在.NET应用程序中替换表单身份验证的方法
我的问题是关于一种方法,我正在寻找提示或链接来帮助我开发解决方案。我有一个 .NET 4.0 Web 表单应用程序,它使用用户和密码的 aspnetdb SQL 数据库进行表单身份验证。该应用程序的一项新功能是使用单点登录的新身份验证机制,以允许数千名新用户进行访问。本质上,当用户通过新的单点登录方法登录时,我将能够将他们识别为具有角色的合法用户。
所以我会有类似 HttpContext.Current.Session["email_of_authenticated_user"] (他们的身份)和 HttpContext.Current.Session["role_of_authenticated_user"] (他们的角色)。
重要的是,我不一定希望在即将停用的 aspnetdb 数据库中冗余地维护这些用户和角色,但我确实希望使用上面的会话对象来允许用户通过应用程序就好像他们正在通过表单身份验证一样。我认为 CustomRoleProviders 或 CustomMemberProviders 没有帮助,因为它们不允许创建会话级用户。
所以我的问题是如何使用会话级别的用户和角色,我必须“模仿”所有表单身份验证的优点,例如强制:
[System.Security.Permissions.PrincipalPermission(System.Security.Permissions.SecurityAction.Demand, Role = "Student")]
或
<authorization>
<allow users="wilma, barney" />
</authorization>
感谢您的任何指示。
My question is about an approach, and I am looking for tips or links to help me develop a solution. I have an .NET 4.0 web forms application that works with Forms authentication using the aspnetdb SQL database of users and passwords. A new feature for the application is a new authentication mechanism using single sign on to allow access for thousands of new users. Essentially, when the user logs in through the new single-sign-on method, I will be able to identify them as legitimate users with a role.
So I will have something like HttpContext.Current.Session["email_of_authenticated_user"] (their identity) and HttpContext.Current.Session["role_of_authenticated_user"] (their role).
Importantly, I don't necessarily want to maintain these users and roles redundantly in the aspnetdb database which will be retired, but I do want to use the session objects above to allow the user to pass through the application as if they were in passing through with forms authentication. I don't think CustomRoleProviders or CustomMemberProviders are helpful since they do not allow for creating session-level users.
So my question is how to use the session level user and role that I do have to "mimic" all the forms authentication goodness like enforcing:
[System.Security.Permissions.PrincipalPermission(System.Security.Permissions.SecurityAction.Demand, Role = "Student")]
or
<authorization>
<allow users="wilma, barney" />
</authorization>
Thanks for any pointers.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我认为您将
Forms Authentication与SqlMembershipProvider混淆了。表单身份验证是 ASP.NET 通常对用户进行授权和身份验证的方式。它没有指定如何完成此操作的具体实现。它仅提供一种方式,一旦经过身份验证,应用程序就可以通过保存为 cookie 的“票证”系统在整个应用程序中使用这些凭据。
本质上,windows中只有两种身份验证,Forms身份验证和Windows身份验证。由于您的新方法不是基于Windows的,那么您必须使用表单身份验证(除非您简单地忽略asp.net中内置的内容并自己滚动所有内容,这样做有点愚蠢)。
您可能需要研究Windows Identity Foundation,因为它为身份,包括各种基于 Web 的单点登录方法。
I think you're confusing
Forms Authenticationwith theSqlMembershipProvider.Forms authentication is the means by which ASP.NET generically authorizes and authenticates users. It does not specify a specific implementation of how that is done. It only provides a way that, once authenticated, the application can use those credentials throughout the app via a "ticket" system that's saved as a cookie.
Essentially, there are only two kinds of authentication in windows, Forms Authentication and Windows Authentication. Since your new method is not Windows based, then you have to use Forms Authentication (unless you simply ignore the stuff that's built into asp.net and roll everything yourself, which is kind of stupid to do).
You might want to look into the Windows Identity Foundation as it provides a plugable architecture for identity, including various web based single sign-on methods.