MVC ASP.NET - Manually authorize someone and persist the authorization via Forms Authentication

前端 未结 3 1689
無奈伤痛
無奈伤痛 2021-02-04 11:38

I want the benefits of form authentication in ASP.NET. I want it to persist the authorization for me and such, but there\'s one thing different about my situation; I want to au

相关标签:
3条回答
  • 2021-02-04 12:14

    I may be over simplifying this, but the way I read this is the following:

    1. If a user is not authenticated, you have a form that you collect the username/password
    2. The results of that form are passed to a web service for authorization
    3. If that authorization is successful, you need a way to let the web application know that they have signed in.
    4. If they are authenticated, do stuff

    If the above is correct, you do not need a membership provider. The [Authorize] attribute simply looks that the forms authentication cookie to see if it has been set and is valid for the current lifetime of the cookie. This authentication cookie stores the username of the user and the expiration time of the cookie (and other stuff, but not important here).

    Given that, you only need to set your web.config configuration element and have a method to set the authentication cookie.

    Web.Config

    <system.web>
        <authentication mode="Forms">
          <forms loginUrl="~/Account/LogOn" timeout="2880" />
        </authentication>
    </system.web>
    

    Logon URL GET action

    public ActionResult Logon(){
       //if the user is logged in, send the to the home page
       if(httpContext.User.Identity.IsAuthenticated_{
            Return RedirectToAction("Index", "Home");
       }
       Return this.View(new LoginViewModel());
    }
    

    Logon URL POST action

    [HttpPost]
    public ActionResult Logon(LoginViewModel model){
       //Check for model errors
       if(!ModelState.IsValid()){
           Return this.View(model);
       }
    
       //Validate against web service - return error if false
       if(!CheckClientsWebService(model.UserName, model.Password)){
           ModelState.AddModelError("","The username or password is invalid");
           Return this.View(model);
       } 
    
       //Manually set the authentication cookie
       FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);  
       //Send them on to the home page, they now have a authorization cookie
       Return RedirectToAction("Index", "Home");
    }
    

    Once you have called the .SetAuthCookie() function, the user will now have an authentication ticket and calls to HttpContext.User.Identity.IsAuthenticated will be true as long as the cookie has not expired and you can get the user name from HttpContext.User.Identity.Name

    0 讨论(0)
  • 2021-02-04 12:18

    In forms authentication isn't the proof of who you are in th forms authentication cookie.? With that in mind couldn't you create the ticket in a custom login form without having to create a custom provider? I would definitely think you could. Do a quick test and create a forms authentication ticket and see if the out of the box membership provider considers the user authenticated.

    I was curious-- so here is some code..

    Model

    public class SignInViewModel
    {
        public string Username { get; set; }
        public string Password { get; set; }
    }
    

    Controller

    public class SignInController : Controller
    {
    
        public ActionResult Index()
        {
            var model = new SignInViewModel {};
            return View(model);
        }
    
        [HttpPost]
        public ActionResult Index(SignInViewModel model)
        {
            if (model.Username == "Fred" && model.Password == "Mertz")
            {
                FormsAuthentication.SetAuthCookie(model.Username, false);
                return RedirectToAction("Secure");
            }
            return View(model);
        }
    
        [Authorize]
        public ActionResult Secure(SignInViewModel model)
        {
            return View();
        }
    
        [Authorize]
        public ActionResult Logout(SignInViewModel model)
        {
            FormsAuthentication.SignOut();
            return RedirectToAction("Index");
        }
    

    Index.cshtml

    @using (Html.BeginForm()) {
        <fieldset>
            <legend>SignInViewModel</legend>
    
            <div class="editor-label">
                @Html.LabelFor(model => model.Username)
            </div>
            <div class="editor-field">
                @Html.EditorFor(model => model.Username)
                @Html.ValidationMessageFor(model => model.Username)
            </div>
    
            <div class="editor-label">
                @Html.LabelFor(model => model.Password)
            </div>
            <div class="editor-field">
                @Html.EditorFor(model => model.Password)
                @Html.ValidationMessageFor(model => model.Password)
            </div>
    
            <p>
                <input type="submit" value="Login" />
            </p>
        </fieldset>
    }
    

    Secure.cshtml

    <h2>Secure</h2>
    @Html.ActionLink("Logout", "Logout")
    
    0 讨论(0)
  • 2021-02-04 12:22

    As Wiktor commented, implement your own MembershipProvider. Just implement the methods you need, leave the rest throwing a NotImplementedException.

    In your case, it looks like all you need to implement is public bool ValidateUser(string username, string password) - the implementation of which just needs to call through to your webservice.

    Then you can use all the standard built-in authentication and authorization stuff.

    0 讨论(0)
提交回复
热议问题