hurdles down ...

Part 3: Fix the per-access permission check

Now, our site wide, standardized login.aspx doesn't add the specific BlogEngine.NET instance ID (see above). This would have been ok, except that there is still some BlogEngine.NET code that specifically looks for that. We don't need that check either, so let's remove that offending check...

File: BlogEngine.Core\Security\Security.cs
Method: void Init(HttpApplication context)
// Comment line below to revert to only-framework/default processing
//context.AuthenticateRequest += ContextAuthenticateRequest;

So at this point you should have

  • All logins handled by a single, site wide login.aspx
  • All authentication cookies and user role cookies created by the above site wide login.aspx
  • All such cookies encrypted and protected per both the website & web-app web.configs (which should match!)

Which in turn allows single sign on :) !! Hooray !
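The three parts above all come down to one condition: the parent site and the /blog child application must receive a forms-auth cookie with the same name, scoped to a path that covers both, and encrypted with the same <machineKey>. The following diagnostic handler is an added example, not code from the answer or from BlogEngine.NET; the handler class name and the path you register it under are assumptions. Dropped into both applications, it reports which forms cookies reached the request, flags an app-specific ".ASPXFORMSAUTH-<guid>" style name (the Part 1 symptom), and tries to decrypt the shared cookie, which fails when the validation/decryption keys of the two web.configs differ.

```csharp
// Added diagnostic example (not from the original answer or BlogEngine.NET).
// Register it in BOTH the parent site and the /blog child app and request it
// after logging in through the site-wide login.aspx. It only reads cookies;
// it never creates, modifies or deletes them. Class name and mapped path
// are assumptions.
using System;
using System.Text;
using System.Web;
using System.Web.Security;

public class SsoCookieCheckHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";
        context.Response.Write(Describe(context.Request));
    }

    // Builds a plain-text report; separated from ProcessRequest so it can be
    // called from a test or from a page's code-behind as well.
    public static string Describe(HttpRequest request)
    {
        var report = new StringBuilder();
        // Both values come from the <forms> element of THIS app's web.config.
        string expectedName = FormsAuthentication.FormsCookieName;
        report.AppendLine("App path:             " + request.ApplicationPath);
        report.AppendLine("Expected cookie name: " + expectedName);
        report.AppendLine("Forms cookie path:    " + FormsAuthentication.FormsCookiePath);

        // Part 1 symptom: a suffixed name such as ".ASPXFORMSAUTH-<guid>" means the
        // child app still issues/reads its own cookie and SSO cannot work.
        foreach (string name in request.Cookies.AllKeys)
        {
            if (name.StartsWith(expectedName, StringComparison.OrdinalIgnoreCase) && name != expectedName)
                report.AppendLine("WARNING: app-specific forms cookie present: " + name);
        }

        HttpCookie cookie = request.Cookies[expectedName];
        if (cookie == null)
        {
            report.AppendLine("No '" + expectedName + "' cookie reached this app.");
            report.AppendLine("Check: identical <forms name=...> in both web.configs and a cookie path of '/' so the browser also sends it to /blog.");
            return report.ToString();
        }

        try
        {
            // Decrypt only succeeds when validationKey/decryptionKey match the
            // application that issued the ticket (Part 2: the site-wide login.aspx).
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            report.AppendLine("Ticket user:    " + ticket.Name);
            report.AppendLine("Ticket path:    " + ticket.CookiePath);
            report.AppendLine("Ticket expires: " + ticket.Expiration.ToString("u"));
            report.AppendLine("Ticket expired: " + ticket.Expired);
            if (ticket.CookiePath != "/")
                report.AppendLine("WARNING: ticket path is not '/', so the cookie is scoped to a single application.");
        }
        catch (Exception ex) // key mismatch or a tampered value surfaces here
        {
            report.AppendLine("Decrypt FAILED: " + ex.GetType().Name + " - " + ex.Message);
            report.AppendLine("Check: identical <machineKey validationKey/decryptionKey/validation/decryption> in both web.configs.");
        }
        return report.ToString();
    }
}
```

Map the handler to a path of your choosing (for example under <system.webServer><handlers> for IIS integrated mode) in each application, and make sure that path is not itself behind the forms-auth <authorization> rules, otherwise an unauthenticated request is redirected to login.aspx before the report is produced. Because the report prints the logged-in username and ticket expiry, remove the handler from both web.configs once the cookie mismatch is confirmed fixed.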
