How do I use my own database with SimpleMembership and WebSecurity? What is MVC4 security all about?
Question
I've read everything on this topic I could find, including MSDN articles and SO posts, but I'm still very lost and confused.

Please answer the following (briefly, if possible):

1. What is SimpleMembership/SimpleMembershipProvider (WebMatrix.WebData) and what is it/are they responsible for?
2. What is WebSecurity (WebMatrix.WebData)?
3. What is the Membership (System.Web.Security) class?
4. Why does MVC4 create a UserProfile table and a webpages_Membership table? What are they for and what is the difference? What is the UserProfile class that MVC4 creates?
5. What is the UsersContext class?
6. How do all of these work together to make user authentication?

These questions then lead into the next problem:

My Situation

Suppose I have an existing database with users (IDs, Usernames, passwords). I'm creating a new MVC4 application and using Forms Authentication. User passwords are stored in the database in an encrypted form (not bcrypt).

What do I have to do to make it work with MVC4?

Do I have to create a custom MembershipProvider?

As far as I can understand, WebSecurity is a static class (Module) that interacts with a MembershipProvider. A MembershipProvider is a class that explains how particular functions work, such as ValidateUser, CreateUser, ChangePassword.

To solve my problem I assume I need to create a custom MembershipProvider and tell WebSecurity to use my new MembershipProvider.

I have placed a bounty on this question and intend to award it to Andy Brown for an outstanding answer.
Answer
See below for a quick answer to each question, and the paragraphs after that for the detail. Also see the references section at the end for authoritative sources.

1. What is SimpleMembership/SimpleMembershipProvider (WebMatrix.WebData) and what is it/are they responsible for?

SimpleMembership (a term that covers both the SimpleMembershipProvider and SimpleRoleProvider) is responsible for providing a clean and quick way of implementing an 80%-there plug and play authentication and authorisation framework with secure password storage, that anyone can use.
2. What is WebSecurity (WebMatrix.WebData)?

WebSecurity is a helper class for common membership tasks that works alongside Membership and OAuthWebSecurity. Roles are still accessed separately through Roles.
3. What is the Membership (System.Web.Security) class?

Membership is a static class from the original ASP.NET membership implementation that manages user settings and operations. Many user operations are still done here rather than repeating them in WebSecurity. They both use the same provider of your choice.
4. Why does MVC4 create a UserProfile table and a webpages_Membership table? What are they for and what is the difference? What is the UserProfile class that MVC4 creates?

The two tables perform different functions. The webpages_Membership schema is controlled by the framework and used for credentials; the UserProfile schema is controlled by us and used for any properties we want to store against a user.
5. What is the UsersContext class?

It is a DbContext (part of the DbContext API) provided as a starting point by the MVC Internet Application template. Its only job is to contain the UserProfile class so we can work with it (e.g. through InitializeSimpleMembershipAttribute).
6. How do all of these work together to make user authentication?

This should now be evident from the summaries above and the detail below. Use: WebSecurity for common tasks; UserProfile for custom properties to store against a user, accessed through the UsersContext (in the Visual Studio "MVC Internet Application" template); Membership when WebSecurity or OAuthWebSecurity doesn't have the method; and Roles for roles. Use the VS template's controller to see examples of use.
Edit. In case anyone got this far

"Suppose I have an existing database ..."

If you have an existing database, and your only reason for writing a custom membership provider is to deal with your legacy password storage method, then you could use a workaround. This will only work if you can move away from your old password storage to the SimpleMembership algorithm (which uses the Rfc2898DeriveBytes class, http://msdn.microsoft.com/en-us/library/system.security.cryptography.rfc2898derivebytes.aspx). See the footnote for details.

If you can't move away, then yes you are going to have to create your own provider to use your specific password algorithm, which you can do by deriving from SimpleMembershipProvider (see http://weblogs.asp.net/thangchung/archive/2012/11/15/customize-the-simplemembership-in-asp-net-mvc-4-0.aspx).

NOTE: SimpleMembershipProvider will HASH your passwords, not ENCRYPT them. If you don't know the difference and why that is important, then think twice before doing your own provider with custom security.
To understand how it all fits together it helps to understand the history.

- ASP.NET introduced the ASP.NET Membership system in 2005.
- This system used providers to abstract away the implementation details behind a common interface for managing accounts, roles etc.
- It also gave us a basic user profile feature (stored as XML fields in a single column, so people tended to avoid it).
- SimpleMembership was released to the world in 2010-ish as a provider plugging into the ASP.NET Membership system, while also allowing OAuth authentication and property-per-column user profile storage (rather than the single-column store of the original implementation).
- SimpleMembershipProvider implements ExtendedMembershipProvider (http://msdn.microsoft.com/en-us/library/webmatrix.webdata.extendedmembershipprovider%28v=vs.111%29.aspx), which extends the original provider implementation.

It is Open Source on codeplex (mirrored on github). As far as security goes you can therefore assess the code yourself, clone it, change it etc. You should take your own view (see http://www.zdnet.com/six-open-source-security-myths-debunked-and-eight-real-challenges-to-consider-7000014225/) on the benefits and drawbacks of open source security (http://en.wikipedia.org/wiki/Open-source_software_security), and cook that up with a pinch of NIH. (Personal view: I use it sometimes, I don't use it other times.)
ExtendedMembershipProvider in itself adds commands like GeneratePasswordResetToken to the old membership provider APIs.
WebSecurity (http://msdn.microsoft.com/en-us/library/gg547905%28v=vs.111%29.aspx) is simply a facade, or helper class, to provide simple access to SimpleMembershipProvider and make common tasks easy and accessible in one place. It is there both to help and because the extension of the original framework through ExtendedMembershipProvider means some of the original classes like Membership aren't enough now. Examples:

- WebSecurity.CurrentUserName - gets the name of the currently logged in user
- WebSecurity.CreateUserAndAccount - simultaneously create a user and set user profile properties (e.g. WebSecurity.CreateUserAndAccount(userName, pw, new { Email = model.Email });)
- WebSecurity.InitializeDatabaseConnection - quickly set up a new/existing database for use with membership, choose your user id column and user natural key identifier etc.
- ResetPassword to reset a user password, GeneratePasswordResetToken, and many more
These methods generally defer to the provider you are using; they don't just depend on SimpleMembership, and they tie together objects like your provider and Membership to provide a common point to do membership functions.

Note there is also OAuthWebSecurity (http://msdn.microsoft.com/en-us/library/microsoft.web.webpages.oauth.oauthwebsecurity%28v=vs.111%29.aspx), which is the equivalent of WebSecurity for OAuth authentication.
Membership (http://msdn.microsoft.com/en-us/library/system.web.security.membership.aspx) is from the original implementation; it manages user settings and performs user-related operations using the basic MembershipProvider implementation which ExtendedMembershipProvider now extends. It is a static class, so it is available anywhere you declare the namespace, and is therefore an easy way to, for example, retrieve the current user: Membership.GetUser

There is confusion caused by the fact that WebSecurity does some things and not others, and Membership does some things and not others. If you view WebSecurity as a toolkit for higher level operations, and Membership as a toolkit to do things to a user, you'll be ok; they work together on your provider.
- webpages_Membership is a table with a fixed schema that we leave alone, and allows the provider to do the basic account operations, mainly storing credentials.
- UserProfile is a table that we customise to store information against a user account, and have that made available in a strongly typed format through the UserProfile class.
- There is an extra table called webpages_OAuthMembership which does the same job as webpages_Membership, but for OAuth login providers that you want to integrate with.

The magic of this setup is that a single user can have a membership login on your own site, and any number of OAuth logins with different providers like google, facebook, and they all share a common profile stored in UserProfile.
Generally if a table starts with webpages_, it means there is an API to access it. The UserProfile table is represented by the UserProfile class in your UsersContext (if you use the default MVC Internet Application template). Therefore we access this through the usual methods we would use with any class contained in a DbContext (http://msdn.microsoft.com/en-us/library/system.data.entity.dbcontext%28v=vs.103%29.aspx).
UserProfile is very code-first friendly: you can add columns (like the user's Email address), and then set up a migration to include that column in your database on your next release (if you like using migrations). In fact, the UserProfile table does not have to be called that - you can change that using the WebSecurity.InitializeDatabaseConnection call, [Table("UserProfile")] public class UserProfile, and your own migrations.
This is from the MVC Internet Application template provided in Visual Studio New Project. The first thing I do is make sure that it shares a common connection string with my own database context (assuming the membership tables are in the same database). You can change this and decouple them later if you want.

You don't need to have it separate to your own context - that is only necessary if you want to store membership information in a different database now or in the future. If you get rid of it you can just change references to UsersContext to your own context, adjusting Database.SetInitializer.
References:

- Using SimpleMembership With ASP.NET WebPages - Matthew Osborn - This is the original reference about SimpleMembership and what it is, why it is, and what it does.
- MSDN - Introduction to Membership - Membership is still at the core of SimpleMembership, so it helps to understand a bit about it.
- codeplex source (mirrored on github).
- WebSecurity - http://msdn.microsoft.com/en-us/library/gg547905%28v=vs.111%29.aspx
- OAuthWebSecurity - http://msdn.microsoft.com/en-us/library/microsoft.web.webpages.oauth.oauthwebsecurity%28v=vs.111%29.aspx
- SimpleMembershipProvider - http://msdn.microsoft.com/en-us/library/webmatrix.webdata.simplemembershipprovider%28v=vs.111%29.aspx
- ExtendedMembershipProvider - http://msdn.microsoft.com/en-us/library/webmatrix.webdata.extendedmembershipprovider%28v=vs.111%29.aspx
- SimpleRoleProvider - http://msdn.microsoft.com/en-us/library/webmatrix.webdata.simpleroleprovider%28v=vs.111%29.aspx
- Membership - http://msdn.microsoft.com/en-us/library/system.web.security.membership.aspx
- Roles - http://msdn.microsoft.com/en-us/library/system.web.security.roles.aspx
- DbContext (http://msdn.microsoft.com/en-us/library/system.data.entity.dbcontext%28v=vs.103%29.aspx) and the DbContext API
EDIT Footnote: the detail for doing a rolling password upgrade

- Add a property to UserProfile which stores what password version the account is on (e.g. 1 for legacy, 2 for SimpleMembership).
- In the "Login" Action, write code so that:
  - If they are on your SimpleMembership password version, you do a normal login.
  - If they are on the legacy password version, you:
    - check it using your old method;
    - if it is correct, you reset it using ResetPassword then ChangePassword to use the SimpleMembership version; this will update the field to the new password version;
    - and finally update the Password version on the UserProfile.

It is possible to make all this transactional with TransactionScope (http://msdn.microsoft.com/en-us/library/system.transactions.transactionscope.aspx). The only nasty thing going on is the extra code in the controller, and the coupling to webpages_Membership.
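The rolling upgrade from the footnote, written out as an added example (my code, not from the question, the answer, or the SimpleMembership project): an MVC4 Login action that points SimpleMembership at an existing users table and moves each legacy user to PBKDF2 storage the first time they log in successfully. Assumptions that are not on the page: the existing table is called Users with columns UserId, UserName and LegacyPasswordHash, and a PasswordVersion column has been added; the legacy scheme is an unsalted SHA-1 hex digest, a stand-in for whatever the old application really used; and the legacy users have no webpages_Membership row yet, so the upgrade step calls WebSecurity.CreateAccount to create one instead of the answer's ResetPassword/ChangePassword route (if the rows already exist, GeneratePasswordResetToken followed by ResetPassword does the same job). LoginModel is the template's own view model.

```csharp
using System;
using System.ComponentModel.DataAnnotations;
using System.ComponentModel.DataAnnotations.Schema;
using System.Data.Entity;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Transactions;
using System.Web.Mvc;
using WebMatrix.WebData;
// ASSUMED existing users table "Users" (columns UserId, UserName, LegacyPasswordHash)
// plus a PasswordVersion column added for the migration; mapped in place of UserProfile.
[Table("Users")]
public class UserProfile
{
    [Key]
    public int UserId { get; set; }
    public string UserName { get; set; }
    public string LegacyPasswordHash { get; set; }   // old storage, cleared after upgrade
    public int PasswordVersion { get; set; }         // 1 = legacy, 2 = SimpleMembership
}

public class UsersContext : DbContext
{
    public UsersContext() : base("DefaultConnection") { }
    public DbSet<UserProfile> UserProfiles { get; set; }
}

public static class MembershipSetup
{
    // Run once at startup (Application_Start or InitializeSimpleMembershipAttribute):
    // point SimpleMembership at "Users"; autoCreateTables adds webpages_Membership etc.
    public static void Init()
    {
        if (!WebSecurity.Initialized)
            WebSecurity.InitializeDatabaseConnection("DefaultConnection",
                "Users", "UserId", "UserName", autoCreateTables: true);
    }
}

public static class LegacyHash
{
    // ASSUMPTION: the old application stored unsalted SHA-1 hex digests.
    // Substitute the real legacy check; keep the constant-time comparison.
    public static bool Verify(string password, string storedHex)
    {
        if (string.IsNullOrEmpty(storedHex) || storedHex.Length % 2 != 0) return false;
        byte[] stored;
        try { stored = Enumerable.Range(0, storedHex.Length / 2)
                  .Select(i => Convert.ToByte(storedHex.Substring(2 * i, 2), 16)).ToArray(); }
        catch (FormatException) { return false; }
        byte[] computed;
        using (var sha1 = SHA1.Create()) computed = sha1.ComputeHash(Encoding.UTF8.GetBytes(password));
        if (computed.Length != stored.Length) return false;
        int diff = 0;                                  // constant-time compare
        for (int i = 0; i < computed.Length; i++) diff |= computed[i] ^ stored[i];
        return diff == 0;
    }
}

public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model, string returnUrl)   // LoginModel: the template's
    {
        if (ModelState.IsValid
            && (WebSecurity.Login(model.UserName, model.Password, model.RememberMe)
                || UpgradeLegacyAndLogin(model)))
        {
            return Url.IsLocalUrl(returnUrl) ? (ActionResult)Redirect(returnUrl)
                                             : RedirectToAction("Index", "Home");
        }
        // One message for unknown user, wrong password and failed legacy check.
        ModelState.AddModelError("", "The user name or password provided is incorrect.");
        return View(model);
    }

    // True only if the user is on version 1, the legacy hash verifies, and the account has been re-created under SimpleMembership.
    private static bool UpgradeLegacyAndLogin(LoginModel model)
    {
        using (var db = new UsersContext())
        {
            var user = db.UserProfiles.SingleOrDefault(u => u.UserName == model.UserName);
            if (user == null || user.PasswordVersion != 1
                || !LegacyHash.Verify(model.Password, user.LegacyPasswordHash))
                return false;
            using (var tx = new TransactionScope())
            {
                WebSecurity.CreateAccount(model.UserName, model.Password); // webpages_Membership row, PBKDF2 via Rfc2898DeriveBytes
                user.PasswordVersion = 2;
                user.LegacyPasswordHash = null;        // stop keeping the weak hash around
                db.SaveChanges();
                tx.Complete();
            }
        }
        return WebSecurity.Login(model.UserName, model.Password, model.RememberMe);
    }
}
```

Two caveats worth knowing before copying this. First, WebSecurity opens its own connection inside the TransactionScope while the UsersContext holds another, so on SQL Server the scope can be promoted to a distributed transaction; if that is unacceptable, write the PasswordVersion update with the same connection the provider uses or accept a small window where CreateAccount succeeded but the version flag did not. Second, two concurrent first logins for the same legacy user race on CreateAccount, and the loser gets a MembershipCreateUserException; catching it and returning false makes that request fail with the generic message, and the retry succeeds against the now-upgraded account.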