ASP.NET MVC 3自定义验证/授权 [英] ASP.NET MVC 3 Custom Authentication/Authorization

问题描述

我已搜查所有在互联网上和左右，我发现关于这个主题的一些优秀的东西，但我有我仍然不确定的几个问题：

I have searched all over the internet and SO, and I have found some good stuff on this topic, but I have a few questions that I am still unsure about:

1）我使用窗体身份验证使用自定义身份验证提供程序。于是我使用授权属性，并在web.config中仍部分，但基本上当的FormsAuthenticationTicket 不存在，我重定向到一个登录页面（在web.config中指定），然后利用自定义身份验证提供权威性地对一个数据库用户，然后发出的FormsAuthenticationTicket 。这是正确的？

1) I am using Forms Authentication with a custom Authentication provider. So I use the Authorize attribute and the section in the web.config still, but basically when the FormsAuthenticationTicket does not exist, I redirect to a login page (specified in the web.config) which then utilizes the custom Authentication Provider to auth the user against a db and then issues the FormsAuthenticationTicket. Is this correct?

2）我应该使用自定义的授权属性，或者我应该只是注入的GenericPrincipal 到的HttpContext 从在Global.asax页面中的 Application_AuthenticateRequest 事件处理程序？或者我应该使用 User.IsInRole insode控制器操作？

2) Should I be using a custom Authorize attribute or should I just inject a GenericPrincipal into the HttpContext from the Application_AuthenticateRequest event handler in the global.asax page? Or should I be using User.IsInRole insode of the controller actions?

我只需要基于角色的授权，我认为我的身份认证方案是pretty不错。

I just need role based authorization, and I think my Authentication Scheme is pretty good.

任何指针/建议吗？

谢谢，
山姆

修改

所以，从我已阅读，这是最好的选择是创建一个自定义的 AuthorizeAttribute 并重写 AuthorizeCore 。

So from what I have read, the best option for this is to create a custom AuthorizeAttribute and override the AuthorizeCore.

所以我做了什么是这样的：

So what I have done is this:

public class CustomAuthorize : System.Web.Mvc.AuthorizeAttribute
    {
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            if (httpContext.User.Identity.IsAuthenticated)
            {
                var model = AdminUserViewModel.FromJsonString(((FormsIdentity)httpContext.User.Identity).Ticket.UserData);
                httpContext.User = new GenericPrincipal(HttpContext.Current.User.Identity, model.SecurityGroups.Select(x => x.Name).ToArray());
            }
            return base.AuthorizeCore(httpContext);
        }

        protected override void HandleUnauthorizedRequest(System.Web.Mvc.AuthorizationContext filterContext)
        {
            //base.HandleUnauthorizedRequest(filterContext);
            filterContext.Result = new System.Web.Mvc.RedirectResult("/Authentication/NotAuthorized", false);
        }
    }

简单地注入与存储在的FormsAuthenticationTicket 的UserData 属性中的角色新主体/身份。然后让基做休息。

Simply inject a new principal/identity with the roles that are stored in the FormsAuthenticationTicket UserData property. Then let the base do the rest.

这个问题似乎可以吗？

编辑＃2

我使用的是 Application_AuthenticateRequest 在IIS7在Global.asax，因为综合管线的有点疲惫，每个请求触发这个事件，图像，CSS，JS ...

I am a little weary of using the Application_AuthenticateRequest in the global.asax with IIS7, because of the integrated pipeline, every request fires that event, images, css, js...

这是正确的？

推荐答案

1）我做同样的事情。

1) I do the same thing.

2）我使用授权属性和Application_AuthenticateRequest事件处理程序。

2) I use Authorize attribute and Application_AuthenticateRequest event handler.

在Application_AuthenticateRequest事件处理程序，我做这样的事情：

In Application_AuthenticateRequest event handler I do something like this:

    string[] roles = authenticationTicket.UserData.Split(',');

    if (Context.User != null)
        Context.User = new GenericPrincipal(Context.User.Identity, roles);

和在控制器或行动水平我做这样的事情：

And at controller or action level I do something like this:

    [Authorize(Roles = "Admin, SuperAdmin")]

这篇关于ASP.NET MVC 3自定义验证/授权的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！