自定义的IIdentity和IPrincipal的使用MVC2的FormsAuthenticationTicket饼干 [英] Custom IIdentity and IPrincipal using FormsAuthenticationTicket cookie in MVC2

问题描述

我目前想实现在ASP.NET MVC2 Web应用程序的一些自定义的安全性。

I am currently trying to implement some custom security in an ASP.NET MVC2 web application.

我试图做一些非常简单的，如下所示我的code，但由于某些原因，如果我使用 [授权（角色=管理员）] 属性对我的控制器动作之一，检查 Context.User.IsInRole（管理员）或 Page.User.IsInRole（管理员） 它始终是假的。

I am trying to do something really simple as my code below shows but for some reason if I use the [Authorize(Roles="Admins")] attribute on one of my controller actions, check the Context.User.IsInRole("Admins") or Page.User.IsInRole("Admins") it is always false.

这也是奇怪的是， User.Identity.Name 也是空白的。

It is also weird that the User.Identity.Name is also blank.

请参阅我的code以下，我使用一个cookie中的一个的FormsAuthenticationTicket，然后我在 Application_AuthenticateRequest 事件句柄我Gloabl.asax中使用设置上下文。用户使用的GenericPrincipal 对象。

See my code below, I am using a FormsAuthenticationTicket within a cookie which I then use in the Application_AuthenticateRequest event handle within my Gloabl.asax to set the Context.User with a GenericPrincipal object.

我的登录code：

[AcceptVerbs(HttpVerbs.Post)]
        public ActionResult Login(string username, string password)
        {  

            //this would obviously do a check against the supplied username and password
            if (true)
            {
                FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, username, DateTime.Now,
                DateTime.Now.AddMinutes(15), false, "Admins|Users|Members");

                string encTicket = FormsAuthentication.Encrypt(ticket);

                HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket);

                this.Response.Cookies.Add(cookie);
                string url = FormsAuthentication.GetRedirectUrl(username, false);

                Response.Redirect(url);               
            }


            return View();

        }

我的Global.asax code：

My Global.asax Code:

        void MvcApplication_AuthenticateRequest(object sender, EventArgs e)
        {
            HttpApplication application = (HttpApplication)sender;
            HttpContext context = application.Context;

            var cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];

            if (cookie != null)
            {                  

                // Get the authentication ticket 
                // and rebuild the principal & identity
                FormsAuthenticationTicket authTicket =
                  FormsAuthentication.Decrypt(cookie.Value);
                string[] roles = authTicket.UserData.Split(new Char[] { '|' });
                GenericIdentity userIdentity = new GenericIdentity(authTicket.Name);
                GenericPrincipal userPrincipal =
                    new GenericPrincipal(userIdentity, roles);

                context.User = userPrincipal;

            }

在我设置context.User以上我可以在监视窗口中查看和对象设置完美，在用正确的名称等，正确的角色，但是如果我试图锁定控制器动作，或从任何地方使用校长在我的网站它总是被设置为无指定!!角色一个空字符串

Once I set the context.User above I can view in the watch window and the object is set perfectly, in the correct roles with the right name etc, however if i try and lock down controller actions or use the Principal from anywhere in my site it is always set to an empty string with no roles assigned!!

我猜我做一些非常愚蠢的在这里，但如果有人能指出这一点，我真的AP preciate它。

I'm guessing i'm doing something really stupid here but if someone could point this out I would really appreciate it.

推荐答案

检查是否要在分配新userPrincipal双方的HttpContext，并在Global.asax中OnPostAuthenticate请求中当前线程：

Check that you are assigning your new userPrincipal to both the HttpContext and the current thread within the OnPostAuthenticate request in global.asax:

HttpContext.Current.User = userPrincipal;
Thread.CurrentPrincipal = userPrincipal;

这篇关于自定义的IIdentity和IPrincipal的使用MVC2的FormsAuthenticationTicket饼干的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！