HttpContext.Current.User != HttpContext.User?


Question

Is HttpContext.Current.User in global asax not the same as HttpContext.User in an action method? I assigned the user some roles, but they seem to get lost.

The code below shows what is happening. Both Asserts get hit when a user is logged on, first in global asax, then the action method. However they give different results.

First, this:

protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    // ... omitted some code to check user is authenticated
    FormsIdentity identity = (FormsIdentity)HttpContext.Current.User.Identity;

    string[] roles = new string[] { "admin", "user" };

    HttpContext.Current.User =
        new System.Security.Principal.GenericPrincipal(identity, roles);

    Assert(HttpContext.User.IsInRole("admin"));
}

Then this in my action method:

public ActionResult Index()
{
    bool isAdmin = HttpContext.User.IsInRole("admin");

    Assert(isAdmin); // this fails, isAdmin is false

    // ...
}

I used the following resources:

This answer

http://csharpdotnetfreak.blogspot.com/2009/02/formsauthentication-ticket-roles-aspnet.html

Recommended answer

Your question tags say "aspnet-mvc (3 and 4)", so do you have the option of using the following to make your life easier? (If you are using Simple Membership <http://msdn.microsoft.com/en-us/library/webmatrix.webdata.simplemembershipprovider%28v=vs.111%29.aspx> from the MVC 4 Internet Application template in VS2012, this will just work out of the box for you):

  • WebSecurity.CreateUserAndAccount(name, password) - to create a user
  • Roles.AddUserToRole (and AddUserToRoles) - add a user to a role
  • Roles.IsUserInRole - tests if a user is in a role
  • [Authorize(Roles = "admin")] - [Authorize] can enforce roles on an entire controller, or on an action

CreateUserAndAccount has the advantage that it's easy to set properties for the UserProfile as well, for example:

WebSecurity.CreateUserAndAccount(newUser.UserName, newUser.Password,
    new { FullName = newUser.FullName, Email = newUser.Email, Timezone = newUser.TZ });
Roles.AddUserToRoles(newUser.UserName, new[] {"admin", "user"});

Edit, I realise the above doesn't answer your original question about .User property equivalence.

HttpContext in a Controller is a property: Controller.HttpContext <http://msdn.microsoft.com/en-us/library/system.web.mvc.controller.httpcontext.aspx>. HttpContext in global.asax.cs is the static class, so that's why you use HttpContext.Current. They refer to the same thing.

If you run the following code, you can see they are apparently the "same principal". So the question is what happened to the roles you assigned?

protected void Application_AuthenticateRequest(object sender, EventArgs e) {
    // ...
    FormsIdentity identity = (FormsIdentity)HttpContext.Current.User.Identity;
    string[] roles = new string[] { "admin", "user" };
    identity.Label = "test label";
    System.Security.Principal.GenericPrincipal ppl = new System.Security.Principal.GenericPrincipal(identity, roles);
    HttpContext.Current.User = ppl;
    // ...
}

public ActionResult Index() {
    bool isAdmin = HttpContext.User.IsInRole("admin");
    bool isAdmin2 = System.Web.HttpContext.Current.User.IsInRole("admin");
    System.Web.Security.FormsIdentity identity = (System.Web.Security.FormsIdentity)HttpContext.User.Identity;

    // The label is carried through from Application_AuthenticateRequest to Index.
    string label = identity.Label;

    return View();
}

The problem is, you assigned a GenericPrincipal to .User. Depending on the RoleProvider, this can be overwritten (e.g. by the RoleManagerModule) during PostAuthenticateRequest and (for example) turned into a RolePrincipal. This can then defer back to the database (again depending on provider) to get the roles, so over-writing your roles. If you do the work in Application_OnPostAuthenticateRequest you might be ok.
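
A sketch of the suggestion above, as an added example that is not code from the original question or answer: the principal is replaced in Application_OnPostAuthenticateRequest rather than in Application_AuthenticateRequest. It assumes the login code stored the user's roles as a comma-separated string in the forms ticket's UserData; the MvcApplication and HomeController class names are illustrative.

```csharp
// Global.asax.cs (added example; class names and the role storage format are assumptions)
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public class MvcApplication : HttpApplication
{
    // PostAuthenticateRequest is the stage in which, per the answer, a
    // principal set earlier can be replaced, so the roles are attached here.
    protected void Application_OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal current = Context.User;
        if (current == null || !current.Identity.IsAuthenticated)
            return; // anonymous request: leave the principal untouched

        // Only forms-authenticated users carry a ticket; avoid a blind cast.
        var identity = current.Identity as FormsIdentity;
        if (identity == null)
            return;

        // Assumption: roles were written to UserData at login as "admin,user".
        // With the default forms protection setting (All) the ticket is
        // encrypted and validated, so the value comes from the server, not
        // from anything the client can edit.
        string[] roles = (identity.Ticket.UserData ?? string.Empty)
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);

        var principal = new GenericPrincipal(identity, roles);
        Context.User = principal;            // what Controller.HttpContext.User returns
        Thread.CurrentPrincipal = principal; // keep the thread principal consistent
    }
}

public class HomeController : Controller
{
    // Enforce the role declaratively instead of asserting inside the action.
    [Authorize(Roles = "admin")]
    public ActionResult Index()
    {
        return View();
    }
}
```

If a role provider is enabled in web.config, check in the action which principal type actually arrives (GenericPrincipal or RolePrincipal) before relying on this.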
