ASP.NET MVC Controller Constructor Called Before Authentication


Problem description

I have an ASP.NET MVC application with a controller that looks something like this:

[Authorize]
public class MyController : Controller
{
    IMyRepository myRepository;

    public MyController(IMyRepository myRepository)
    {
        this.myRepository = myRepository;
    }

    ...
}

I have noticed that this constructor gets called prior to authenticating the user, so if you are visiting the page for the first time the constructor is called prior to redirecting you to the login screen. There are many problems with this: the login page loads slower, the site has greater exposure to DoS attacks, and I'm a little nervous about unauthenticated, unauthorized users being able to invoke code 'behind the walls', so to speak.

I could check the incoming request in the constructor and bail unless the user is authorized, but I'm using IOC (Windsor), which makes that a bit tricky; my repository is going to be initialized regardless of whether or not I store the instance, so I'd be left checking authentication in each repository's constructor. Is there an easy way to get .NET MVC to authenticate the user prior to invoking the constructor? I'm thinking something like adding [PrincipalPermission(SecurityAction.Demand, Authenticated = true)] to the controller, but there might be a better way still.

Edit:

Ok, not too happy about it, but the show must go on for now. I cannot delay initializing the repository until some later point in time from within the controller. When your controller uses IOC as in my example, you get an already instantiated implementation of your repository interface at the time that the controller is instantiated. If I had control over the repository being created, I could easily just call IsAuthenticated, no need for a new method. In order to take control of the repository initialization you would have to implement some sort of lazy/late initialization in the repository itself in each implementation. I do not like this solution because it adds needless complexity and more importantly coupling between the controller and repository. The repository implementation(s) may be used in other contexts where lazy initialization doesn't make sense IMHO.

Recommended answer

You can use HttpModules (or HttpHandler) to authenticate the request earlier in the pipeline.

  • MSDN: Introduction to HTTP Modules
  • MSDN: Implementing Intercepting Filter in ASP.NET Using HTTP Module

Edit

With the introduction of OWIN you can configure the entire request pipeline middleware and put authorization at whatever stage you want. Same idea as above but a bit easier to implement.
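The HttpModule approach from the answer, sketched as an added example (not code from the original question or answer): the module rejects unauthenticated requests at PostAuthenticateRequest, which runs before the MVC handler executes and therefore before the IoC container builds the controller and its repository. The class name EarlyAuthorizationModule and the anonymous paths are assumptions to adapt to the application.

```csharp
using System;
using System.Web;

// Hypothetical module name; register it under <system.webServer><modules> in web.config.
public sealed class EarlyAuthorizationModule : IHttpModule
{
    // Assumed anonymous endpoints: the login action is matched exactly,
    // static asset folders are matched by directory prefix.
    private static readonly string[] AnonymousExact = { "~/Account/Login" };
    private static readonly string[] AnonymousFolders = { "~/Content/", "~/Scripts/" };

    public void Init(HttpApplication app)
    {
        // By this event the authentication module (e.g. forms authentication)
        // has populated the user, but no handler has been executed yet, so no
        // controller or repository has been constructed.
        app.PostAuthenticateRequest += OnPostAuthenticate;
    }

    private static void OnPostAuthenticate(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        if (context.Request.IsAuthenticated || IsAnonymousPath(context.Request))
            return;

        // With forms authentication enabled, the 401 is turned into the usual
        // redirect to the login page at EndRequest.
        context.Response.StatusCode = 401;
        // Skip the rest of the pipeline, including MvcHandler and controller creation.
        context.ApplicationInstance.CompleteRequest();
    }

    private static bool IsAnonymousPath(HttpRequest request)
    {
        string path = request.AppRelativeCurrentExecutionFilePath;
        foreach (string exact in AnonymousExact)
            if (string.Equals(path, exact, StringComparison.OrdinalIgnoreCase))
                return true;
        foreach (string folder in AnonymousFolders)
            if (path.StartsWith(folder, StringComparison.OrdinalIgnoreCase))
                return true;
        return false;
    }

    public void Dispose() { }
}
```

Keep [Authorize] on the controllers as well: the module only checks that the caller is authenticated, while role and per-action rules still belong to the MVC filters.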
