在ASP.NET MVC4基于配置的身份验证 [英] Config-based authentication in ASP.NET MVC4
问题描述
我有一个ASP.NET MVC4网页即,在大多数情况下,不进行认证访问。还有的是,我要保护只有管理员权限(ELMAH的错误日志,特别是)一个页面。因为我只需要一个管理员登录,我想避免维护用户/密码数据库的复杂性。
I have an ASP.NET MVC4 web page that is, for the most part, accessed without authentication. There is a single page that I want to protect for admin-only access (ELMAH's error log, specifically). Since I only require a single admin login, I'd like to avoid the complexity of maintaining a user/password database.
我做了一些研究,我发现,ASP.NET的previous版本提供了使用窗体身份验证在web.config中加密的密码的功能:
I've done some research, and I've found that previous versions of ASP.NET provide the ability to use Forms Authentication with a password encrypted in the web.config:
<forms loginUrl="Admin" name=".ASPXFORMSAUTH">
<credentials passwordFormat="SHA1">
<user name="admin" password="encryptedPassword" />
</credentials>
</forms>
然后,认证控制器使用 FormsAuthentication.Authenticate 和 FormsAuthentication.RedirectFromLoginPage 来验证输入凭据。不过,我犹豫要使用此解决方案,因为:
Then, the authentication controller uses FormsAuthentication.Authenticate and FormsAuthentication.RedirectFromLoginPage to validate entered credentials. However, I'm hesitant to use this solution because:
- 的
FormsAuthentication.AuthenticateAPI现在<一个href=\"http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.authenticate.aspx\"相对=nofollow>过时。 -
FormsAuthentication.RedirectFromLoginPage将用户重定向直接,而不是返回RedirectResult。这并不遵循MVC控制器管线等之类的单元测试会比较困难。
- The
FormsAuthentication.AuthenticateAPI is now obsolete. FormsAuthentication.RedirectFromLoginPagewill redirect the user directly, rather than returning aRedirectResult. This doesn't follow the MVC controller pipeline, and so things like unit testing would be more difficult.
通过MSDN样品和默认模板寻找,看来WebMatrix中的<一href=\"http://msdn.microsoft.com/en-us/library/webmatrix.webdata.websecurity.login%28v=vs.111%29.aspx\"相对=nofollow> WebSecurity.Login API是在MVC应用做Forms身份验证的新标准。但是,我还没有找到一种方法来使用本地(即基于配置 - )身份验证提供者。
Looking through MSDN samples and the default template, it appears that WebMatrix's WebSecurity.Login API is the new standard for doing Forms Authentication in MVC applications. But, I haven't found a way to use a local (i.e. config-based) authentication provider.
有没有做本地认证推荐的方式,或者这被认为是一种不好的做法?什么是最简单的方法来提供admin认证不考虑外部的依赖?
Is there a recommended way to do local authentication, or is this considered a bad practice? What's the simplest method to provide admin authentication without taking on external dependencies?
推荐答案
WebSecurity.Login 不是新标准的认证。它更喜欢新的新手友好的标准。 WebSecurity只有真正支持SimpleMembership,那就是真的只是用于简单的应用程序。
WebSecurity.Login is not "the new standard" for authentication. It's more like the new "newbie friendly standard". WebSecurity only really supports SimpleMembership, and that is really simply designed for simple applications.
FormsAuthentication.Authenticate 一直没有很长一段时间的好选择,所以实际上它现在是正式去precated不是什么大不了的事。
FormsAuthentication.Authenticate has not been a good choice for a long time, so the fact that it's now officially deprecated is not a big deal.
您也许应该使用反正成员,并使用Membership.ValidateUser验证凭据。或者,使用类似Windows标识基础。
You should probably be using Membership anyways, and use Membership.ValidateUser to validate credentials. Or, use something like Windows Identity Foundation.
这篇关于在ASP.NET MVC4基于配置的身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
