ASP.NET MVC4安全,认证和授权 [英] ASP.NET MVC4 Security, Authentication, and Authorization
问题描述
我正在使用Visual Studio 2011测试一个新的asp.net mvc4项目,我试图让我的头围绕整个安全的事情。它是最初将使用单点登录的内部Intranet应用,因此用户(还)没有被提示输入一个Windows ID /密码。公司拥有用于存储不同的应用角色的自定义应用程序,将通过一个存储过程调用可用。这将需要一个用户的登录ID和例如返回某种含集合角色的MyApp.Data,MyApp.User,MyApp.Admin那么,什么是这个被称为 - 这是一个自定义的成员提供者,自定义角色提供商或其他什么东西。
I'm working on a new asp.net mvc4 project using Visual Studio 2011 beta and am trying to get my head around the whole security thing. It's an internal Intranet application that will initially use single sign on, so the user will not (yet) be prompted for a Windows ID/password. The company has a custom application for storing roles for different applications and will be available via a stored procedure call. It will take a user's logon ID and return some sort of collection containing roles e.g. "MyApp.Data", "MyApp.User, "MyApp.Admin". So what is this referred to as - is this a custom Membership provider, custom Roles provider or something else?
我一直在授权,认证,成员,角色等所有的来龙去脉读了,我不能见木此刻的树木。我读过,现有的ASP.NET安全对象已经尝试和测试,除非有非常复杂的要求,内置的人就足够了,所以我很高兴用什么已经存在。
I've been reading up on all the ins and outs of Authorization, Authentication, Membership, Roles, etc. and I can't see the wood for the trees at the moment. I've read that the existing ASP.NET Security objects have been tried and tested, and unless there are very complex requirements the in-built ones will suffice, so I'm happy to use what's already there.
因此,如果用户已登录到网络上,这意味着他们进行身份验证 - 正确的?如果是这样的话,我只需要实现授权。是否有必要每个装饰或控制器行动的授权属性?如果是这样如何,如果我从我的自定义角色存储应用检索角色的ABC的一部分[授权(角色=ABC)被置?
So if a user is already signed in to the network this means they are authenticated - correct? If so then I just need to implement Authorization. Is it necessary to decorate each Controller or Action with the Authorize attribute? If so how does the "ABC" part of [Authorize(Roles = "ABC")] get set if I retrieve roles from my custom role storage app?
我读了几篇文章和博客文章包括本乔恩加洛韦但我迷路了接近尾声:
I read several articles and blog posts including this one from Jon Galloway but I got lost towards the end:
<一个href=\"http://weblogs.asp.net/jgalloway/archive/2012/05/04/asp-net-mvc-authentication-customizing-authentication-and-authorization-the-right-way.aspx\">Customizing身份验证和授权的正确方法
这么多的问题......如果任何人的这一切是如何一起挂好,然后高层次的描述知道我所有的耳朵:)
So many questions...if anyone knows of good high level description of how all this hangs together then I'm all ears :)
推荐答案
确定在没有答案给出了这一切是如何一起挂我以为我涂了我的发现至今的高级视图的:
Ok in the absence of an answer that gives a high level view of how all this hangs together I thought I'd scribble down my findings so far:
-
该公司使用Active Directory来存储用户的登录信息,从而为这用于会员我并不需要一个自定义的成员资格提供程序。一旦用户登录到公司网络,然后他们进行身份验证。添加全局授权过滤器确保访问系统的任何用户将需要验证。截至MSDN上从里克·安德森最新信息:
The company uses Active Directory to store user logon details, so as this is used for Membership I don't need a custom Membership provider. Once a user is logged on to the company network then they are authenticated. Adding a global Authorize filter ensures that any user accessing the system will need to be authenticated. Up to date info from Rick Anderson on msdn:
<一个href=\"http://blogs.msdn.com/b/rickandy/archive/2012/03/23/securing-your-asp-net-mvc-4-app-and-the-new-allowanonymous-attribute.aspx\">http://blogs.msdn.com/b/rickandy/archive/2012/03/23/securing-your-asp-net-mvc-4-app-and-the-new-allowanonymous-attribute.aspx
因此,在Global.asax中我想补充:
So in Global.asax I would add:
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
filters.Add(new HandleErrorAttribute());
filters.Add(new System.Web.Mvc.AuthorizeAttribute()); //new
}
-
一旦用户通过验证然后我需要采取授权的照顾。该公司对我不会有更新访问,只读访问角色现有的全球数据存储,这样我就可以通过一个存储过程调用检索给定用户的角色。它可以从几天到几个星期的服务台创建角色发出请求后,所以这个原因2标准角色将初步建立,用户和管理员,以及随后的角色将被存储在我们的应用程序数据库。
Once a user is authenticated I then need to take care of Authorization. The company have an existing global data store for roles that I won't have update access to, only read access, so I can retrieve the roles for a given user via a stored proc call. It can take from a few days to a couple of weeks for the helpdesk to create roles after a request is made, so for this reason 2 standard roles will be initially created, User and Admin, and subsequent roles will be stored in our application database.
