如何使 ActiveDirectoryMembershipProvider 接受空密码?

发布于 2024-09-10 10:30:10 字数 852 浏览 9 评论 0原文

我们正在开发一个 Web 应用程序,它使用表单身份验证和 ActiveDirectoryMembershipProvider 根据 Active Directory 对用户进行身份验证。我们很快发现提供商不允许指定空白/空密码,即使这在 Active Directory 中是完全合法的(如果没有制定预防性密码策略)。

由 Reflector 提供:

private void CheckPassword(string password, int maxSize, string paramName)
{
    if (password == null)
    {
        throw new ArgumentNullException(paramName);
    }
    if (password.Trim().Length < 1)
    {
        throw new ArgumentException(SR.GetString("Parameter_can_not_be_empty", new object[] { paramName }), paramName);
    }
    if ((maxSize > 0) && (password.Length > maxSize))
    {
        throw new ArgumentException(SR.GetString("Parameter_too_long", new object[] { paramName, maxSize.ToString(CultureInfo.InvariantCulture) }), paramName);
    }
}

如果没有编写我们自己的自定义 Provider,有没有办法使用 .NET 的魔力来覆盖此功能?

We are developing a web application that uses forms authentication and the ActiveDirectoryMembershipProvider to authenticate users against the Active Directory. We soon found out that the provider does not allow a blank/empty password to be specified, even though this is perfectly legal in the Active Directory (provided a preventative password policy is not in place).

Courtesy of reflector:

private void CheckPassword(string password, int maxSize, string paramName)
{
    if (password == null)
    {
        throw new ArgumentNullException(paramName);
    }
    if (password.Trim().Length < 1)
    {
        throw new ArgumentException(SR.GetString("Parameter_can_not_be_empty", new object[] { paramName }), paramName);
    }
    if ((maxSize > 0) && (password.Length > maxSize))
    {
        throw new ArgumentException(SR.GetString("Parameter_too_long", new object[] { paramName, maxSize.ToString(CultureInfo.InvariantCulture) }), paramName);
    }
}

Short of writing our own custom Provider, is there any way to override this functionality using the magic of .NET?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

逆蝶 2024-09-17 10:30:10

我不相信您可以在不创建派生类并覆盖调用私有 CheckPassword 方法的每个方法的情况下更改此行为。但是,我不会推荐此选项,我建议您检查您的设计并质疑在您的应用程序中允许空白密码是否合适。虽然它们在 AD 中有效,但在实践中允许这样做是不寻常的,并且它确实会影响 Windows 网络中的其他事物,例如,我认为网络文件共享的默认设置不允许任何具有空白密码的用户连接到共享。

I don't beleive you could change this behaviour without creating a derived class and overiding every method that calls the private CheckPassword method. I would not recomend this option however, i would recomend that you review your design and question whether it is approriate to allow blank passwords in your application. Whilst they are valid in AD it is unusual for this to be allowed in practice and it does impact other things in a windows network, e.g. i think the default settings for network file shares disallow any user with a blank password from connecting to the share.

风向决定发型 2024-09-17 10:30:10

您也许可以考虑使用模拟,但我不知道您是否会遇到同样的问题。如果要授权用户,那么您可以使用模拟来尝试“模拟”计算机上的用户。我不知道这是否有帮助,但前一周我也在做类似的事情。如果有帮助的话,请将代码放在下面..:)

using System;  
using System.Runtime.InteropServices;  

public partial class Test_Index : System.Web.UI.Page {  
protected void Page_Load(object sender, EventArgs e)
{        
    IntPtr ptr = IntPtr.Zero;
    if (LogonUser("USERNAME", "", "LEAVE-THIS-BLANK", LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, ref ptr))
    {
        using (System.Security.Principal.WindowsImpersonationContext context = new System.Security.Principal.WindowsIdentity(ptr).Impersonate())
        {
            try
            {
                // Do do something
            }
            catch (UnauthorizedAccessException ex)
            {
                // failed to do something
            }

            // un-impersonate user out
            context.Undo();
        }
    }
    else
    {
        Response.Write("login fail");
    }
}

#region imports

[DllImport("advapi32.dll", SetLastError = true)]
private static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken);

[DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern bool CloseHandle(IntPtr handle);

[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public extern static bool DuplicateToken(IntPtr existingTokenHandle, int SECURITY_IMPERSONATION_LEVEL, ref IntPtr duplicateTokenHandle);

#endregion

#region logon consts

// logon types 
const int LOGON32_LOGON_INTERACTIVE = 2;
const int LOGON32_LOGON_NETWORK = 3;
const int LOGON32_LOGON_NEW_CREDENTIALS = 9;

// logon providers 
const int LOGON32_PROVIDER_DEFAULT = 0;
const int LOGON32_PROVIDER_WINNT50 = 3;
const int LOGON32_PROVIDER_WINNT40 = 2;
const int LOGON32_PROVIDER_WINNT35 = 1;
#endregion  }

You could perhaps look at using impersonation but i don't know if you will have the same issue. If it's to authorise a user, then you could use impersonation to try and "impersonate" the user on the machine. I don't know if it helps but I was doing something similar to this the other week. Have put the code below if any of this helps.. :)

using System;  
using System.Runtime.InteropServices;  

public partial class Test_Index : System.Web.UI.Page {  
protected void Page_Load(object sender, EventArgs e)
{        
    IntPtr ptr = IntPtr.Zero;
    if (LogonUser("USERNAME", "", "LEAVE-THIS-BLANK", LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, ref ptr))
    {
        using (System.Security.Principal.WindowsImpersonationContext context = new System.Security.Principal.WindowsIdentity(ptr).Impersonate())
        {
            try
            {
                // Do do something
            }
            catch (UnauthorizedAccessException ex)
            {
                // failed to do something
            }

            // un-impersonate user out
            context.Undo();
        }
    }
    else
    {
        Response.Write("login fail");
    }
}

#region imports

[DllImport("advapi32.dll", SetLastError = true)]
private static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken);

[DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern bool CloseHandle(IntPtr handle);

[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public extern static bool DuplicateToken(IntPtr existingTokenHandle, int SECURITY_IMPERSONATION_LEVEL, ref IntPtr duplicateTokenHandle);

#endregion

#region logon consts

// logon types 
const int LOGON32_LOGON_INTERACTIVE = 2;
const int LOGON32_LOGON_NETWORK = 3;
const int LOGON32_LOGON_NEW_CREDENTIALS = 9;

// logon providers 
const int LOGON32_PROVIDER_DEFAULT = 0;
const int LOGON32_PROVIDER_WINNT50 = 3;
const int LOGON32_PROVIDER_WINNT40 = 2;
const int LOGON32_PROVIDER_WINNT35 = 1;
#endregion  }
~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文