在 ASP.NET MVC 3 应用程序中扩展 Windows 身份验证
经过大量谷歌搜索并阅读了有关如何在 ASP.NET 应用程序中管理混合模式身份验证的几种解决方案后,我仍然没有适合我的问题的解决方案。
我必须为一堆不同的用户组实现一个 Intranet 应用程序。到目前为止,我一直使用 Windows 身份验证,它的实现非常简单。当涉及到授权用户组使用特殊应用程序功能时,我遇到了问题。
使用 [Authorize(Users = "DOMAIN\\USER")] 效果很好,但由于我无权访问活动目录管理,我无法按照我需要的方式配置角色管理它适合我的应用程序。
角色和成员资格之外,我想做的是定义自定义角色和成员资格(这样的扩展可能吗?例如,通过实现自己的membershipprovider?)。
除了在活动目录中定义的 你认为这是解决我的问题的最佳方案。除了 Windows 身份验证之外,我是否真的必须使用表单身份验证来实现复杂的混合模式身份验证?
使用的技术:
- MS SQL Server 2008
- MS VS 2010
- ASP.NET MVC 3 -
- 的 Razor View Engine Telerik 扩展
- Windows Server 2008 上 ASP.NET MVC IIS 7
编辑(最终解决方案感谢 dougajmcdonald 的帮助):
在指示我使用自定义 IPrincipal 实现后,我找到了一些解决方案此处 和 这里。将所有内容放在一起,我得出以下解决方案:
1.创建自定义主体实现:
public class MyPrincipal: WindowsPrincipal
{
List<string> _roles;
public MyPrincipal(WindowsIdentity identity) : base(identity) {
// fill roles with a sample string just to test if it works
_roles = new List<string>{"someTestRole"};
// TODO: Get roles for the identity out of a custom DB table
}
public override bool IsInRole(string role)
{
if (base.IsInRole(role) || _roles.Contains(role))
{
return true;
}
else
{
return false;
}
}
}
2.通过扩展“Global.asax.cs”文件将我的自定义主体实现集成到应用程序中:
protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
if (Request.IsAuthenticated)
{
WindowsIdentity wi = (WindowsIdentity)HttpContext.Current.User.Identity;
MyPrincipal mp = new MyPrincipal(wi);
HttpContext.Current.User = mp;
}
}
3.在我的应用程序中使用我的自定义角色进行授权应用程序
public class HomeController : Controller
{
[Authorize(Roles= "someTestRole")]
public ActionResult Index()
{
ViewBag.Message = "Welcome to ASP.NET MVC!";
return View();
}
}
它有效!是的!
after a lot of googling and reading several solutions on how to manage mixed mode authentication in ASP.NET apps, I still have no fitting solution for my problem.
I've got to implement an intranet application for a bunch of different user groups. Until now i've used windows authenthication which was very simple to implement. My problems arise when it comes to authorizing usergroups for special application functionalities.
Using [Authorize(Users = "DOMAIN\\USER")] works great but due to that i have no access to the active directory managament, it is impossible to me to configure rolemanagement in the way I need it for my application.
What I'd like to do is defining custom roles and memberships in addition to the ones that are defined within the active directory (is such an extension possible? e.g. by implementing an own membershipprovider?).
What do you think is the best solution for my problem. Do I really have to implement a complex mixed mode authentication with forms authentication in addition to windows authentication?
Used Technologies:
- MS SQL Server 2008
- MS VS 2010
- ASP.NET MVC 3 - Razor View Engine
- Telerik Extensions for ASP.NET MVC
- IIS 7 on Windows Server 2008
EDIT (final solution thanks to the help of dougajmcdonald):
After pointing me to use a custom IPrincipal implementation I've found some solutions here and here. Putting everything together I came to the following solution:
1.Create a custom principal implementation:
public class MyPrincipal: WindowsPrincipal
{
List<string> _roles;
public MyPrincipal(WindowsIdentity identity) : base(identity) {
// fill roles with a sample string just to test if it works
_roles = new List<string>{"someTestRole"};
// TODO: Get roles for the identity out of a custom DB table
}
public override bool IsInRole(string role)
{
if (base.IsInRole(role) || _roles.Contains(role))
{
return true;
}
else
{
return false;
}
}
}
2.Integrate my custom principal implementation into the application through extending the "Global.asax.cs" file:
protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
if (Request.IsAuthenticated)
{
WindowsIdentity wi = (WindowsIdentity)HttpContext.Current.User.Identity;
MyPrincipal mp = new MyPrincipal(wi);
HttpContext.Current.User = mp;
}
}
3.Use my custom roles for authorization in my application
public class HomeController : Controller
{
[Authorize(Roles= "someTestRole")]
public ActionResult Index()
{
ViewBag.Message = "Welcome to ASP.NET MVC!";
return View();
}
}
It works!!! yeah!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我不确定这是否仍然适用于 MVC,但在 Webforms 中,执行此操作的一种方法如下:
这样您仍然可以连接到Principal.IsInRole("MyRole") 以及主体[PrincipalPermission()] 注释。
希望有帮助。
编辑回答q's:
要将主体集成到授权中,您需要在 global.asax 中为身份验证类型编写自己的 OnAuthenticate 方法,所以我会为您猜测,类似这样:
我相信授权会在稍后的日期加入到PrincipalPermission中,但我不太确定何时/为何会出现差异,我担心:( - 抱歉!
I'm not sure if this still applies in MVC, but in Webforms one way to do this would be as follows:
This way you can still hook into Principal.IsInRole("MyRole") and also the principal [PrincipalPermission()] annotation.
Hope it helps.
EDIT in answer to q's:
To integrate the principal into the authorisation you need to write your own method for OnAuthenticate in the global.asax for the type of authentication, so I would guess for you, something like this:
I believe Authorize came in at a later date to the PrincipalPermission, but I'm not too sure as to when/why of the differences I'm afraid :( - sorry!