怎么今天有做ASP.net MVC的授权? [英] How to do authorization in ASP.net MVC 4 today?
问题描述
我一直与ASP.net MVC了好几年。我已经在过去开发的大多数应用程序都被访问通从传统的Web应用程序的链接。当用户到达我的应用程序之一,我的应用程序只需读取浏览器,指示该用户是由遗留应用程序验证的cookie。
I've been working with ASP.net MVC for several years now. Most applications I've developed in the past have been accessed thru a link from a legacy web application. When users arrive on one of my applications, my application simply reads a cookie from the browser that indicates that the user was authenticated by the legacy application.
现在,我终于努力,需要能够进行身份验证和授权一个全新的Web应用程序。我敢肯定,我可以做一些工作,但我想知道今天的最佳做法。
Now, I'm finally working on a brand-new web application that needs to be able to perform authentication and authorization. I'm sure I can make something work, but I want to know what today's best practices are.
这是ASP.net的WebForms,我熟悉的MembershipProvider和RoleProvider类。我也有熟悉一点与Windows身份Foundatioin(WIF)。
From ASP.net WebForms, I am familiar with the MembershipProvider and RoleProvider classes. I also have a little bit of familiarity with Windows Identity Foundatioin (WIF).
不过,当我看到在默认ASP.net MVC 4应用程序时,的AccountController类使用了一种叫做WebSecurity类。我不知道这是为了解除preciate的的MembershipProvider和RoleProvider类。
However, when I look at the default ASP.net MVC 4 application, the "AccountController" class uses something called the WebSecurity class. I'm wondering if this is meant to depreciate the MembershipProvider and RoleProvider classes.
这应该是一个基本设置与其他服务器和基于角色的访问权限的资源提供用户名/密码认证。
This should be a basic setup with username/password authentication provided by another server and role-based access to privileged resources.
什么是在ASP.net MVC 4今天实施这些最佳做法?
What are the best practices for implementing these in ASP.net MVC 4 today?
推荐答案
认证一直在变化在过去的几年里和一些所谓的ASP.NET身份,它提供了一个基于声明的标识方法是稳定在Visual Studio 2013 。不过,这仍处于测试阶段,尚未公布。
Authentication has been in flux for the last few years and is stabilizing in Visual Studio 2013 on something called the ASP.NET Identity, which offers a claims based Identity approach. However, this is still in beta and not yet released.
在MVC4在任何VS2010或2012(.NET 4.0或4.5)的默认模板是基于WebMatrix的网页技术WebSecurity班的基础上,SimpleMembershipProvider它本身就是基于的MembershipProvider这是在转。
In MVC4 in either VS2010 or 2012 (.net 4 or 4.5) the default templates are based on the Webmatrix Web Pages technology WebSecurity classes, which are in turn based on the SimpleMembershipProvider which is itself based on MembershipProvider.
让我再说一遍。 WebSecurity使用的MembershipProvider,然而,许多较新的特征只能用于通过浇铸该提供到ExtendedMembershipProvider或通过使用WebSecurity的API。
Let me say that again. WebSecurity uses MembershipProvider, however many of the newer features can only be used by casting the provider to an ExtendedMembershipProvider or by using the WebSecurity API.
您仍然可以使用旧的SqlMembershipProvider这是在ASP.NET或MVC3使用,或任何其他供应商的MS已经发布,如通用提供商。
You can still use the old SqlMembershipProvider that was used in ASP.NET or MVC3, or any of the other providers MS has released, such as the Universal Providers.
这里的关键是,所有这些(除了ASP.NET身份)基于会员,他们都在一定程度上只是插到成员身份API。
The key here is that all of these (except ASP.NET Identity) are based on Membership, and they all at some level just plug into the Membership API.
成员,但是,真的只是为用户提供了一个数据库,并验证凭据的能力。除了登录,它几乎没有做与认证的网页,或授权的网页。这是FormsAuthentication或WindowsAuthentication(或其他人)进入,并且这些提供的IIdentity和的IPrincipal的实现,这是基本的结构单元在其ASP.NET(和MVC)认证构建
Membership, however, is really just about providing a database of users and the ability to validate credentials. Other than logging in, it has little to do with Authenticating the web page, or authorizing the web page. This is where FormsAuthentication or WindowsAuthentication (or others) come in, and these provide the implementations of IIdentity and IPrincipal, which are the basic building blocks upon which ASP.NET (and MVC) authentication are built.
当您使用FormsAuthentication,它基本上只是一个IIdentity的implemtation。而当你使用RoleProvider,它基本上只是一个IPrincipal实现。
When you use FormsAuthentication, it's basically just an IIdentity implemtation. And when you use a RoleProvider, it's basically just an IPrincipal implementation.
这些提供工具中的MVC使用授权属性来控制对页面的访问,并提供使用User.IsInRole()方法来确定用户是在角色的能力。
These provide the tools in MVC to use the Authorize attribute to control access to pages, and provide the ability to use the User.IsInRole() method to determine the role a user is in.
这篇关于怎么今天有做ASP.net MVC的授权?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
