Handling MVC security... override the membership provider, use an action filter, or something else? Not sure how to approach this
I'm at a point where I'm really confused about how to go about handling security in my ASP .NET MVC application. Here's what I know I want to do:
1) I want my own schema layout so I can implement security how I want it and not be tied to Microsoft's default db schema (which I've seen next to no support for on other dbms's).
2) This is going to sound like a contradiction, but I want to use Entity Framework, and, yes, MS Sql Server 2005. Just because I am doing this, does not mean I want to be locked into these decisions. I've seen a number of other dbms vendors provide EF support, so this seems like a much better way to go.
The basic security setup is rather simple. There are users. Users have roles. I have 3 basic tables from this: User, Role, UserRoles.
So, if this was a professional web application I was contracted to create, what would be a good way to do this? Creating a custom membership provider implementation seems the most thorough and it seems like it's a rather portable solution. I have seen several articles talk about just creating an ActionFilter or CustomAttribute. It might be the two are the same thing; like I said, I'm really confused.
The bottom line here is I'm trying to get my feet wet on this technology, but I want the foresight of knowing how this would be done in the real world. I've gone over the NerdDinner example and that uses the default membership provider setup (schema included), which is not what I want here.
I've googled this. I've read dozens of articles and found a great many implementations. I've gone through ASP .NET Unleashed, which just has the standard Membership provider explanation. I'm really just trying to find some solid professional advice here from those of you who have been in industry and done this a time or two.
Thanks for your time.
Update.
I've managed to get the CSS file to be exempt from authentication. I added the following to the web.config (app level).
<location path="Content">
    <system.web>
        <authorization>
            <allow users="*" />
        </authorization>
    </system.web>
</location>
<location path="~/Views/Account">
    <system.web>
        <authorization>
            <allow users="*" />
        </authorization>
    </system.web>
</location>
Now there is a logic issue. I've instructed the application earlier in the web.config that the login url is: LogOn.aspx. Since I've implemented a custom membership provider, I figured I'd go with the default account logon page. The page gives you the option to Register for a new account; however, clicking the Register hyperlink just keeps you on the LogOn page. Obviously new users won't be very happy about that. I tried to make all pages in the Views/Account folder not be authenticated with the xml above, but it doesn't seem to have worked. Thoughts?
**************************************** UPDATED AGAIN ****************************************
Apparently, the Location tag just needs the directory name and not the directory tree. At least that seems to be the case for me. I changed the 2nd location tag to look like this:
<location path="Account">
    <system.web>
        <authorization>
            <allow users="*" />
        </authorization>
    </system.web>
</location>
And now I can access all files in the Account views folder, as well as all Account controller actions. There's an interesting irony here: I've gone about and created a custom membership provider implementation (which I'm very glad I did), so I can use the vanilla Register & LogOn pages that ship with ASP .NET MVC. I suppose, if it's not broken, don't fix it. So tell me...how comfortable would any of you be putting these pages into a production environment with minimal changes? Just curious. I'm at a point where I'm just trying to figure out HOW to do this stuff; I can't really assess if doing or using X is a good thing or not quite yet.
Comments (1)
As far as I know you should be able to do what you are talking about without too much fuss...
Because ASP.Net MVC is built on top of ASP.Net you should be able to take advantage of ASP.Net's ability to put in your own custom membership provider as you described. Once created, to get ASP.Net MVC to use this provider all you should have to do is register your provider in the web.config and simply add the existing Authorize attribute to whatever controllers you want to lock down.
This existing Authorize attribute isn't tied to a given provider; it just looks to see which provider is current, and in your case your custom provider will be the current one.
You said that you have read articles on creating custom providers so I won't go into detail there, and you shouldn't have to create a custom attribute/filter (an ActionFilter is an attribute, but an attribute isn't always an ActionFilter - ActionFilters are an MVC concept, attributes are a .Net concept - hope that helps).
So it looks like you should have everything you need to implement.
Let me know if you need more.
UPDATE:
I would hazard a guess that the following is what is wrong with css - I have just gone through a very similar problem... In short I think MVC is trying to authenticate the getting of the CSS file and because you are not logged in yet, it's not letting you download the CSS.
The way to verify this is by doing something similar to the following (note the code goes in the global.asax):
When you debug your app, try putting a breakpoint in here and see how many times it gets called per load of the login page and what the "Request.Path" is for each... If you see that it is trying to authenticate these assets then that is your problem.
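The Global.asax code the answer refers to is missing from the page. The following is an added example, not the answerer's code, of the check being described: log every request path as it passes authentication, and log any request that leaves the pipeline as a 302 to the login page. A `/Content/*.css` path showing up with a 302 is the symptom, and the `<location path="Content">` allow rule from the question is the fix. `PostAuthenticateRequest` is used rather than `AuthenticateRequest` so the handler runs after `FormsAuthenticationModule` has set the user; the class name `MvcApplication` is the MVC template's default.

```csharp
using System;
using System.Diagnostics;
using System.Web;

// Added example for Global.asax.cs (not the answer's code): per-request tracing to find
// static assets that the forms-authentication pipeline is redirecting to the login page.
public class MvcApplication : HttpApplication
{
    // File extensions that should never require a logged-in user.
    private static readonly string[] StaticAssetExtensions = { ".css", ".js", ".png", ".gif", ".jpg", ".ico" };

    // Returns true for paths like "/Content/Site.css" or "/Scripts/jquery.js".
    public static bool LooksLikeStaticAsset(string path)
    {
        if (string.IsNullOrEmpty(path)) return false;
        foreach (var ext in StaticAssetExtensions)
            if (path.EndsWith(ext, StringComparison.OrdinalIgnoreCase)) return true;
        return false;
    }

    // Runs after FormsAuthenticationModule has processed the cookie, so IsAuthenticated is meaningful.
    // Put the breakpoint here: one hit per request, assets included, for a single load of the LogOn page.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        Debug.WriteLine(string.Format("AUTH  {0} authenticated={1} asset={2}",
            Request.Path, Request.IsAuthenticated, LooksLikeStaticAsset(Request.Path)));
    }

    // UrlAuthorizationModule (and AuthorizeAttribute) answer a denied request with 401;
    // FormsAuthenticationModule turns that 401 into a 302 to loginUrl before EndRequest completes.
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        if (Response.StatusCode != 302) return;

        var marker = LooksLikeStaticAsset(Request.Path) ? "ASSET REDIRECTED TO LOGIN" : "redirect";
        Debug.WriteLine(string.Format("END   {0} -> 302 {1} ({2})",
            Request.Path, Response.RedirectLocation, marker));
    }
}
```

Once the `<location path="Content">` rule is in place, the asset lines should stop appearing with a 302; if they still do, the `<authorization>` block that denies anonymous users is probably scoped to a different directory than the one the assets are served from.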