ASP .NET MVC窗体授权与Active Directory组 [英] ASP .NET MVC Forms authorization with Active Directory groups
问题描述
我在尝试使用的用户和组在ASP.NET MVC中对Active Directory进行身份验证。
I'm attempting to authenticate using users and groups in ASP.NET MVC against Active Directory.
我已经把我所有的类以下的属性(除账户类):
I have put the following attribute on all my classes (except the account class):
[Authorize (Roles="SubcontractDB Users")]
这组在OU =区域 - > OU =组 - > OU =公司 - > CN = SubcontractDB在Active Directory中找到。我假设我还需要设置在web.config中,我一直试图做一个RoleManager如下:
This group is found under OU=Area->OU=Groups->OU=Company->CN=SubcontractDB in active directory. I'm assuming I also need to setup a RoleManager in web.config which I've attempted to do as follows:
<roleManager defaultProvider="ADRoleProvider">
<providers>
<clear />
<add name="ADMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider"
connectionStringName="ADConnectionString"
attributeMapUsername="sAMAccountName" />
</providers>
</roleManager>
我的连接字符串是:
My connection string is:
<add name="ADConnectionString"
connectionString="LDAP://blah.com:389/DC=blah,DC=wateva,DC=com"/>
很显然,我做错了,因为这是行不通的。所有我想要做的就是允许访问是一组特定于公元成员的用户。
Obviously I'm doing it wrong as this doesn't work. All I want to do is allow access to users that are a member of a certain group in AD.
推荐答案
所以,我最终实现自己的授权属性,并使用:
So I ended up implementing my own authorize attribute and using that:
namespace Application.Filters
{
public class AuthorizeADAttribute : AuthorizeAttribute
{
public string Groups { get; set; }
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (base.AuthorizeCore(httpContext))
{
/* Return true immediately if the authorization is not
locked down to any particular AD group */
if (String.IsNullOrEmpty(Groups))
return true;
// Get the AD groups
var groups = Groups.Split(',').ToList<string>();
// Verify that the user is in the given AD group (if any)
var context = new PrincipalContext(ContextType.Domain, "server");
var userPrincipal = UserPrincipal.FindByIdentity(context,
IdentityType.SamAccountName,
httpContext.User.Identity.Name);
foreach (var group in groups)
if (userPrincipal.IsMemberOf(context, IdentityType.Name, group))
return true;
}
return false;
}
}
}
然后我可以简单地使用下面的上述控制器或功能
And then I can simply use the following above controllers or functions
Using Application.Filters;
...
[AuthorizeAD(Groups = "groupname")]
注::您可以简单地使用新PrincipalContext(ContextType.Domain);
然而,有抛出一个在.NET 4.0中的一个错误(0x80005000)
误差 userPrincpal.IsMemberOf(...)
。请参阅<一href="http://social.msdn.microsoft.com/Forums/en/csharplanguage/thread/4c9fea6c-1d0a-4733-a8ac-e3b78d10e999">here了解详细信息。
NB: You could simply use new PrincipalContext(ContextType.Domain);
however there is a bug in .NET 4.0 that throws a (0x80005000)
error at userPrincpal.IsMemberOf(...)
. See here for details.
如果你想知道如何重定向到基于授权失败的另一页,在这里检查我的答案是:<一href="http://stackoverflow.com/questions/7440208/adding-an-error-message-to-the-view-model-based-on-controller-attribute-in-asp-ne/7591678#7591678">Adding一个错误信息的基础上在ASP.NET MVC 控制器属性
If you would like to know how to redirect to another page based on failed authorization, check my answer here: Adding an error message to the view model based on controller attribute in ASP.NET MVC
这篇关于ASP .NET MVC窗体授权与Active Directory组的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!