Implementing role based authorization in MVC and Web API with custom table


Question

I have inherited an application with database. The database has following tables related to authentication and authorization.

User table
    UserName
    Password
    UserTypeId

User Type table
    UserTypeId
    UserTypeDesc

The User Type table stores the roles for the user e.g. Admin, Editor, etc.

If I want to implement authorization like below

[Authorize(Roles="Admin, Editor")]
public IHttpActionResult GetOrders()
{
    //Code here
}

Where and what should I code so that the roles are available to the authorize attribute?

Edit

I already have a database. So I cannot use the AspNetUserRoles or AspNetRoles tables. I need to set the roles using my custom tables.

Edit2

As asked by @Nkosi, here is a code snippet of how authentication is implemented. The actual implementation calls the business layer service and performs encryption and other stuff, but I have simplified the snippet.

public HttpResponseMessage Authenticate(User user)
{
    // Simplified: the real implementation goes through the business layer
    // service and performs encryption before the credentials are compared.
    var isValid = myRepository.Exists(a => a.UserName == user.UserName && a.Password == user.Password);
    if (isValid)
    {
        FormsAuthentication.SetAuthCookie(user.UserName, false);
        return Request.CreateResponse(HttpStatusCode.OK);
    }
    return Request.CreateResponse(HttpStatusCode.Unauthorized);
}

This method is called from the login page where the user enters the UserName and Password.

Answer

Using these answers as reference:

Forms Authentication roles issue

FormsAuthentication roles without Membership

After having set the auth cookie on login like you did originally, you can do the following in Global.asax.cs:

using System.Security.Claims;
using System.Web;
using System.Web.Security;

protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    var authCookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];

    if (authCookie != null)
    {
        // Decrypt the ticket that SetAuthCookie wrote on login
        var ticket = FormsAuthentication.Decrypt(authCookie.Value);

        FormsIdentity formsIdentity = new FormsIdentity(ticket);

        ClaimsIdentity claimsIdentity = new ClaimsIdentity(formsIdentity);

        //get the user from your custom tables/repository
        var user = myUserRepository.GetUserByEmail(ticket.Name);
        if (user != null)
        {
            var userTypeId = user.UserTypeId;
            var role = myUserTypeRepository.GetUserTypeById(userTypeId);
            if (role != null)
            {
                //Assuming the roles for the user e.g. Admin, Editor, etc.
                // is in the UserTypeDesc property
                claimsIdentity.AddClaim(new Claim(ClaimTypes.Role, role.UserTypeDesc));
            }
        }
        ClaimsPrincipal claimsPrincipal = new ClaimsPrincipal(claimsIdentity);

        // Make the principal visible to both the thread and the request
        System.Threading.Thread.CurrentPrincipal = claimsPrincipal;
        if (System.Web.HttpContext.Current != null)
        {
            System.Web.HttpContext.Current.User = claimsPrincipal;
        }
    }
}

The nice thing about how they implemented it is that it handles Claims based roles using the ClaimsIdentity and ClaimsPrincipal objects, without putting the roles in the user's cookie. It also handles authentication in the Global.asax.cs file without having to resort to putting in custom authorize attributes.
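As an added illustration (not part of the answer above), the following builds the principal the same way the Global.asax handler does and shows what [Authorize(Roles="Admin, Editor")] ends up checking: ClaimsPrincipal.IsInRole against the ClaimTypes.Role claims. The two dictionaries are constructed stand-ins for the User and User Type tables, and GenericIdentity takes the place of FormsIdentity so the sample runs without System.Web.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Principal;

static class RolePrincipalDemo
{
    // Constructed sample rows: User (UserName -> UserTypeId) and User Type (UserTypeId -> UserTypeDesc)
    static readonly Dictionary<string, int> Users =
        new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase) { ["alice"] = 1, ["bob"] = 2 };
    static readonly Dictionary<int, string> UserTypes =
        new Dictionary<int, string> { [1] = "Admin", [2] = "Editor" };

    // Mirrors Application_AuthenticateRequest: ticketName is what ticket.Name would hold.
    public static ClaimsPrincipal BuildPrincipal(string ticketName)
    {
        // GenericIdentity stands in for FormsIdentity(ticket); both are IIdentity.
        var identity = new ClaimsIdentity(new GenericIdentity(ticketName, "Forms"));
        if (Users.TryGetValue(ticketName, out var userTypeId)
            && UserTypes.TryGetValue(userTypeId, out var roleName))
        {
            // ClaimTypes.Role is the identity's default RoleClaimType, so IsInRole sees it.
            identity.AddClaim(new Claim(ClaimTypes.Role, roleName));
        }
        // A valid ticket whose user is missing from the table gets no role claim at all.
        return new ClaimsPrincipal(identity);
    }

    // What the Roles list of the Authorize attribute effectively evaluates:
    // authenticated, and a member of at least one of the comma-separated roles.
    public static bool IsAuthorized(IPrincipal principal, string roles)
    {
        if (principal?.Identity == null || !principal.Identity.IsAuthenticated) return false;
        if (string.IsNullOrWhiteSpace(roles)) return true;
        foreach (var role in roles.Split(','))
        {
            if (principal.IsInRole(role.Trim())) return true;
        }
        return false;
    }

    static void Main()
    {
        Console.WriteLine(IsAuthorized(BuildPrincipal("alice"), "Admin, Editor"));
        Console.WriteLine(IsAuthorized(BuildPrincipal("bob"), "Admin"));
        Console.WriteLine(IsAuthorized(BuildPrincipal("mallory"), "Admin, Editor"));
    }
}
```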
