If the authentication ticket also contains information about roles, then why...?

Posted 2024-07-21 05:40:16


Q1 – The reason the native UrlAuthorizationModule doesn't understand roles is that role information is stored in a managed object implementing the IPrincipal interface, to which native modules don't have access.

A) But if the native UrlAuthorizationModule understands the authentication ticket, and thus can work in conjunction with the FormsAuthenticationModule, then why can't it also work with the Roles module?

Namely, doesn't this ticket also contain information about the roles the user is in? If so, then the UrlAuthorizationModule could get all the information about roles from the ticket and thus wouldn't need access to the IPrincipal object?!

Q2 – The following article http://www.asp.net/learn/security/tutorial-11-vb.aspx claims:

If an anonymous user visits the site, neither the FormsAuthenticationModule nor the RoleManagerModule creates a principal object.

A) If the above claim were true, then wouldn't the following code throw an exception, since the User property would contain a null reference:

        // Page code-behind: User is the IPrincipal on the current HttpContext
        if (User.Identity.IsAuthenticated)
            Label1.Text = "user is authenticated";
        else
            Label1.Text = "user is not authenticated";

Label1 displays "user is not authenticated", which would suggest that the User property is assigned an object implementing IPrincipal, even if the user is not authenticated?!

Thanks


Comments (1)

傲影 2024-07-28 05:40:16


Regarding Q1: What if CacheRolesInCookie were set to false? Then there would not be enough info to determine the roles.

Regarding Q2: quoting from http://msdn.microsoft.com/en-us/library/aa302376.aspx

"The activated authentication module is responsible for creating an IPrincipal object and storing it in the HttpContext.User property. This is vital, because the downstream authorization modules use this IPrincipal object in order to make authorization decisions.
In the absence of authentication (for example, where anonymous access is enabled within IIS and ASP.NET is configured with ), there's a special non-configured module that puts a default anonymous principal into the HttpContext.User property. As a result, HttpContext.User is always non-null after authentication."
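Both the question (Q1, Q2) and the comment above turn on where the roles actually live, so here is an added example that is not code from the original post or from the tutorial it cites. A FormsAuthenticationTicket has no roles field at all: FormsAuthenticationModule builds a FormsIdentity from the ticket and wraps it in a GenericPrincipal with an empty role list, and RoleManagerModule with cacheRolesInCookie="true" keeps the roles in a separate cookie (.ASPXROLES by default), not in the ticket. An authorization module that only understands the ticket therefore cannot see roles, which is also why CacheRolesInCookie=false leaves it nothing to go on. The common workaround is to carry the roles in the ticket's free-form UserData slot yourself and rebuild the principal on every request, as below. The user name, the role names and the comma-separated UserData convention are my assumptions; the ASP.NET APIs used are real.

```csharp
// Added example, not from the original post. Assumes a classic ASP.NET
// (System.Web) project using Forms authentication without the Role Manager.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class TicketRoles
{
    // Issue a forms ticket whose UserData carries a comma-separated role list.
    // UserData is the only free-form slot in the ticket; the comma convention
    // is ours (assumption), not something FormsAuthentication defines.
    public static HttpCookie IssueTicket(string userName, string[] roles)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                          // ticket version
            userName,
            DateTime.Now,               // issue time
            DateTime.Now.AddMinutes(30),// expiry
            false,                      // not persistent
            string.Join(",", roles));   // UserData: the roles travel here

        // Encrypt() both encrypts and MACs the ticket with the machineKey, so a
        // client cannot grant itself roles by editing the cookie value.
        string encrypted = FormsAuthentication.Encrypt(ticket);
        return new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true
        };
    }

    // Rebuild HttpContext.User from the ticket. Must run after
    // FormsAuthenticationModule, i.e. from Application_AuthenticateRequest.
    public static void AttachPrincipal(HttpContext context)
    {
        // After AuthenticateRequest, User is never null: on an anonymous request
        // DefaultAuthenticationModule has already installed a GenericPrincipal
        // around an empty GenericIdentity whose IsAuthenticated is false. That is
        // why the IsAuthenticated check in the question does not throw.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
            return;

        var formsIdentity = context.User.Identity as FormsIdentity;
        if (formsIdentity == null)
            return; // identity came from some other authentication module

        FormsAuthenticationTicket ticket = formsIdentity.Ticket;
        string[] roles = string.IsNullOrEmpty(ticket.UserData)
            ? new string[0]
            : ticket.UserData.Split(',');

        // Replace the role-less GenericPrincipal that FormsAuthenticationModule
        // created with one that answers IsInRole() from the ticket's UserData.
        // The managed UrlAuthorizationModule evaluates <authorization> rules in
        // web.config against exactly this object, nothing else.
        context.User = new GenericPrincipal(formsIdentity, roles);
    }
}

// Global.asax code-behind: hook the rebuild into the pipeline.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        TicketRoles.AttachPrincipal(HttpContext.Current);
    }

    // Example login handler (names are assumptions): after validating the
    // credentials elsewhere, issue the ticket and redirect.
    public static void SignIn(HttpContext context, string userName, string[] roles)
    {
        context.Response.Cookies.Add(TicketRoles.IssueTicket(userName, roles));
        context.Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, false));
    }
}
```

If roleManager is enabled in web.config, RoleManagerModule wraps HttpContext.User in a RolePrincipal during PostAuthenticateRequest and takes over role lookups (from its cookie when cacheRolesInCookie is on, otherwise from the provider), so pick one mechanism: either the UserData pattern above or the Role Manager, not both. Either way the authorization decision is made against the IPrincipal on HttpContext.User, never against the raw ticket.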
