ASP.NET 身份验证问题
我在 aspx 页面中有以下代码:
protected void Page_Load(object sender, EventArgs e)
{
if (User.Identity.IsAuthenticated)
lblAuthentication.Text =
"Authenticated user: " + User.Identity.Name;
else
lblAuthentication.Text =
"User not authenticated. Anonymous access ";
lblWindowsIdentity.Text =
"Windows identity: " + WindowsIdentity.GetCurrent().Name;
} // Page_Load()
web.config 设置如下:
<authentication mode="Windows" />
<authorization>
<allow users="*" />
</authorization>
当以管理员 Bob 身份登录时,我得到以下输出
Authenticated user: Bob-PC\Bob
Windows identity: Bob-PC\Bob
其他代码显示:
Administrator: True
User: True
Guest: False
PowerUser: False
AccountOperator: False
SystemOperator: False
然后我切换用户 (Windows Vista),以 Guest 身份登录,浏览到同一个网站,我得到相同的输出???
Authenticated user: Bob-PC\Bob
Windows identity: Bob-PC\Bob
Administrator: True
User: True
Guest: False
PowerUser: False
AccountOperator: False
SystemOperator: False
为什么不同的用户会得到相同的输出?
I have following code in an aspx page:
protected void Page_Load(object sender, EventArgs e)
{
if (User.Identity.IsAuthenticated)
lblAuthentication.Text =
"Authenticated user: " + User.Identity.Name;
else
lblAuthentication.Text =
"User not authenticated. Anonymous access ";
lblWindowsIdentity.Text =
"Windows identity: " + WindowsIdentity.GetCurrent().Name;
} // Page_Load()
web.config settings are as follows:
<authentication mode="Windows" />
<authorization>
<allow users="*" />
</authorization>
When logged in as Bob who is Administrator I get following output
Authenticated user: Bob-PC\Bob
Windows identity: Bob-PC\Bob
Additional code shows me:
Administrator: True
User: True
Guest: False
PowerUser: False
AccountOperator: False
SystemOperator: False
Then I switch user (Windows Vista), log in as Guest, browse to the same website and I get the same output???
Authenticated user: Bob-PC\Bob
Windows identity: Bob-PC\Bob
Administrator: True
User: True
Guest: False
PowerUser: False
AccountOperator: False
SystemOperator: False
Why do I get the same output for different users?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
WindowsIdentity.GetCurrent().Name 是 IIS 线程运行时使用的标识。
WindowsIdentity.GetCurrent().Name is he identity under which the IIS thread is running.
因为该网站是在 Bob-PC\Bob 上下文中运行的,而不是在您登录的用户下运行。您拨打的电话正在查看网站进程(而不是网站外部[窗口的其余部分]发生的情况)。
如果您使用的是 IIS,您可以通过修改托管网站的应用程序池的属性来更改工作进程运行的身份。...
注意:您可以在 .net 中使用模拟来强制 IIS 在以下环境下运行浏览用户。这就是保护在 LAN 上运行的应用程序(例如运行 Windows 网络)的方法。但为了使其工作,您必须使用 IE,因为其他浏览器不会通过域身份验证凭据)。
Because the website is operating under the context of Bob-PC\Bob rather than the user you are logged in as. The calls you are making are looking at the website process (not what is going on outside the website[rest of windows]).
If you are using IIS you can change the identity that the worker process runs under by modifying the properties of the application pool that hosts the website....
NOTE: you can use impersonation in .net to force IIS to operate under the context of the browsing user. And this is the way that you would secure an app running on a LAN for example with a windows network running. But in order for this to work you have to use IE as other browsers dont pass the domain authentication credentials).