如何在ASP.NET MVC 3 Intranet应用程序中对用户进行重新身份验证? [英] How do I re-authenticate a user in an ASP.NET MVC 3 Intranet application?
问题描述
该应用程序已在使用Windows集成安全性,而不是Forms.我要完成的工作是针对以下情况的所谓的逐步"身份验证或强制重新身份验证":
The application is already using Windows integrated security, not Forms. What I am trying to accomplish is a so called "step-up" authentication, or "force re-authentication" for the following scenario:
- 用户正在浏览网站,进行一些琐碎的事情
- 突然,用户必须执行敏感操作,例如授权 资源分配或确认汽车贷款或类似的东西
- 在将用户重定向到之前,系统会提示用户输入凭据 敏感页面,其方式类似于SharePoint的登录为 其他用户"
- 当且仅当输入的凭据为 与当前登录用户的应用程序相同 进入敏感区域.
- the user is browsing the site doing common, trivial stuff
- suddenly, the user has to do a sensitive action such as authorizing a resource allocation or confirming a car loan or something similar
- the user is prompted for the credential before (s)he's redirected to the sensitive page, in a manner similar to SharePoint's "Sign In as a Different User"
- if, and only if, the credentials entered are the same as for the currently logged-in user the application proceeds to the sensitive area.
这将防止以下两个问题:
This would prevent the following two issues:
- 用户去开会或喝咖啡,却忘记锁定 工作站和同事使用会话访问敏感 区域
- 用户输入其老板的凭据(因为 说他偷看老板的肩膀)进入敏感区域.
- The user goes for a meeting or a coffee and forgets to lock the workstation and a colleague uses the session to access the sensitive area
- The user enters the credentials of his or her boss (because, let's say he peeked over the boss' shoulder) to access the sensitive area.
我知道,有人会认为这是偏执狂",但也有人会说这是常识,应该在某个框架(jQuery或.NET)中构建
I know, some would look at this as "being paranoid", but also some would say it's common sense and should be build in a framework somewhere (jQuery or .NET)
推荐答案
让表单将凭据与请求一起发送以执行该操作,即某些操作要求您提供用户名/密码.使用PrincipalContext ValidateCredentials 方法来确保已输入正确的凭据并检查提供的用户名是否与User.Identity对象中的当前用户名匹配.
Have the form send the credentials along with the request to perform the action, i.e., some actions require that you provide username/password. Use the PrincipalContext ValidateCredentials method to ensure that the proper credentials have been entered and check that the username supplied matches the current username in the User.Identity object.
public ActionResult SensitiveAction( SensitiveModel model, string username, string password )
{
using (var context = new PrincipalContext(ContextType.Domain))
{
if (!string.Equals(this.User.Identity.Name,username,StringComparison.OrdinalIgnoreCase)
|| !context.ValidateCredentials(username,password))
{
return View("PermissionDenied");
}
}
...
}
这篇关于如何在ASP.NET MVC 3 Intranet应用程序中对用户进行重新身份验证?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
