好奇大家有什么建议。
我有一个现有的 asp.net 表单应用程序,它执行表单身份验证并打开身份模拟。
该应用程序有一个调查问卷的链接,我想在 ASP.NET MVC 应用程序中单独开发该调查问卷,但我不希望用户单击该链接并提示输入用户名和密码,我希望他们能够无缝地开始填写调查问卷。
有没有一种方法可以将身份验证从一个 .net 应用程序转移到另一个应用程序?我希望能够传递像 UserRole 这样的东西。
最好的方法是什么?
Curious what recommendations anyone has.
I have an existing asp.net forms application that does a Forms Authentication and has identity impersonate turned on.
The application has a link to a questionnaire that I would like to develop separately in an asp.net MVC application, but I don't want the users to click on the link and be prompted for a username and password, I would like them to be able seamless start filling out the questionnaire.
Is there a way to somehow transfer authentication from one .net app to another? I would like to be able to pass stuff like UserRole.
What's the best way to do this?
发布评论
评论(2)
如果您在两个应用程序中使用相同的 MachineKey 并且 MVC 应用程序位于同一服务器上,我认为它将重用 auth cookie 并简单地认为它们已登录。请参阅此 有关配置 MachineKey 的 MSDN 文章,特别是关于 跨应用程序共享身份验证票证。请注意,这假设两个应用程序位于同一服务器上。如果它们位于不同的服务器上,那么您需要研究一些其他机制 - 例如,为 URL 生成一次性票证,远程系统可以通过 Web 回调用户所在的原始服务器来使用该票证。它可能不需要是中央身份验证系统的完整实现,但沿着这些思路。只需确保您使用 SSL 来加密相关位,以帮助避免中间人攻击。
If you use the same MachineKey in both applications and the MVC application is on the same server, I think that it will reuse the auth cookie and simply consider them logged in. See this MSDN article on configuring the MachineKey, especially the section on sharing authentication tickets across applications. Note this assumes that both applications are on the same server. If they are on different servers then you'll need to investigate some other mechanisms -- say generating a single-use ticket for the URL that can be used by the remote system via a web call back to the originating server who the user is. It might not need to be a full-up implementation of a central authentication system, but along those lines. Just be sure that you're using SSL to encrypt the relevant bits to help avoid man-in-the-middle attacks.
使用 Windows Identity Foundation (WIF),您可以实现单点登录。
在 WIF 中,称为安全令牌服务 (STS) 的服务会颁发带有声明的令牌,该令牌可以是您想要声明的有关经过身份验证的用户的任何内容,例如他的角色。在您的应用程序中,您可以使用 Page.User、Controller.Page 或 Thread.Current.Principal 属性来检查用户声明(不过,如果您仅使用角色声明,则为了简单起见,您可以使用 IsInRole 方法)。
您可以使用 WIF SDK 中包含的 VS 工具轻松创建 STS。表单身份验证将在 STS 而不是 Web 表单站点中完成,并且两个站点都应与 STS 具有信任关系。
Using Windows Identity Foundation (WIF) you can achieve Single Sign-On.
In WIF, a service called a Security Token Service (STS), issues a token with claims, which can be anything you want to declare about the authenticated user, for instance his roles. In your apps you can use the Page.User, Controller.Page or Thread.Current.Principal properties to check the User claims (though if you'll only be using role claims you can use the IsInRole method for simplicity).
You can easily create a STS using the tools for VS included in WIF's SDK. The Forms authentication will be done in the STS instead of in the Web Forms site and both sites should have a trust relationship with the STS.