What is the relationship between Membership, MembershipProvider and MembershipUser in ASP.NET?
I store user data in an MSSQL table called Users. What I want is to have all of the user's data accessible for the actually logged-in user (email, address, phone, whether the user is a subscriber, etc.).
I don't want to use profiles, so I decided to use a custom MembershipProvider (or do you know some better, less painful way?).
What I don't understand is MembershipUser and Membership.
If I inherit from MembershipProvider, in the overridden methods I control data access from and to the database.
But how do I use the class inherited from MembershipProvider?
If I want to authenticate a user by using membership, I should do:
if (Membership.ValidateUser(username, password))
{
    // The second argument is createPersistentCookie (bool), not the password.
    FormsAuthentication.RedirectFromLoginPage(username, false);
}
But where is the class inherited from MembershipProvider? And when do I use a class inherited from MembershipUser? And what is the relation between Membership and MembershipProvider?
Comments (2)
While it's not crystal clear on MSDN, it's not all that complicated. There's a trio of classes:
A custom MembershipProvider is selected (by code in Membership) based on your application's configuration: configuration/system.web/membership. Here's where you bring your provider into play. Your MembershipProvider implementation must be written to access whatever data store you prefer for users: your User table in this case.
MembershipUser objects are only created through your MembershipProvider. The MembershipProvider.ValidateUser() method should check against your data store that the user/password combination is valid. The MembershipProvider.GetUser() retrieves user information -- use it within an access protected page and pass in System.Web.HttpContext.Current.User.Identity.Name as the current authenticated user.
This said, I hope you are sure you don't want to use Profiles, and really want to have a separate User table. If you are writing an internal application, using an existing Active Directory or LDAP-enabled data store would reduce administration costs and probably security risks. There are hundreds of things you can easily do wrong when going the MembershipProvider route. Do you use salted hashes? How are you protecting the User table against manipulation? MSDN covers only a fraction of the security issues you may face.
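Added example, not part of the answer above and not Microsoft's code: a ValidateUser() override of the kind the answer describes, checking a salted PBKDF2 hash read from the Users table through a parameterized query. Assumptions: .NET Framework 4 or later, hypothetical NOT NULL columns PasswordSalt and PasswordHash, a hypothetical ConnectionString property, class name and iteration count; the class is abstract because a concrete provider must still override the remaining MembershipProvider members before it is registered under configuration/system.web/membership.

```csharp
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.Security;

// Added example: only the login path is implemented here. The class stays abstract;
// a concrete subclass overrides the other MembershipProvider members.
public abstract class UsersTableMembershipProvider : MembershipProvider
{
    private const int Iterations = 100000;               // assumed PBKDF2 work factor
    protected abstract string ConnectionString { get; }  // hypothetical property

    public override bool ValidateUser(string username, string password)
    {
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password)) return false;
        byte[] salt = null, stored = null;
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(
            "SELECT PasswordSalt, PasswordHash FROM Users WHERE UserName = @name", conn))
        {
            cmd.Parameters.AddWithValue("@name", username); // never concatenate user input
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                if (reader.Read())
                {
                    salt = (byte[])reader["PasswordSalt"];   // hypothetical column
                    stored = (byte[])reader["PasswordHash"]; // hypothetical column
                }
            }
        }
        // Unknown user: hash against dummy values so the response time does not
        // reveal whether the account exists.
        bool found = salt != null;
        if (!found) { salt = new byte[16]; stored = new byte[32]; }
        bool match = FixedTimeEquals(stored, HashPassword(password, salt, stored.Length));
        return found && match;
    }
    // Also used when creating or changing a password, with a fresh random salt.
    public static byte[] HashPassword(string password, byte[] salt, int length)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(length);
    }
    // Compares every byte so timing does not depend on the first mismatch.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```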
The specific provider used is controlled on the web.config. You can actually set more than 1 provider, and have a default one. Check: http://msdn.microsoft.com/en-us/library/6e9y4s5t.aspx.
When called like that, membership just uses the default provider. You would inherit MembershipUser, if you wanted to provide extra info for the user, but that will tie the rest of your code to your specific provider.