So very very confused about Authentication in asp.net mvc

陌清茗 2021-02-10 15:44

I have come to the conclusion that I need to ditch ASP.NET Membership (for a list of reasons).

Now really the only thing I see that I need is creating a cookie(don

  •  青春惊慌失措
    2021-02-10 16:09

    Here's a custom attribute that works just as you want: it uses an enum for role types and leaves cookie creation to you, which allows the roles to be stored in the cookie.

    usage

      [AuthorizeAttributeCustom(RoleRequired = GoodRoles.YourRoleTypeHere)]
    

    attribute code:

    //http://stackoverflow.com/questions/977071/redirecting-unauthorized-controller-in-asp-net-mvc/977112#977112
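        [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
        public sealed class AuthorizeAttributeCustom : AuthorizeAttribute
        {
            /// <summary>
            /// The name of the view to render on authorization failure.  Default is "DeniedAccess".
            /// </summary>
            public string ViewName { get; set; }

            /// <summary>
            /// View data handed to the denied-access view; wraps <see cref="DeniedAccessView"/>.
            /// NOTE(review): a single instance is reused for every request that reaches this attribute;
            /// if the view writes into it (ModelState etc.) that state would be shared between requests — confirm.
            /// </summary>
            public ViewDataDictionary ViewDataDictionary { get; set; }

            /// <summary>
            /// Model rendered by the denied-access view.
            /// </summary>
            public DeniedAccessView DeniedAccessView { get; set; }

            private GoodRoles roleRequired = GoodRoles.None;

            /// <summary>
            /// Single role the caller must be in. <c>GoodRoles.None</c> (the default) means any
            /// authenticated user passes. The role is matched by its enum name via <c>IPrincipal.IsInRole</c>.
            /// </summary>
            public GoodRoles RoleRequired { get { return roleRequired; } set { roleRequired = value; } } // this may evolve into sets and intersections with an array but KISS

            /// <summary>
            /// Sets the default denied-access view name and a generic denied-access message.
            /// </summary>
            public AuthorizeAttributeCustom()
            {
                ViewName = "DeniedAccess";
                DeniedAccessView = new DeniedAccessView
                                       {
                                           FriendlyName = "n/a",
                                           Message = "You do not have sufficient privileges for this operation."
                                       };
                ViewDataDictionary = new ViewDataDictionary(DeniedAccessView);
            }

            /// <summary>
            /// The complete authorization rule: the base class's check (authenticated, plus any inherited
            /// <c>Users</c>/<c>Roles</c> settings) AND <see cref="RoleRequired"/>.
            /// </summary>
            /// <remarks>
            /// This is overridden because the base class routes the output-cache validation callback
            /// (<c>OnCacheAuthorization</c>) through <c>AuthorizeCore</c>. Without the override the callback
            /// only checked "is authenticated", so a page cached by a user in the required role could later be
            /// served from the cache to an authenticated user who is not in that role. Keeping the rule here
            /// means <see cref="OnAuthorization"/> and the cache callback always agree.
            /// </remarks>
            /// <param name="httpContext">The current request context; the base class throws if it is null.</param>
            /// <returns>true when the current user may run the action.</returns>
            protected override bool AuthorizeCore(HttpContextBase httpContext)
            {
                if (!base.AuthorizeCore(httpContext))
                {
                    return false;
                }

                return RoleRequired == GoodRoles.None || httpContext.User.IsInRole(RoleRequired.ToString());
            }

            /// <summary>
            /// Output-cache validation hook: re-runs the authorization rule before a cached page is served.
            /// </summary>
            private void CacheValidateHandler(HttpContext context, object data, ref HttpValidationStatus validationStatus)
            {
                validationStatus = OnCacheAuthorization(new HttpContextWrapper(context));
            }

            /// <summary>
            /// Unauthenticated callers get a 401 (which forms authentication turns into a redirect to the
            /// login page); authenticated callers that fail <see cref="AuthorizeCore"/> — including the
            /// inherited <c>Users</c>/<c>Roles</c> settings, which the original version silently ignored —
            /// are shown the denied-access view; everyone else proceeds and the cache policy is set.
            /// </summary>
            /// <param name="filterContext">The authorization context supplied by MVC.</param>
            /// <exception cref="ArgumentNullException">When <paramref name="filterContext"/> is null.</exception>
            public override void OnAuthorization(AuthorizationContext filterContext)
            {
                if (filterContext == null)
                {
                    throw new ArgumentNullException("filterContext");
                }

                if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
                {
                    // auth failed, redirect to login page
                    filterContext.Result = new HttpUnauthorizedResult();
                    return;
                }

                if (AuthorizeCore(filterContext.HttpContext))
                {
                    // is authenticated and is permitted (required role and any inherited Users/Roles)
                    SetCachePolicy(filterContext);
                    return;
                }

                // authenticated but not permitted: render the denied-access view
                filterContext.Result = new ViewResult { ViewName = ViewName, ViewData = ViewDataDictionary };
            }

            /// <summary>
            /// Prevents a successfully authorized response from being served from the output cache
            /// to a later, unauthorized caller.
            /// </summary>
            private void SetCachePolicy(AuthorizationContext filterContext)
            {
                // ** IMPORTANT **
                // Since we're performing authorization at the action level, the authorization code runs
                // after the output caching module. In the worst case this could allow an authorized user
                // to cause the page to be cached, then an unauthorized user would later be served the
                // cached page. We work around this by telling proxies not to cache the sensitive page,
                // then we hook our custom authorization code into the caching mechanism so that we have
                // the final say on whether a page should be served from the cache.
                HttpCachePolicyBase cachePolicy = filterContext.HttpContext.Response.Cache;
                cachePolicy.SetProxyMaxAge(new TimeSpan(0));
                cachePolicy.AddValidationCallback(CacheValidateHandler, null /* data */);
            }
        }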
    

    You'll need to have explicitly added your roles to the auth cookie and read them back, e.g. in a base controller. My implementation has other details which you might not want, so it may be best to read here: http://ondotnet.com/pub/a/dotnet/2004/02/02/effectiveformsauth.html
