Is ASP.NET Core Identity needed for Intranet app using Windows Authentication
Question

Using Windows Authentication in an Intranet web application I want to achieve the following:
- Gather additional attributes (name, employee number) from AD
- Gather additional attributes (working hours, salary) from a database table
- Authorize based on application roles (not AD groups)
- Authorize based on AD attributes (has direct reports)
- The user does not supply a username/password

In my search for an answer it is suggested that I need to add ClaimsTransformation to my application:
Populate custom claims from SQL in a .NET Core app using Windows Authentication

I don't fully understand the solution, though, or why ClaimsTransformation happens on every request, so I'm looking for answers to the following:
- Is ASP.NET Core Identity required for ClaimsTransformation to work?
- Does ClaimsTransformation happen on every request with just Windows Authentication or also with form based authentication?
- Does this have to happen on every request?
- Caching claims like GivenName and Surname seems simple, but what about roles? What steps need to be taken to ensure the database isn't hit every time but roles do get updated when there are changes?
- Is there a simpler alternative for what I'm trying to do?
Answer

This article gave me some ideas and here is a possible solution.

Controllers would inherit from a base controller which has a policy that requires the Authenticated claim. When this isn't present it goes to the AccessDeniedPath and silently performs the login, adding the Authenticated claim along with any other claims; if this is already present then the Access Denied message would appear.

When creating the new ClaimsIdentity I've had to strip most of the Claims in the original identity as I was getting a HTTP 400 - Bad Request (Request Header too long) error message.

Are there any obvious issues with this approach?
Startup.cs

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        // The cookie is the default scheme; the Windows identity supplied by IIS is
        // only used once, in the Login action, to issue that cookie.
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.LoginPath = "/Home/Login";
                options.AccessDeniedPath = "/Home/AccessDenied";
            });

        // Policies are satisfied by claims written into the cookie at sign-in.
        services.AddAuthorization(options =>
        {
            options.AddPolicy("Authenticated",
                policy => policy.RequireClaim("Authenticated"));
            options.AddPolicy("Admin",
                policy => policy.RequireClaim("Admin"));
        });
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseBrowserLink();
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
        }

        app.UseStaticFiles();
        app.UseAuthentication();
        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}");
        });
    }
}
```
Controller

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[Authorize(Policy = "Authenticated")]
public class HomeController : Controller
{
    public IActionResult Index()
    {
        return View();
    }

    [Authorize(Policy = "Admin")]
    public IActionResult About()
    {
        return View();
    }

    // Reached via LoginPath when no cookie is present. HttpContext.User is then the
    // Windows identity set by IIS, which is copied (minimally) into a cookie principal.
    [AllowAnonymous]
    public async Task<IActionResult> Login(string returnUrl)
    {
        var identity = ((ClaimsIdentity)HttpContext.User.Identity);

        // Only a few claims are kept: copying all Windows group SIDs made the cookie
        // large enough to trigger HTTP 400 (Request Header too long).
        var claims = new List<Claim>
        {
            new Claim("Authenticated", "True"),
            new Claim(ClaimTypes.Name,
                identity.FindFirst(c => c.Type == ClaimTypes.Name).Value),
            new Claim(ClaimTypes.PrimarySid,
                identity.FindFirst(c => c.Type == ClaimTypes.PrimarySid).Value)
        };

        var claimsIdentity = new ClaimsIdentity(
            claims,
            identity.AuthenticationType,
            identity.NameClaimType,
            identity.RoleClaimType);

        await HttpContext.SignInAsync(
            CookieAuthenticationDefaults.AuthenticationScheme,
            new ClaimsPrincipal(claimsIdentity),
            new AuthenticationProperties());

        // Only follow local return URLs; an absolute returnUrl would be an open redirect.
        if (!Url.IsLocalUrl(returnUrl))
            return RedirectToAction(nameof(Index));
        return Redirect(returnUrl);
    }

    // AccessDeniedPath: with no Authenticated claim the user simply hasn't been signed
    // in yet, so go through Login; otherwise the policy genuinely failed.
    [AllowAnonymous]
    public IActionResult AccessDenied(string returnUrl)
    {
        if (User.FindFirst("Authenticated") == null)
            return RedirectToAction("Login", new { returnUrl });
        return View();
    }
}
```
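The caching question raised above (avoiding a database hit on every request while still picking up role changes), as an added example that is not code from the question or the answer: an IClaimsTransformation that adds application roles from a database lookup and caches them per user SID with a short expiry, so it can run on every request as the framework intends. IAppRoleStore and its GetRolesForSidAsync method are assumed stand-ins for the page's roles table, and the five-minute TTL is an assumption.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Caching.Memory;

// Assumed abstraction over the application's role table; not from the page.
public interface IAppRoleStore
{
    Task<string[]> GetRolesForSidAsync(string sid);
}

public class CachedRoleClaimsTransformation : IClaimsTransformation
{
    public const string AppRoleIdentityType = "ApplicationRoles";
    private static readonly TimeSpan RoleTtl = TimeSpan.FromMinutes(5);
    private readonly IAppRoleStore _roles;
    private readonly IMemoryCache _cache;
    public CachedRoleClaimsTransformation(IAppRoleStore roles, IMemoryCache cache)
    {
        _roles = roles;
        _cache = cache;
    }
    // Remove this key from the cache when an administrator edits a user's roles.
    public static string CacheKey(string sid) => "approles:" + sid;
    // Runs after every successful authentication, possibly more than once per request.
    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // Idempotence: a repeated call in the same request must not add the roles twice.
        if (principal.Identities.Any(i => i.AuthenticationType == AppRoleIdentityType))
            return principal;
        var sid = principal.FindFirst(ClaimTypes.PrimarySid)?.Value;
        if (sid == null) return principal;             // not a Windows identity
        // Keyed by SID (stable across account renames) and expired after RoleTtl, so
        // role edits in the table show up without a restart or clearing cookies.
        var roles = await _cache.GetOrCreateAsync(CacheKey(sid), entry =>
        {
            entry.AbsoluteExpirationRelativeToNow = RoleTtl;
            return _roles.GetRolesForSidAsync(sid);
        });
        // Roles go in a separate identity using ClaimTypes.Role: the Windows identity's
        // RoleClaimType is GroupSid, so role names added there would not satisfy IsInRole.
        var appIdentity = new ClaimsIdentity(
            roles.Select(r => new Claim(ClaimTypes.Role, r)), AppRoleIdentityType);
        var result = new ClaimsPrincipal(principal.Identities);
        result.AddIdentity(appIdentity);
        return result;
    }
}
```

Register it with services.AddMemoryCache() and services.AddTransient<IClaimsTransformation, CachedRoleClaimsTransformation>(); with Windows Authentication as the default scheme this removes the need for the cookie sign-in in the answer, since the transformation runs on each request and the cache keeps the database lookup off the hot path.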