ASP .NET MVC 表单授权与 Active Directory 组 [英] ASP .NET MVC Forms authorization with Active Directory groups
问题描述
我正在尝试使用 ASP.NET MVC 中的用户和组对 Active Directory 进行身份验证.
我已将以下属性放在我所有的类(帐户类除外)上:
[授权(角色=SubcontractDB 用户")]该组位于活动目录中的 OU=Area->OU=Groups->OU=Company->CN=SubcontractDB 下.我假设我还需要在 web.config 中设置一个 RoleManager,我尝试按如下方式执行:
<提供者><清除/><add name="ADMembershipProvider"type="System.Web.Security.ActiveDirectoryMembershipProvider"connectionStringName="ADConnectionString"attributeMapUsername="sAMAccountName"/></提供者></roleManager> 我的连接字符串是:
显然我做错了,因为这不起作用.我想要做的就是允许访问属于 AD 中某个组成员的用户.
所以我最终实现了我自己的授权属性并使用它:
命名空间 Application.Filters{公共类 AuthorizeADAttribute : AuthorizeAttribute{公共字符串组{获取;放;}protected override bool AuthorizeCore(HttpContextBase httpContext){如果 (base.AuthorizeCore(httpContext)){/* 如果没有授权,立即返回真锁定到任何特定的 AD 组 */if (String.IsNullOrEmpty(Groups))返回真;//获取 AD 组var groups = Groups.Split(',').ToList();//验证用户是否在给定的 AD 组中(如果有)var context = new PrincipalContext(ContextType.Domain, "server");var userPrincipal = UserPrincipal.FindByIdentity(上下文,IdentityType.SamAccountName,httpContext.User.Identity.Name);foreach (var group in groups)if (userPrincipal.IsMemberOf(context, IdentityType.Name, group))返回真;}返回假;}}} 然后我可以简单地使用上面的控制器或函数
使用 Application.Filters;...[AuthorizeAD(Groups = "groupname")]注意:您可以简单地使用 new PrincipalContext(ContextType.Domain); 但是 .NET 4.0 中有一个错误会引发 (0x80005000) userPrincpal.IsMemberOf(...) 错误.有关详细信息,请参阅此处.
如果您想知道如何根据授权失败重定向到另一个页面,请在此处查看我的答案:在ASP.NET MVC中基于控制器属性向视图模型添加错误信息>
I'm attempting to authenticate using users and groups in ASP.NET MVC against Active Directory.
I have put the following attribute on all my classes (except the account class):
[Authorize (Roles="SubcontractDB Users")]
This group is found under OU=Area->OU=Groups->OU=Company->CN=SubcontractDB in active directory. I'm assuming I also need to setup a RoleManager in web.config which I've attempted to do as follows:
<roleManager defaultProvider="ADRoleProvider">
<providers>
<clear />
<add name="ADMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider"
connectionStringName="ADConnectionString"
attributeMapUsername="sAMAccountName" />
</providers>
</roleManager>
My connection string is:
<add name="ADConnectionString"
connectionString="LDAP://blah.com:389/DC=blah,DC=wateva,DC=com"/>
Obviously I'm doing it wrong as this doesn't work. All I want to do is allow access to users that are a member of a certain group in AD.
So I ended up implementing my own authorize attribute and using that:
namespace Application.Filters
{
public class AuthorizeADAttribute : AuthorizeAttribute
{
public string Groups { get; set; }
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (base.AuthorizeCore(httpContext))
{
/* Return true immediately if the authorization is not
locked down to any particular AD group */
if (String.IsNullOrEmpty(Groups))
return true;
// Get the AD groups
var groups = Groups.Split(',').ToList<string>();
// Verify that the user is in the given AD group (if any)
var context = new PrincipalContext(ContextType.Domain, "server");
var userPrincipal = UserPrincipal.FindByIdentity(context,
IdentityType.SamAccountName,
httpContext.User.Identity.Name);
foreach (var group in groups)
if (userPrincipal.IsMemberOf(context, IdentityType.Name, group))
return true;
}
return false;
}
}
}
And then I can simply use the following above controllers or functions
Using Application.Filters;
...
[AuthorizeAD(Groups = "groupname")]
NB: You could simply use new PrincipalContext(ContextType.Domain); however there is a bug in .NET 4.0 that throws a (0x80005000) error at userPrincpal.IsMemberOf(...). See here for details.
If you would like to know how to redirect to another page based on failed authorization, check my answer here: Adding an error message to the view model based on controller attribute in ASP.NET MVC
这篇关于ASP .NET MVC 表单授权与 Active Directory 组的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
