Simple claims transformation and caching w/ windows authentication

Problem description

For the past few days I've been reading about the Windows Identity Foundation and how it's so good and flexible and built right into .NET 4.5. Despite going over dozens of APIs, blog posts, how-to's etc. I can't for the life of me get a simple implementation working.

I'm using Windows authentication only and I can get the principal and view the claims that come with it (which is where every example seems to end). However, I want to then transform them into useful claims and cache the results so that the transformation doesn't happen on every single request.

In my web.config I have:

  <configSections>
    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
  </configSections>

  <system.identityModel>
    <identityConfiguration>
      <claimsAuthenticationManager type="SecurityProj.MyClaimsTransformationModule,SecurityProj" />
      <claimsAuthorizationManager type="SecurityProj.MyClaimsAuthorizationManager,SecurityProj" />
    </identityConfiguration>
  </system.identityModel>

However the authentication manager never gets called. The only way I can get it to sort of work is by adding:

protected void Application_PostAuthenticateRequest()
{
    ClaimsPrincipal currentPrincipal = ClaimsPrincipal.Current;
    ClaimsTransformationModule customClaimsTransformer = new MyClaimsTransformationModule();
    ClaimsPrincipal tranformedClaimsPrincipal = customClaimsTransformer.Authenticate(string.Empty, currentPrincipal);
    HttpContext.Current.User = tranformedClaimsPrincipal;
}

to my global.asax.cs file. It works on the first request but then I get "Safe handle has been closed" errors after that and have no idea what is causing it. Clearly this isn't the correct way to do it, so does anyone know what a best or simply working practice is? This is just for Windows authentication, I don't need anything more complicated than that.

For the caching, I was trying to use:

        SessionSecurityToken token = FederatedAuthentication.SessionAuthenticationModule
            .CreateSessionSecurityToken(
            currentPrincipal,
            "Security test",
            System.DateTime.UtcNow,
            System.DateTime.UtcNow.AddHours(1),
            true);

        if (FederatedAuthentication.SessionAuthenticationModule != null &&
            FederatedAuthentication.SessionAuthenticationModule.ContainsSessionTokenCookie(HttpContext.Current.Request.Cookies))
        {
            return;
        }
        FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(token);

but I'm not sure about that part either and the transformation problems need to be fixed first.

Any help would be appreciated. Just need the lookup/transform to be called and a cookie set, thanks.

Recommended answer

I've got everything working now, here's how I went about it:

On this page: http://msdn.microsoft.com/en-us/library/ee517293.aspx was a key paragraph:

If you want to make your RP application claims-aware, but you do not have an STS (for example, the RP uses Forms authentication or Windows integrated authentication), you can use the ClaimsPrincipalHttpModule. This module sits in your application’s HTTP pipeline and intercepts authentication information. It generates a IClaimsPrincipal for each user based on that user’s username, group memberships, and other authentication information. ClaimsPrincipalHttpModule must be inserted at the end of the <httpModules> pipeline, which is the first element in the <modules> section of <system.webServer> on IIS 7.

And this page:

http://leastprivilege.com/2012/04/04/identity-in-net-4-5part-2-claims-transformation-in-asp-net-beta-1/

Gives you the whole class. Now add that class to the web.config:

<modules>
  <add name="ClaimsTransformationHttpModule" type="TestSecurity.ClaimsTransformationHttpModule" />
</modules>

Now it will call the transformation and I can remove the post authenticate method in global.asax.

In the authenticate method, I call this to set the cookie:

private void CreateSession(ClaimsPrincipal transformedPrincipal)
{
    SessionSecurityToken sessionSecurityToken = new SessionSecurityToken(transformedPrincipal, TimeSpan.FromHours(8));
    FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(sessionSecurityToken);
}

The module from before is already set up to look at it and skip authentication if it's present.

Lastly for the safe handle error that I kept getting. I'm not exactly sure of the cause, but I discovered that if I modified the principal that gets passed to Authenticate and then returned it (which is what it shows on msdn), then the error would show up on all subsequent requests. However if I created and returned a new principal then it would not occur. This also turns out to be useful for dropping claims that you don't need.

List<Claim> newClaims = new List<Claim>();

var keeper = ((ClaimsIdentity)incomingPrincipal.Identity).Claims.First(c =>
    c.Type == ClaimTypes.Name);
newClaims.Add(keeper);

ClaimsIdentity ci = new ClaimsIdentity(newClaims, "Negotiate");

return new ClaimsPrincipal(ci);

So now I can windows authenticate, bring in custom claims, and have them cached with a cookie. Hope this helps anyone else trying to do the same and if I'm not doing something right please let me know.
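
The answer's pieces assembled into one class, as an added example that is not the poster's or Microsoft's code: a ClaimsAuthenticationManager that builds a new principal, adds application claims and writes the session cookie. The class name comes from the question's web.config; LookupApplicationClaims and its sample roles are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Security;
using System.Security.Claims;

namespace SecurityProj
{
    // Class name taken from the <claimsAuthenticationManager> entry in the question's web.config.
    public class MyClaimsTransformationModule : ClaimsAuthenticationManager
    {
        public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
        {
            // Anonymous requests: nothing to transform or cache.
            if (incomingPrincipal == null || incomingPrincipal.Identity == null ||
                !incomingPrincipal.Identity.IsAuthenticated)
                return incomingPrincipal;

            Claim name = incomingPrincipal.FindFirst(ClaimTypes.Name);
            if (name == null)
                throw new SecurityException("Authenticated identity has no name claim.");

            // Build a NEW identity instead of editing the incoming Windows principal; the answer
            // reports that returning the modified original caused "Safe handle has been closed".
            var claims = new List<Claim> { new Claim(ClaimTypes.Name, name.Value) };
            claims.AddRange(LookupApplicationClaims(name.Value));
            var transformed = new ClaimsPrincipal(new ClaimsIdentity(claims, "Negotiate"));

            CreateSession(transformed);
            return transformed;
        }

        // Hypothetical lookup with constructed sample data; replace with a database or directory query.
        private static IEnumerable<Claim> LookupApplicationClaims(string accountName)
        {
            yield return new Claim(ClaimTypes.Role, "User");
            if (accountName.EndsWith(@"\alice", StringComparison.OrdinalIgnoreCase))
                yield return new Claim(ClaimTypes.Role, "Approver");
        }

        // Cache the transformed principal in the session cookie so later requests skip the lookup.
        private static void CreateSession(ClaimsPrincipal transformedPrincipal)
        {
            var token = new SessionSecurityToken(transformedPrincipal, TimeSpan.FromHours(8));
            FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(token);
        }
    }
}
```

Because the transformed claims are served from the cookie for the whole token lifetime, a role removed on the server side stays effective until the cookie expires, so choose the lifetime with revocation in mind. Setting requireSsl="true" on the cookieHandler element under system.identityModel.services keeps the session cookie off plain HTTP.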