随着这些标准的2以后的角色,角色是必需的,如超级用户,等等。这些角色将根据业务规则等各项权利,将需要存储在我们的应用程序的数据库。因此,对于这个场景,我将需要创建一个自定义角色提供程序,添加相应的asp.net作用表我的应用程序的数据库,并将其插入到web.config中。这里的标题为管理授权使用我挑选出位的作用在MS页:
Along with these 2 standard roles subsequent roles are required such as Superuser, etc. These roles will have various rights depending on business rules etc. and will need to be stored in our application database. So for this scenario I will need to create a custom Role provider, add the appropriate asp.net role tables to my app database, and plug it into the web.config. Here's an ms page titled Managing Authorization Using Roles that I'm picking bits out of:
<一个href=\"http://msdn.microsoft.com/en-us/library/9ab2fxh0.aspx\">http://msdn.microsoft.com/en-us/library/9ab2fxh0.aspx
据我至今读我需要一个自定义的角色提供的唯一表是角色和UsersInRoles。
From what I've read so far the only tables I need for a custom role provider are Roles and UsersInRoles.
CREATE TABLE角色
(
ROLENAME文本(255)NOT NULL,
应用程序名称文本(255)NOT NULL,
约束PKRoles PRIMARY KEY(角色名,应用程序名称)
)CREATE TABLE Roles ( Rolename Text (255) NOT NULL, ApplicationName Text (255) NOT NULL, CONSTRAINT PKRoles PRIMARY KEY (Rolename, ApplicationName) )
CREATE TABLE UsersInRoles
(
用户名文本(255)NOT NULL,
ROLENAME文本(255)NOT NULL,
应用程序名称文本(255)NOT NULL,
约束PKUsersInRoles PRIMARY KEY(用户名,角色名,应用程序名称)
)CREATE TABLE UsersInRoles ( Username Text (255) NOT NULL, Rolename Text (255) NOT NULL, ApplicationName Text (255) NOT NULL, CONSTRAINT PKUsersInRoles PRIMARY KEY (Username, Rolename, ApplicationName) )
在这一切的设置,我需要弄清楚如何在2个标准的角色(用户和管理员)从存储在我的应用程序数据库中的自定义角色,全球数据存储合并,如果我可以使用(例如: )[授权(角色=管理员,超级用户)上的控制器/动作或者如果我需要继承AuthoriseAttribute,做一些更聪明。
Once all this is setup I need to figure out how to merge the 2 standard roles (User and Admin) from the global data store with the custom roles stored in my app database, and if I can use (e.g.) [Authorize(Roles="Admin, Superuser")] on a Controller/Action or if I need to subclass AuthoriseAttribute and do something more clever.
我刚刚意识到,我使用AD进行身份验证,我需要添加/注射的角色集合当前用户是其成员的一种方式。所以,虽然我不需要任何自定义的成员提供的功能我还是要与HttpContext.User中进行交互,以更新其角色的集合。
I just realised that as I use AD for authentication I need a way of adding / injecting the collection of roles the current user is a member of. So although I don't need any custom membership provider functionality I still have to interact with httpContext.User to update its Roles collection.
这篇关于ASP.NET MVC4安全,认证和授权的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
