How do I re-authenticate the user in an ASP.NET MVC 3 intranet application?
The application is already using Windows integrated security, not Forms. What I am trying to accomplish is a so-called "step-up" authentication, or "force re-authentication", for the following scenario:
- the user is browsing the site doing common, trivial stuff
- suddenly, the user has to do a sensitive action such as authorizing a resource allocation or confirming a car loan or something similar
- the user is prompted for the credentials before (s)he's redirected to the sensitive page, in a manner similar to SharePoint's "Sign In as a Different User"
- if, and only if, the credentials entered are the same as for the currently logged-in user, the application proceeds to the sensitive area.
This would prevent the following two issues:
- The user goes for a meeting or a coffee and forgets to lock the workstation, and a colleague uses the session to access the sensitive area
- The user enters the credentials of his or her boss (because, let's say, he peeked over the boss' shoulder) to access the sensitive area.
I know, some would look at this as "being paranoid", but also some would say it's common sense and should be built into a framework somewhere (jQuery or .NET)
Have the form send the credentials along with the request to perform the action, i.e., some actions require that you provide username/password. Use the PrincipalContext ValidateCredentials method to ensure that the proper credentials have been entered and check that the username supplied matches the current username in the User.Identity object.
That works only the first time, but now the boss enters a sensitive area, re-enters her credentials, then goes for coffee. Are you going to prompt for every sensitive request? Users won't put up with that.
If someone knows and enters the credentials of their boss, there is nothing you can do to detect that.
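The first answer's approach put into code, with a short validity window so the user is not prompted on every sensitive request (the second answer's objection). This is an added example, not code from the question or either answer; the attribute, controller, action and session-key names and the 5-minute window are assumptions.

```csharp
// Added example, not the page's code. Assumed names: StepUpAttribute, AccountController.ReAuth,
// the "StepUpAt" session key and the 5-minute window.
using System;
using System.DirectoryServices.AccountManagement;
using System.Web.Mvc;
using System.Web.Routing;

// Demands a fresh re-authentication before a sensitive action; remembering it for a short
// window avoids prompting on every sensitive request.
public class StepUpAttribute : ActionFilterAttribute
{
    private static readonly TimeSpan Window = TimeSpan.FromMinutes(5);
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var stepUpAt = filterContext.HttpContext.Session["StepUpAt"] as DateTime?;
        if (stepUpAt.HasValue && DateTime.UtcNow - stepUpAt.Value <= Window) return;
        // Not fresh: send the user to the form, remembering where to return afterwards.
        filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary(
            new { controller = "Account", action = "ReAuth", returnUrl = filterContext.HttpContext.Request.RawUrl }));
    }
}

[Authorize, RequireHttps] // the form carries a password, so never accept it over plain HTTP
public class AccountController : Controller
{
    [HttpGet]
    public ActionResult ReAuth(string returnUrl) { return View(); }
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult ReAuth(string userName, string password, string returnUrl)
    {
        // Under Windows authentication User.Identity.Name is DOMAIN\user. The re-entered name
        // (with or without domain prefix) must denote the account that is already logged in,
        // so a colleague's or the boss's credentials do not unlock this session.
        userName = userName ?? "";
        string current = User.Identity.Name;
        string domain = current.Split('\\')[0];
        string sam = userName.Contains("\\") ? userName.Split('\\')[1] : userName;
        bool sameUser = string.Equals(current, domain + "\\" + sam, StringComparison.OrdinalIgnoreCase);
        bool valid;
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
            valid = sameUser && ctx.ValidateCredentials(sam, password);
        if (!valid)
        {
            ModelState.AddModelError("", "Re-authentication failed.");
            return View();
        }
        Session["StepUpAt"] = DateTime.UtcNow;
        return Url.IsLocalUrl(returnUrl) ? (ActionResult)Redirect(returnUrl) : RedirectToAction("Index", "Home");
    }
}
```

Decorate the sensitive actions with `[Authorize, StepUp]`; the ReAuth view is an ordinary form posting userName and password with an anti-forgery token.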