在 WCF 中进行自定义用户名密码身份验证的最佳方法是什么?

发布于 2024-11-04 20:08:26 字数 2038 浏览 0 评论 0原文

我有以下代码(基于网络上的大量示例)

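public class UserNameValidator : UserNamePasswordValidator
{
    /// <summary>
    /// Validates a user name and password pair. The credential (salt and password hash)
    /// is taken from <see cref="InMemoryUserStore"/> when present; otherwise it is loaded
    /// from the database and added to the store before the password is checked.
    /// </summary>
    /// <param name="userName">The user name presented by the client.</param>
    /// <param name="password">The clear-text password presented by the client.</param>
    /// <exception cref="ArgumentNullException">
    /// <paramref name="userName"/> or <paramref name="password"/> is null or empty.
    /// </exception>
    /// <exception cref="SecurityTokenException">
    /// The user is unknown or the password does not verify. Both cases use the same
    /// message so the client cannot tell which one failed.
    /// </exception>
    public override void Validate(string userName, string password)
    {
        // Argument checks; nameof keeps the reported parameter name in sync with the signature.
        if (string.IsNullOrEmpty(userName))
        {
            throw new ArgumentNullException(nameof(userName));
        }
        if (string.IsNullOrEmpty(password))
        {
            throw new ArgumentNullException(nameof(password));
        }

        // Cache hit or database load. NOTE(review): nothing here evicts a cached entry,
        // so a password change or account disable in the database is not seen by this
        // validator until the store forgets the entry - confirm InMemoryUserStore expires
        // entries on its own.
        UserCredential user = InMemoryUserStore.Get(userName) ?? LoadAndCache(userName);

        // Verify the presented password against the stored salt/hash pair.
        PasswordHash p = new PasswordHash(user.PasswordSalt, user.PasswordHash);
        if (!p.Verify(password))
        {
            throw new SecurityTokenException("Unknown username or password");
        }
    }

    /// <summary>
    /// Loads the credential for <paramref name="userName"/> from the database and adds it
    /// to <see cref="InMemoryUserStore"/>.
    /// </summary>
    /// <param name="userName">The user name to look up.</param>
    /// <returns>The loaded credential; never null.</returns>
    /// <exception cref="SecurityTokenException">No user with that name exists.</exception>
    private static UserCredential LoadAndCache(string userName)
    {
        using (DataAccessAdapter da = new DataAccessAdapter())
        {
            LinqMetaData db = new LinqMetaData(da);
            UserCredential loaded = (from u in db.User
                                     where u.Username == userName
                                     select new UserCredential
                                     {
                                         UserName = u.Username,
                                         PasswordHash = u.PasswordHash,
                                         PasswordSalt = u.PasswordSalt
                                     }).FirstOrDefault();
            if (loaded == null)
            {
                // NOTE(review): this path returns before any hash computation, so an
                // unknown name fails faster than a wrong password; verifying against a
                // dummy salt/hash here would keep both failures on the same timing.
                throw new SecurityTokenException("Unknown username or password");
            }

            InMemoryUserStore.Add(loaded);
            return loaded;
        }
    }
}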

这是最好的方法吗?

I have the following code (based on numerous examples on the web)

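public class UserNameValidator : UserNamePasswordValidator
{
    /// <summary>
    /// Validates a user name and password pair. The credential (salt and password hash)
    /// is taken from <see cref="InMemoryUserStore"/> when present; otherwise it is loaded
    /// from the database and added to the store before the password is checked.
    /// </summary>
    /// <param name="userName">The user name presented by the client.</param>
    /// <param name="password">The clear-text password presented by the client.</param>
    /// <exception cref="ArgumentNullException">
    /// <paramref name="userName"/> or <paramref name="password"/> is null or empty.
    /// </exception>
    /// <exception cref="SecurityTokenException">
    /// The user is unknown or the password does not verify. Both cases use the same
    /// message so the client cannot tell which one failed.
    /// </exception>
    public override void Validate(string userName, string password)
    {
        // Argument checks; nameof keeps the reported parameter name in sync with the signature.
        if (string.IsNullOrEmpty(userName))
        {
            throw new ArgumentNullException(nameof(userName));
        }
        if (string.IsNullOrEmpty(password))
        {
            throw new ArgumentNullException(nameof(password));
        }

        // Cache hit or database load. NOTE(review): nothing here evicts a cached entry,
        // so a password change or account disable in the database is not seen by this
        // validator until the store forgets the entry - confirm InMemoryUserStore expires
        // entries on its own.
        UserCredential user = InMemoryUserStore.Get(userName) ?? LoadAndCache(userName);

        // Verify the presented password against the stored salt/hash pair.
        PasswordHash p = new PasswordHash(user.PasswordSalt, user.PasswordHash);
        if (!p.Verify(password))
        {
            throw new SecurityTokenException("Unknown username or password");
        }
    }

    /// <summary>
    /// Loads the credential for <paramref name="userName"/> from the database and adds it
    /// to <see cref="InMemoryUserStore"/>.
    /// </summary>
    /// <param name="userName">The user name to look up.</param>
    /// <returns>The loaded credential; never null.</returns>
    /// <exception cref="SecurityTokenException">No user with that name exists.</exception>
    private static UserCredential LoadAndCache(string userName)
    {
        using (DataAccessAdapter da = new DataAccessAdapter())
        {
            LinqMetaData db = new LinqMetaData(da);
            UserCredential loaded = (from u in db.User
                                     where u.Username == userName
                                     select new UserCredential
                                     {
                                         UserName = u.Username,
                                         PasswordHash = u.PasswordHash,
                                         PasswordSalt = u.PasswordSalt
                                     }).FirstOrDefault();
            if (loaded == null)
            {
                // NOTE(review): this path returns before any hash computation, so an
                // unknown name fails faster than a wrong password; verifying against a
                // dummy salt/hash here would keep both failures on the same timing.
                throw new SecurityTokenException("Unknown username or password");
            }

            InMemoryUserStore.Add(loaded);
            return loaded;
        }
    }
}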

Is this the best way of doing it?


评论(1

萌辣 2024-11-11 20:08:26

由于自定义验证器仅被调用一次,因此不需要 InMemoryStore。下面的代码是我们正在使用的代码,它在生产中运行得很好。

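    /// <summary>
    /// Validates a user name and password pair against the database on every call;
    /// no in-process credential cache is involved.
    /// </summary>
    /// <param name="userName">The user name presented by the client.</param>
    /// <param name="password">The clear-text password presented by the client.</param>
    /// <exception cref="ArgumentNullException">
    /// <paramref name="userName"/> or <paramref name="password"/> is null or empty.
    /// </exception>
    /// <exception cref="SecurityTokenException">
    /// The user is unknown or the password does not verify. Both cases use the same
    /// message so the client cannot tell which one failed.
    /// </exception>
    public override void Validate(string userName, string password)
    {
        // Argument checks; nameof keeps the reported parameter name in sync with the signature.
        if (string.IsNullOrEmpty(userName))
        {
            throw new ArgumentNullException(nameof(userName));
        }
        if (string.IsNullOrEmpty(password))
        {
            throw new ArgumentNullException(nameof(password));
        }

        // Hold the data access adapter only for the lookup; FirstOrDefault() executes the
        // query here, so the hash check below does not need the adapter to stay open.
        UserCredential userCredential;
        using (DataAccessAdapter da = new DataAccessAdapter())
        {
            LinqMetaData db = new LinqMetaData(da);
            userCredential = (from u in db.User
                              where u.Username == userName
                              select new UserCredential
                              {
                                  UserName = u.Username,
                                  PasswordHash = u.PasswordHash,
                                  PasswordSalt = u.PasswordSalt
                              }).FirstOrDefault();
        }

        if (userCredential == null)
        {
            // NOTE(review): an unknown name fails before any hash computation, so it
            // returns faster than a wrong password; verifying against a dummy salt/hash
            // here would keep both failures on the same timing.
            throw new SecurityTokenException("Unknown username or password");
        }

        // Verify the presented password against the stored salt/hash pair.
        PasswordHash p = new PasswordHash(userCredential.PasswordSalt, userCredential.PasswordHash);
        if (!p.Verify(password))
        {
            throw new SecurityTokenException("Unknown username or password");
        }
    }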

调用通过身份验证后,可以使用以下代码创建自定义主体:

/// <summary>
/// Replaces the caller's principal with a <see cref="CustomPrincipal"/> built from the
/// authenticated client identity. The signature matches the WCF
/// <c>IAuthorizationPolicy.Evaluate</c> method; the enclosing class and interface
/// declaration are not shown in this excerpt.
/// </summary>
/// <param name="evaluationContext">
/// The WCF evaluation context. The new principal is stored under its "Principal"
/// property - presumably the key the service authorization behavior reads when a
/// custom principal permission mode is configured; confirm against the host config.
/// </param>
/// <param name="state">Per-policy state; not used in this excerpt.</param>
/// <returns>Always <c>true</c>, signalling that this policy needs no further evaluation.</returns>
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        // get the authenticated client identity
        IIdentity client = GetClientIdentity(evaluationContext);            

        // add roles etc
        // NOTE(review): the "...." below is an elision in the original; roles, userId and
        // email used in the next statement are expected to be populated in this part.
        ....

        evaluationContext.Properties["Principal"] = new CustomPrincipal(client, roles.ToArray(), userId, email, client.Name);

        return true;
    }

Seeing as the Custom Validator is only called once, the InMemoryStore is not needed. The code below is what we are using, and it is working great in production.

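    /// <summary>
    /// Validates a user name and password pair against the database on every call;
    /// no in-process credential cache is involved.
    /// </summary>
    /// <param name="userName">The user name presented by the client.</param>
    /// <param name="password">The clear-text password presented by the client.</param>
    /// <exception cref="ArgumentNullException">
    /// <paramref name="userName"/> or <paramref name="password"/> is null or empty.
    /// </exception>
    /// <exception cref="SecurityTokenException">
    /// The user is unknown or the password does not verify. Both cases use the same
    /// message so the client cannot tell which one failed.
    /// </exception>
    public override void Validate(string userName, string password)
    {
        // Argument checks; nameof keeps the reported parameter name in sync with the signature.
        if (string.IsNullOrEmpty(userName))
        {
            throw new ArgumentNullException(nameof(userName));
        }
        if (string.IsNullOrEmpty(password))
        {
            throw new ArgumentNullException(nameof(password));
        }

        // Hold the data access adapter only for the lookup; FirstOrDefault() executes the
        // query here, so the hash check below does not need the adapter to stay open.
        UserCredential userCredential;
        using (DataAccessAdapter da = new DataAccessAdapter())
        {
            LinqMetaData db = new LinqMetaData(da);
            userCredential = (from u in db.User
                              where u.Username == userName
                              select new UserCredential
                              {
                                  UserName = u.Username,
                                  PasswordHash = u.PasswordHash,
                                  PasswordSalt = u.PasswordSalt
                              }).FirstOrDefault();
        }

        if (userCredential == null)
        {
            // NOTE(review): an unknown name fails before any hash computation, so it
            // returns faster than a wrong password; verifying against a dummy salt/hash
            // here would keep both failures on the same timing.
            throw new SecurityTokenException("Unknown username or password");
        }

        // Verify the presented password against the stored salt/hash pair.
        PasswordHash p = new PasswordHash(userCredential.PasswordSalt, userCredential.PasswordHash);
        if (!p.Verify(password))
        {
            throw new SecurityTokenException("Unknown username or password");
        }
    }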

Once the call is authenticated, you can create a Custom Principal using the following:

/// <summary>
/// Replaces the caller's principal with a <see cref="CustomPrincipal"/> built from the
/// authenticated client identity. The signature matches the WCF
/// <c>IAuthorizationPolicy.Evaluate</c> method; the enclosing class and interface
/// declaration are not shown in this excerpt.
/// </summary>
/// <param name="evaluationContext">
/// The WCF evaluation context. The new principal is stored under its "Principal"
/// property - presumably the key the service authorization behavior reads when a
/// custom principal permission mode is configured; confirm against the host config.
/// </param>
/// <param name="state">Per-policy state; not used in this excerpt.</param>
/// <returns>Always <c>true</c>, signalling that this policy needs no further evaluation.</returns>
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        // get the authenticated client identity
        IIdentity client = GetClientIdentity(evaluationContext);            

        // add roles etc
        // NOTE(review): the "...." below is an elision in the original; roles, userId and
        // email used in the next statement are expected to be populated in this part.
        ....

        evaluationContext.Properties["Principal"] = new CustomPrincipal(client, roles.ToArray(), userId, email, client.Name);

        return true;
    }