Is ASP.NET Core Identity needed for Intranet app using Windows Authentication

Views: 98

Question

Using Windows Authentication in an Intranet web application I want to achieve the following:

  • Collect additional attributes from AD (name, employee number)
  • Collect additional attributes from a database table (working hours, salary)
  • Authorize based on application roles (not AD groups)
  • Authorize based on AD attributes (has direct reports)
  • The user does not supply a username/password

In my search for an answer it is suggested that I need to add ClaimsTransformation to my application:

How to use Windows Authentication with users from a database

Populate custom claims from SQL in a .Net Core application using Windows Authentication

Caching claims in .net core 2.0

Though I don't fully understand the solution and why ClaimsTransformation happens on every request, so I'm looking for answers to the following:

  1. Is ASP.NET Core Identity required for ClaimsTransformation to work?
  2. Does ClaimsTransformation happen on every request with just Windows Authentication or also with form based authentication?
  3. Does this have to happen on every request?
  4. Caching claims like GivenName, Surname seems simple but what about roles? What steps need to be taken to ensure the database isn't hit every time but roles do get updated when there are changes?
  5. Is there a simpler alternative for what I'm trying to do?
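The ClaimsTransformation-plus-caching approach that points 2 to 4 ask about, as an added example; this is not code from the question, the answer or any of the linked posts. IClaimsTransformation and IMemoryCache are the real ASP.NET Core types; IUserClaimsSource, InMemoryUserClaimsSource and the sample data they return are constructed for this example and stand in for the AD and database lookups described in the question.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Caching.Memory;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical abstraction: a real implementation would read the AD attributes
// and the roles / working-hours tables mentioned in the question.
public interface IUserClaimsSource
{
    Task<IReadOnlyList<Claim>> GetClaimsAsync(string windowsAccountName);
}

// Constructed sample source so the example compiles and runs without AD or SQL.
public class InMemoryUserClaimsSource : IUserClaimsSource
{
    private static readonly Dictionary<string, Claim[]> SampleData =
        new Dictionary<string, Claim[]>(StringComparer.OrdinalIgnoreCase)
        {
            ["CORP\\alice"] = new[]
            {
                new Claim(ClaimTypes.GivenName, "Alice"),
                new Claim("EmployeeNumber", "1001"),
                new Claim(ClaimTypes.Role, "Admin"),
            },
        };

    public Task<IReadOnlyList<Claim>> GetClaimsAsync(string windowsAccountName)
    {
        IReadOnlyList<Claim> result = SampleData.TryGetValue(windowsAccountName ?? "", out var c)
            ? c : Array.Empty<Claim>();
        return Task.FromResult(result);
    }
}

// Adds application claims to the Windows principal. ASP.NET Core calls
// TransformAsync on every request that authenticates, so the lookup is cached
// per user SID and only re-run when the entry expires or is invalidated.
public class CachedClaimsTransformation : IClaimsTransformation
{
    // Marker claim that makes the transformation idempotent within one request.
    private const string LoadedMarker = "urn:example:app-claims-loaded";
    private static readonly TimeSpan CacheLifetime = TimeSpan.FromMinutes(5);

    private readonly IUserClaimsSource _source;
    private readonly IMemoryCache _cache;

    public CachedClaimsTransformation(IUserClaimsSource source, IMemoryCache cache)
    {
        _source = source;
        _cache = cache;
    }

    public static string CacheKey(string sid) => "app-claims:" + sid;

    // Call this when an administrator changes a user's roles, so the next request
    // re-reads the source instead of waiting for the TTL to elapse.
    public static void Invalidate(IMemoryCache cache, string sid) => cache.Remove(CacheKey(sid));

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        if (!(principal.Identity is ClaimsIdentity identity) || !identity.IsAuthenticated)
            return principal;                       // anonymous request: nothing to add

        if (identity.HasClaim(c => c.Type == LoadedMarker))
            return principal;                       // already transformed on this request

        // Key on the SID; account names can be renamed or reused.
        var sid = identity.FindFirst(ClaimTypes.PrimarySid)?.Value ?? identity.Name;

        var extra = await _cache.GetOrCreateAsync(CacheKey(sid), async entry =>
        {
            entry.AbsoluteExpirationRelativeToNow = CacheLifetime;
            return await _source.GetClaimsAsync(identity.Name);
        });

        // Never mutate the incoming principal; work on a clone.
        var clone = principal.Clone();
        var cloneIdentity = (ClaimsIdentity)clone.Identity;
        cloneIdentity.AddClaims(extra);
        cloneIdentity.AddClaim(new Claim(LoadedMarker, "true"));
        return clone;
    }
}

public static class CachedClaimsRegistration
{
    // Wiring for Startup.ConfigureServices: services.AddCachedClaims();
    public static IServiceCollection AddCachedClaims(this IServiceCollection services)
    {
        services.AddMemoryCache();
        services.AddScoped<IUserClaimsSource, InMemoryUserClaimsSource>();
        services.AddScoped<IClaimsTransformation, CachedClaimsTransformation>();
        return services;
    }
}
```

No ASP.NET Core Identity is involved: the transformation plugs into the authentication pipeline directly and works the same with Windows Authentication or cookies. Because it does run on every authenticated request, the cache is what keeps the database off the hot path, and an explicit Invalidate call (or a short TTL) is what makes role changes visible. One caveat when authorizing: a raw WindowsIdentity uses the group SID as its RoleClaimType, so claim-based policies such as RequireClaim(ClaimTypes.Role, "Admin") are a safer check for application roles than IsInRole.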

Answer

This article gave me some ideas and here is a possible solution.

Controllers would inherit from a base controller which has a policy that requires the Authenticated claim. When this isn't present it goes to the AccessDeniedPath and silently performs the login, adding the Authenticated claim along with any other claims; if this is already present then the Access Denied message would appear.

When creating the new ClaimsIdentity I've had to strip most of the Claims in the original identity as I was getting a HTTP 400 - Bad Request (Request Header too long) error message.

Are there any obvious issues with this approach?

Startup.cs

using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        // The cookie is the default scheme. The Windows identity supplied by IIS is
        // read once, in HomeController.Login, and then persisted in the cookie.
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.LoginPath = "/Home/Login";
                options.AccessDeniedPath = "/Home/AccessDenied";
            });

        // Policies are claim-based, so authorization never re-queries AD or the database.
        services.AddAuthorization(options =>
        {
            options.AddPolicy("Authenticated",
                policy => policy.RequireClaim("Authenticated"));
            options.AddPolicy("Admin",
                policy => policy.RequireClaim("Admin"));
        });
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseBrowserLink();
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
        }

        app.UseStaticFiles();
        // Must run before MVC so the cookie principal is populated for [Authorize].
        app.UseAuthentication();

        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}");
        });
    }
}

Controller

using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[Authorize(Policy = "Authenticated")]
public class HomeController : Controller
{
    public IActionResult Index()
    {
        return View();
    }

    [Authorize(Policy = "Admin")]
    public IActionResult About()
    {
        return View();
    }

    [AllowAnonymous]
    public async Task<IActionResult> Login(string returnUrl)
    {
        // With Windows Authentication enabled in IIS, HttpContext.User carries the
        // Windows identity on requests that do not yet have the application cookie.
        var identity = HttpContext.User.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return Unauthorized();   // no Windows identity was negotiated

        // Only a minimal set of claims is copied; the full Windows token (group SIDs)
        // made the cookie large enough to trigger "Request Header too long".
        var claims = new List<Claim>
        {
            new Claim("Authenticated", "True"),
            new Claim(ClaimTypes.Name,
                identity.FindFirst(c => c.Type == ClaimTypes.Name).Value),
            new Claim(ClaimTypes.PrimarySid,
                identity.FindFirst(c => c.Type == ClaimTypes.PrimarySid).Value)
        };

        var claimsIdentity = new ClaimsIdentity(
            claims,
            identity.AuthenticationType,
            identity.NameClaimType,
            identity.RoleClaimType);

        await HttpContext.SignInAsync(
            CookieAuthenticationDefaults.AuthenticationScheme,
            new ClaimsPrincipal(claimsIdentity),
            new AuthenticationProperties());

        // Only follow local return URLs so this endpoint cannot act as an open redirect.
        if (!Url.IsLocalUrl(returnUrl))
            returnUrl = "/";
        return LocalRedirect(returnUrl);
    }

    [AllowAnonymous]
    public IActionResult AccessDenied(string returnUrl)
    {
        // Missing "Authenticated" means the cookie has not been issued yet: sign in
        // silently. If it is present, the user really lacks the required claim.
        if (User.FindFirst("Authenticated") == null)
            return RedirectToAction("Login", new { returnUrl });

        return View();
    }
}

