Claims based authentication, with active directory, without ADFS


Question

I have a client asking for an integrated authentication based solution utilizing a custom role/membership schema. My original plan was to use claims based authentication mechanism with integrated authentication. However, my initial research is not turning up a whole lot of useful information.

To the point, I have an ASP.NET (not core nor owin) WebAPI application, which has api actions used by angular SPA based (asp.net) web application. I am attempting to authorize the api calls using integrated authentication. My initial effort was focused around a custom AuthorizationAttribute and ClaimsAuthenticationManager implementation. However as I got deeper into that I started running into issues with the custom ClaimsAuthenticationManager, at this point I'm not sure that is the proper route to take.

So my question for you all is, can you at least give me some ideas of what it would take to make this happen? I don't need help with specific bits of the code, just need to figure out the appropriate "stack" so to speak.

The only real requirement is WebAPI calls can be authorized, with a custom attribute passing a name of a claim to authorize on, but the claim is not in AD even though it is using windows authentication, the claims themselves would come from a database.

Thanks all!

Answer

Your scenario isn't much different:

  • You are using AD for authentication
  • You are using a database for authorization

Simply put, this can be addressed by configuring web-api to use windows authentication.

<system.web>
   <authentication mode="Windows" />
</system.web>

And add your own IAuthorizationFilter to Web API pipeline, that will check current principal (should be set), and then override this principal with your own (i.e. query db - get claims, and override it with your custom claims principal by setting HttpContext.Current.User and Thread.CurrentPrincipal). For how to add filter to WebAPI pipeline check out How to add global ASP.Net Web Api Filters?

using System.Security.Claims;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Filters;

public class CustomAuthenticationFilter : IAuthenticationFilter {
  public bool AllowMultiple { get { return true; } }

  // Runs before authorization filters; context.Principal is the WindowsPrincipal
  // that IIS set for the request when <authentication mode="Windows" /> is on.
  public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken) {
    var windowsPrincipal = context.Principal as WindowsPrincipal;
    if (windowsPrincipal != null) {
      var name = windowsPrincipal.Identity.Name;
      // TODO: fetch claims from db (i guess based on name)
      var identity = new ClaimsIdentity(windowsPrincipal.Identity);
      identity.AddClaim(new Claim("db-crazy-claim", "db-value"));
      var claimsPrincipal = new ClaimsPrincipal(identity);
      // here is the punchline - we're replacing original windows principal
      // with our own claims principal
      context.Principal = claimsPrincipal;
    }

    return Task.FromResult(0);
  }

  // Nothing to challenge with: Windows authentication already issued its challenge.
  public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken) {
    return Task.FromResult(0);
  }
}

public static class WebApiConfig {
  public static void Register(HttpConfiguration config) {
    // Global filter: applies to every controller action
    config.Filters.Add(new CustomAuthenticationFilter());

    // Web API routes (route arguments elided in the original answer)
    config.MapHttpAttributeRoutes();
    // config.Routes.MapHttpRoute( ... );
  }
}

Also there is no need for custom authorization attribute - use the default one - it's understood by everyone, and makes your code more readable.
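A fuller version of the same approach, added here as an example and not the answerer's code: the filter only trusts an identity IIS actually authenticated, adds nothing for accounts the application does not know, and exposes the database roles as ClaimTypes.Role claims so the stock [Authorize(Roles = ...)] works. IClaimStore, DbClaimsAuthenticationFilter and DocumentsController are assumed names.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Filters;

// Hypothetical lookup against the custom role/membership tables, keyed by the Windows
// account name (DOMAIN\user). Returns null for accounts the application has not provisioned.
public interface IClaimStore {
  IReadOnlyCollection<Claim> GetClaims(string windowsAccountName);
}

public class DbClaimsAuthenticationFilter : IAuthenticationFilter {
  private readonly IClaimStore _store;
  public DbClaimsAuthenticationFilter(IClaimStore store) { _store = store; }
  public bool AllowMultiple { get { return false; } }

  public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken) {
    var windows = context.Principal as WindowsPrincipal;
    // Trust only a name that IIS actually authenticated; anything else is left untouched.
    if (windows == null || !windows.Identity.IsAuthenticated) return Task.FromResult(0);

    // Known to AD but not to the application: add nothing, so a roles-based [Authorize]
    // denies instead of granting default access.
    var dbClaims = _store.GetClaims(windows.Identity.Name);
    if (dbClaims == null) return Task.FromResult(0);

    // Fresh identity: name from the Windows token, roles from the database. Reusing the Windows
    // AuthenticationType keeps IsAuthenticated true, and ClaimTypes.Role as the role claim type
    // is what AuthorizeAttribute(Roles = ...) checks through IsInRole.
    var claims = new List<Claim> { new Claim(ClaimTypes.Name, windows.Identity.Name) };
    claims.AddRange(dbClaims);
    var identity = new ClaimsIdentity(claims, windows.Identity.AuthenticationType, ClaimTypes.Name, ClaimTypes.Role);
    context.Principal = new ClaimsPrincipal(identity);
    return Task.FromResult(0);
  }

  public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken) {
    return Task.FromResult(0);
  }
}
// The stock attribute is enough once roles are ClaimTypes.Role claims on the principal;
// register the filter with config.Filters.Add(new DbClaimsAuthenticationFilter(store)).
[Authorize(Roles = "Editor")]
public class DocumentsController : ApiController {
  public IHttpActionResult Get() { return Ok(User.Identity.Name); }
}
```

A plain [Authorize] without Roles would still admit any Windows-authenticated caller, so authorize on the database-derived roles (or specific claims) when the application, not AD, decides access.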
