How to implement authorization checks in ASP.NET MVC based on Session data?


Question

This will be my first ASP.NET MVC application with forms authentication, so I am trying to make sure I don't miss anything. The scenario is this: public / secured areas.

Within the private area it is limited even further to specific areas / users. These 'Areas' are defined by customizations to the base area that are customized per user group.

So for example a user could get to the URL /Area/Controller/Action. They would need to have permission to the secured area or they would be redirected to the sign-in view.

I have been reading about the AuthorizeAttribute but I am not sure how/where I should be doing these basic checks. My initial hunch would be to store a user object in the session after a successful sign-in, with the user's IP and details about what they have access to, etc.

The authorization check for each secured controller call would verify that a valid user object exists in the session, that the IPs still match up, and that the user has access to the specific area. Are there any obvious holes in this setup?

Edit: Where/how do I implement these checks so that when a controller is tagged with [Authorize] it will perform those session object checks?

Any pointers or suggestions would be much appreciated. Thanks.

Answer

Well, it looks like I went with a custom AuthorizeAttribute. It was actually very simple. Here is the code:

using System;
using System.Web;
using System.Web.Mvc;

namespace MyApp.Custom.Security
{
    public class Secure : AuthorizeAttribute
    {
        /// <summary>
        /// Checks to see if the user is authenticated and has a valid session object.
        /// Overriding AuthorizeCore (rather than OnAuthorization) keeps the base class's
        /// output-cache handling, which re-runs this check for cached responses.
        /// </summary>
        /// <param name="httpContext">The current request context supplied by MVC.</param>
        /// <returns>true to allow the request; false to trigger HandleUnauthorizedRequest.</returns>
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            if (httpContext == null) throw new ArgumentNullException("httpContext");

            // Make sure the user is authenticated (forms auth ticket present and valid).
            if (httpContext.User.Identity.IsAuthenticated == false) return false;

            // This will check my session variable and a few other things.
            // (Helpers.SecurityHelper.IsSignedIn is the answerer's own helper; it is not shown in the post.)
            return Helpers.SecurityHelper.IsSignedIn();
        }
    }
}

Then on my controllers I just have to put a [Secure] attribute and it uses my function above any time that controller is accessed. Pretty simple. I also made a [SecureByRole] attribute that does all the same stuff but checks my custom role information as well. No need for all that built-in voodoo from the canned Membership :)
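The answer above leaves the session check inside an unshown helper. Below is an added example, written for this page and not taken from the original post or the answerer's project, of what the full scheme described in the question looks like when it is put into a custom AuthorizeAttribute: a user object stored in Session at sign-in, a check that the forms ticket and the session object name the same account, the IP comparison, and the per-area permission taken from the "area" route data token. The SessionUser class, the SignIn helper, the session key name, and the set of failure reasons are all assumptions made for the example; the ASP.NET MVC and System.Web APIs used are real.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

namespace MyApp.Custom.Security
{
    // Assumed shape of the "user object in the session" the question proposes.
    [Serializable]
    public class SessionUser
    {
        public string UserName { get; set; }
        public string SignInIp { get; set; }
        public string[] AllowedAreas { get; set; }
    }

    /// <summary>
    /// Grants the request only when: forms authentication says the caller is signed in,
    /// a SessionUser exists in Session for the same account, the client IP still matches
    /// the one recorded at sign-in, and the user is entitled to the current MVC area.
    /// </summary>
    public class SecureArea : AuthorizeAttribute
    {
        public const string SessionKey = "MyApp.SessionUser";       // assumed key name
        private const string ReasonKey = "MyApp.SecureArea.Reason"; // per-request scratch slot

        // Call this from the sign-in action after the credentials have been verified.
        public static void SignIn(HttpContextBase ctx, string userName, string[] allowedAreas)
        {
            FormsAuthentication.SetAuthCookie(userName, false);
            ctx.Session[SessionKey] = new SessionUser
            {
                UserName = userName,
                SignInIp = ctx.Request.UserHostAddress,
                AllowedAreas = allowedAreas ?? new string[0]
            };
        }

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            if (httpContext == null) throw new ArgumentNullException("httpContext");

            if (!httpContext.User.Identity.IsAuthenticated)
                return Deny(httpContext, "unauthenticated");

            var user = httpContext.Session == null ? null : httpContext.Session[SessionKey] as SessionUser;
            if (user == null)
                return Deny(httpContext, "no-session"); // timed out, app pool recycled, or never signed in here

            // The forms ticket and the session object must name the same account.
            if (!string.Equals(user.UserName, httpContext.User.Identity.Name, StringComparison.OrdinalIgnoreCase))
                return Deny(httpContext, "identity-mismatch");

            if (!SameAddress(user.SignInIp, httpContext.Request.UserHostAddress))
                return Deny(httpContext, "ip-mismatch");

            // The area name is the "area" data token that AreaRegistration puts on area routes.
            var area = CurrentArea(httpContext);
            if (area != null && !user.AllowedAreas.Contains(area, StringComparer.OrdinalIgnoreCase))
                return Deny(httpContext, "area-forbidden");

            return true;
        }

        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            var reason = filterContext.HttpContext.Items[ReasonKey] as string;
            if (reason == "area-forbidden")
            {
                // Signed in but not entitled: a 401 here would bounce an authenticated user
                // through the login page in a loop, so answer 403 instead.
                filterContext.Result = new HttpStatusCodeResult(403);
                return;
            }

            // Session missing or binding broken: tear down both halves of the login so the user
            // must sign in again, then let the base class emit the 401 that
            // FormsAuthenticationModule turns into the redirect to the login page.
            FormsAuthentication.SignOut();
            if (filterContext.HttpContext.Session != null) filterContext.HttpContext.Session.Abandon();
            base.HandleUnauthorizedRequest(filterContext);
        }

        private static bool Deny(HttpContextBase ctx, string reason)
        {
            ctx.Items[ReasonKey] = reason;
            return false;
        }

        // Compare parsed addresses, not strings, so "::ffff:10.0.0.5" and "10.0.0.5"
        // are not mistaken for a changed client.
        private static bool SameAddress(string recorded, string current)
        {
            IPAddress a, b;
            if (!IPAddress.TryParse(recorded ?? "", out a) || !IPAddress.TryParse(current ?? "", out b))
                return false;
            if (a.IsIPv4MappedToIPv6) a = a.MapToIPv4();
            if (b.IsIPv4MappedToIPv6) b = b.MapToIPv4();
            return a.Equals(b);
        }

        private static string CurrentArea(HttpContextBase httpContext)
        {
            var requestContext = httpContext.Request.RequestContext;
            if (requestContext == null || requestContext.RouteData == null) return null;
            return requestContext.RouteData.DataTokens["area"] as string;
        }
    }
}
```

Decorate controllers (or individual actions) with [SecureArea]; controllers outside any area see a null area token and are subject only to the sign-in, session and IP checks. Three points a reviewer would raise against the scheme as the question describes it: Request.UserHostAddress is the address of the immediate peer, so behind a load balancer or reverse proxy every client appears to come from the proxy and the IP binding either never fails or has to be fed from a trusted forwarded-for header; mobile and NAT'd corporate users change addresses legitimately, so an IP mismatch is better treated as "sign in again" than as an attack; and because authorization now hinges on Session, the ASP.NET_SessionId cookie is a credential in its own right, so mark it HttpOnly and Secure and issue a fresh session ID at sign-in rather than keeping the one the browser held before authentication.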
