在.NET应用程序中替换表单身份验证的方法

发布于 2024-10-09 04:11:32 字数 891 浏览 4 评论 0原文

我的问题是关于一种方法,我正在寻找提示或链接来帮助我开发解决方案。我有一个 .NET 4.0 Web 表单应用程序,它使用用户和密码的 aspnetdb SQL 数据库进行表单身份验证。该应用程序的一项新功能是使用单点登录的身份验证机制,以允许数千名新用户进行访问。本质上,当用户通过新的单点登录方法登录时,我将能够将他们识别为具有角色的合法用户。

所以我会有类似 HttpContext.Current.Session["email_of_authenticated_user"] (他们的身份)和 HttpContext.Current.Session["role_of_authenticated_user"] (他们的角色)。

重要的是,我不一定希望在即将停用的 aspnetdb 数据库中冗余地维护这些用户和角色,但我确实希望使用上面的会话对象来允许用户通过应用程序就好像他们正在通过表单身份验证一样。我认为 CustomRoleProviders 或 CustomMemberProviders 没有帮助,因为它们不允许创建会话级用户。

所以我的问题是如何使用会话级别的用户和角色,我必须“模仿”所有表单身份验证的优点,例如强制:

[System.Security.Permissions.PrincipalPermission(System.Security.Permissions.SecurityAction.Demand, Role = "Student")]

<authorization>
    <allow users="wilma, barney" />
</authorization>

感谢您的任何指示。

My question is about an approach, and I am looking for tips or links to help me develop a solution. I have an .NET 4.0 web forms application that works with Forms authentication using the aspnetdb SQL database of users and passwords. A new feature for the application is a new authentication mechanism using single sign on to allow access for thousands of new users. Essentially, when the user logs in through the new single-sign-on method, I will be able to identify them as legitimate users with a role.

So I will have something like HttpContext.Current.Session["email_of_authenticated_user"] (their identity) and HttpContext.Current.Session["role_of_authenticated_user"] (their role).

Importantly, I don't necessarily want to maintain these users and roles redundantly in the aspnetdb database which will be retired, but I do want to use the session objects above to allow the user to pass through the application as if they were in passing through with forms authentication. I don't think CustomRoleProviders or CustomMemberProviders are helpful since they do not allow for creating session-level users.

So my question is how to use the session level user and role that I do have to "mimic" all the forms authentication goodness like enforcing:

[System.Security.Permissions.PrincipalPermission(System.Security.Permissions.SecurityAction.Demand, Role = "Student")]

or

<authorization>
    <allow users="wilma, barney" />
</authorization>

Thanks for any pointers.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

凉薄对峙 2024-10-16 04:11:32

我认为您将 Forms AuthenticationSqlMembershipProvider 混淆了。

表单身份验证是 ASP.NET 通常对用户进行授权和身份验证的方式。它没有指定如何完成此操作的具体实现。它仅提供一种方式,一旦经过身份验证,应用程序就可以通过保存为 cookie 的“票证”系统在整个应用程序中使用这些凭据。

本质上,windows中只有两种身份验证,Forms身份验证和Windows身份验证。由于您的新方法不是基于Windows的,那么您必须使用表单身份验证(除非您简单地忽略asp.net中内置的内容并自己滚动所有内容,这样做有点愚蠢)。

您可能需要研究Windows Identity Foundation,因为它为身份,包括各种基于 Web 的单点登录方法。

I think you're confusing Forms Authentication with the SqlMembershipProvider.

Forms authentication is the means by which ASP.NET generically authorizes and authenticates users. It does not specify a specific implementation of how that is done. It only provides a way that, once authenticated, the application can use those credentials throughout the app via a "ticket" system that's saved as a cookie.

Essentially, there are only two kinds of authentication in windows, Forms Authentication and Windows Authentication. Since your new method is not Windows based, then you have to use Forms Authentication (unless you simply ignore the stuff that's built into asp.net and roll everything yourself, which is kind of stupid to do).

You might want to look into the Windows Identity Foundation as it provides a plugable architecture for identity, including various web based single sign-on methods.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文