ASP.NET MVC 3自定义验证/授权 [英] ASP.NET MVC 3 Custom Authentication/Authorization
问题描述
我已搜查所有在互联网上和左右,我发现关于这个主题的一些优秀的东西,但我有我仍然不确定的几个问题:
I have searched all over the internet and SO, and I have found some good stuff on this topic, but I have a few questions that I am still unsure about:
1)我使用窗体身份验证使用自定义身份验证提供程序。于是我使用授权
属性,并在web.config中仍部分,但基本上当的FormsAuthenticationTicket
不存在,我重定向到一个登录页面(在web.config中指定),然后利用自定义身份验证提供权威性地对一个数据库用户,然后发出的FormsAuthenticationTicket
。这是正确的?
1) I am using Forms Authentication with a custom Authentication provider. So I use the Authorize
attribute and the section in the web.config still, but basically when the FormsAuthenticationTicket
does not exist, I redirect to a login page (specified in the web.config) which then utilizes the custom Authentication Provider to auth the user against a db and then issues the FormsAuthenticationTicket
. Is this correct?
2)我应该使用自定义的授权
属性,或者我应该只是注入的GenericPrincipal
到的HttpContext
从在Global.asax页面中的 Application_AuthenticateRequest
事件处理程序?或者我应该使用 User.IsInRole
insode控制器操作?
2) Should I be using a custom Authorize
attribute or should I just inject a GenericPrincipal
into the HttpContext
from the Application_AuthenticateRequest
event handler in the global.asax page? Or should I be using User.IsInRole
insode of the controller actions?
我只需要基于角色的授权,我认为我的身份认证方案是pretty不错。
I just need role based authorization, and I think my Authentication Scheme is pretty good.
任何指针/建议吗?
谢谢,
山姆
修改
所以,从我已阅读,这是最好的选择是创建一个自定义的 AuthorizeAttribute
并重写 AuthorizeCore
。
So from what I have read, the best option for this is to create a custom AuthorizeAttribute
and override the AuthorizeCore
.
所以我做了什么是这样的:
So what I have done is this:
public class CustomAuthorize : System.Web.Mvc.AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (httpContext.User.Identity.IsAuthenticated)
{
var model = AdminUserViewModel.FromJsonString(((FormsIdentity)httpContext.User.Identity).Ticket.UserData);
httpContext.User = new GenericPrincipal(HttpContext.Current.User.Identity, model.SecurityGroups.Select(x => x.Name).ToArray());
}
return base.AuthorizeCore(httpContext);
}
protected override void HandleUnauthorizedRequest(System.Web.Mvc.AuthorizationContext filterContext)
{
//base.HandleUnauthorizedRequest(filterContext);
filterContext.Result = new System.Web.Mvc.RedirectResult("/Authentication/NotAuthorized", false);
}
}
简单地注入与存储在的FormsAuthenticationTicket
的UserData code>属性中的角色新主体/身份。然后让基做休息。
Simply inject a new principal/identity with the roles that are stored in the FormsAuthenticationTicket
UserData
property. Then let the base do the rest.
这个问题似乎可以吗?
编辑#2
我使用的是 Application_AuthenticateRequest
在IIS7在Global.asax,因为综合管线的有点疲惫,每个请求触发这个事件,图像,CSS,JS ...
I am a little weary of using the Application_AuthenticateRequest
in the global.asax with IIS7, because of the integrated pipeline, every request fires that event, images, css, js...
这是正确的?
推荐答案
1)我做同样的事情。
1) I do the same thing.
2)我使用授权属性和Application_AuthenticateRequest事件处理程序。
2) I use Authorize attribute and Application_AuthenticateRequest event handler.
在Application_AuthenticateRequest事件处理程序,我做这样的事情:
In Application_AuthenticateRequest event handler I do something like this:
string[] roles = authenticationTicket.UserData.Split(',');
if (Context.User != null)
Context.User = new GenericPrincipal(Context.User.Identity, roles);
和在控制器或行动水平我做这样的事情:
And at controller or action level I do something like this:
[Authorize(Roles = "Admin, SuperAdmin")]
这篇关于ASP.NET MVC 3自定义验证/授权的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!