当前位置：文江博客话题详情

Asp.net 安全性：IIdentity.IsAuthenticated 默认实现

发布于 2024-08-30 15:12:39 字数 202 浏览 3 评论 0原文

我正在编写自己的自定义 Identity 类，它实现 IIdentity。我不需要更改默认方法 IsAuthenticated 但现在我想知道默认 IIdentity 如何确定它应该返回 true 还是 false？

我想在我正在使用的 FormsAuthenticationTicket 中找到答案，但不确定这是否正确。

预先感谢，

皮克斯

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

情话难免假 2024-09-06 15:12:39

ASP.Net 处理程序的上下文中没有“默认 IIdentity”。

有一个 GenericIdentity 传递给 GenericPrincipal，它是 ASP.Net 处理程序的默认 User，它的行为是，如果它使用非空用户名实例化，然后进行身份验证。

也就是说

public virtual bool IsAuthenticated
{
    get
    {
        return !this.m_name.Equals("");
    }
}

，IsAuthenticated 的确定完全是任意的，实现 IIdentity 的类完全负责实现此逻辑。

通常，没有实例化未经身份验证的主体/身份的用例，因为这是由 asp.net 运行时自动完成的，因此使用“哑”IsAuthenticated< 实现您的自定义 IIdentity在大多数情况下，返回 true 的 /code> 应该是合适的。

此外，虽然完全实现 IPrincipal 和 IIdentity 很简单，但您也可以简单地从 GenericPrincipal 和 GenericIdentity 派生，从而减少您需要维护的代码量。

在 FormsAuthentication 的上下文中，只有当用户经过身份验证时，您才会拥有一张票证，并且 User 将是具有以下身份的 RolePrincipal 实例类型 FormsIdentity ，它的 IsAuthenticated 实现非常复杂；-) ...

public bool IsAuthenticated
{
    get
    {
        return true;
    }
}

希望能帮助解决问题。

There is no 'default IIdentity' in the context of an ASP.Net handler.

There is a GenericIdentity that is pass to a GenericPrincipal which is the default User for an ASP.Net handler, and it's behavior is that if it is instantiated with a non-empty username then it is authenticated.

e.g.

public virtual bool IsAuthenticated
{
    get
    {
        return !this.m_name.Equals("");
    }
}

That said, the determination of IsAuthenticated is completely arbitrary and the class implementing IIdentity is fully responsible for implementing this logic.

Typically, there is no use case for instantiating an un-authenticated principal/identity as this is done automatically by the asp.net runtime, thus implementing your custom IIdentity with a 'dumb' IsAuthenticated that returns true should be appropriate in most cases.

Also, while fully implementing IPrincipal and IIdentity is trivial, you could also simply derive from GenericPrincipal and GenericIdentity reducing the amount of code you need to maintain.

In the context of FormsAuthentication you will only have a ticket if the user is authenticated and the User will be an instance of RolePrincipal with an identity of type FormsIdentity and it's implementation of IsAuthenticated is super complex ;-) ...

public bool IsAuthenticated
{
    get
    {
        return true;
    }
}

Hope that helps clear things up.

回复收藏 0 原文

花开半夏魅人心 2024-09-06 15:12:39

我使用自定义 UserPrinciple 在我的页面中嵌入比标准 GenericPrinciple 允许的更多有关当前用户的信息。我没有发现需要实现我自己的 IIdentity 因为您可以轻松地利用内置的 FormsIdentity 类似于我的方式（我不确定这是否与.NET Auth 的标准实践，但它在我自己的实践中效果很好）。我确实创建了一个自定义的 GuestIdentity ，它返回一个硬编码的 IsAuthenticated = false ，也许这可以用 GenericPrinciple 替换，我不确定是否可以立即使用它是否抽象。

public class UserPrincipal : IPrincipal
{            

  private readonly IIdentity _identity;

  public UserPrincipal()
        {
            _identity = new GuestIdentity();

            var guest = //my custom object
            User = guest;
        }        
    public UserPrincipal(HttpContext context)
    {
        var ident = context.User.Identity as FormsIdentity;
        string msg1 = "Context.User.Identity is null for authenticated user.";
        if (ident == null) throw new ApplicationException(msg1);

        _identity = ident;
        string msg2 = "Forms Identity Ticket is null";
        if (ident.Ticket == null) throw new AccessViolationException(msg2);

        var userData = ident.Ticket.UserData;

        ...

        User = jsonSerializer.Deserialize<User>(userJson);
    }    
    #region IPrincipal Members
    public bool IsInRole(string role)
    {
        return User.Roles.FirstOrDefault(x => x.RoleName == role) != null;
    }

    public IIdentity Identity
    {
        get { return _identity; }
    }
    #endregion
}

顺便说一句，您可以在表单身份验证票证中缓存数据，例如扩展的 UserData，如果您遵循这种类型的想法，但请确保您具有可以正确使过时数据过期的逻辑，因为它存储在客户端计算机上。

I use a custom UserPrinciple to embed more information about the current user into my pages than the standard GenericPrinciple allows. I didn't find a need to implement my own IIdentity as you can easily leverage the built in FormsIdentity similar to my fashion (I'm not sure if this is divergent from standard practices of Auth for .NET it's worked great in practice for myself though). I did create a custom GuestIdentity that returns a hardcoded IsAuthenticated = false perhaps this could be replaced by just GenericPrinciple I'm not sure off hand if it's abstract or not.

public class UserPrincipal : IPrincipal
{            

  private readonly IIdentity _identity;

  public UserPrincipal()
        {
            _identity = new GuestIdentity();

            var guest = //my custom object
            User = guest;
        }        
    public UserPrincipal(HttpContext context)
    {
        var ident = context.User.Identity as FormsIdentity;
        string msg1 = "Context.User.Identity is null for authenticated user.";
        if (ident == null) throw new ApplicationException(msg1);

        _identity = ident;
        string msg2 = "Forms Identity Ticket is null";
        if (ident.Ticket == null) throw new AccessViolationException(msg2);

        var userData = ident.Ticket.UserData;

        ...

        User = jsonSerializer.Deserialize<User>(userJson);
    }    
    #region IPrincipal Members
    public bool IsInRole(string role)
    {
        return User.Roles.FirstOrDefault(x => x.RoleName == role) != null;
    }

    public IIdentity Identity
    {
        get { return _identity; }
    }
    #endregion
}

Random aside, you can cache data in the Forms Authentication ticket like extended UserData, if you follow this type of idea though make sure you have logic in place that can correctly expire stale data since it's stored on the client computer.

回复收藏 0 原文

~没有更多了~