ASP .NET MVC Forms authorization with Active Directory groups

悲哀的现实 2020-11-29 17:38

I'm attempting to authenticate using users and groups in ASP.NET MVC against Active Directory.

I have put the following attribute on all my classes (except the acco

2 answers
  • 2020-11-29 18:13

    So I ended up implementing my own authorize attribute and using that:

    using System;
    using System.Linq;
    using System.Web;
    using System.Web.Mvc;
    using System.DirectoryServices.AccountManagement;

    namespace Application.Filters
    {  
       public class AuthorizeADAttribute : AuthorizeAttribute
       {
          // Comma-separated list of AD group names; empty means "any authenticated user"
          public string Groups { get; set; }
    
          protected override bool AuthorizeCore(HttpContextBase httpContext)
          {
             if (base.AuthorizeCore(httpContext))
             {
                /* Return true immediately if the authorization is not 
                locked down to any particular AD group */
                if (String.IsNullOrEmpty(Groups))
                   return true;
    
                // Get the AD groups (trimmed, so "GroupA, GroupB" works as well as "GroupA,GroupB")
                var groups = Groups.Split(',').Select(g => g.Trim()).ToList();
    
                // Verify that the user is in the given AD group (if any);
                // both objects hold an LDAP connection, so dispose them when done
                using (var context = new PrincipalContext(ContextType.Domain, "server"))
                using (var userPrincipal = UserPrincipal.FindByIdentity(context, 
                                                     IdentityType.SamAccountName,
                                                     httpContext.User.Identity.Name))
                {
                   // FindByIdentity returns null when the account is not found: deny rather than throw
                   if (userPrincipal == null)
                      return false;
    
                   foreach (var group in groups)
                      if (userPrincipal.IsMemberOf(context, IdentityType.Name, group))
                         return true;
                }
             }
             return false;
          }
       }
    }
    

    And then I can simply use the following above controllers or functions

    using Application.Filters;
    ...
    [AuthorizeAD(Groups = "groupname")]
    

    NB: You could simply use new PrincipalContext(ContextType.Domain); however there is a bug in .NET 4.0 that throws a (0x80005000) error at userPrincipal.IsMemberOf(...). See here for details.

    If you would like to know how to redirect to another page based on failed authorization, check my answer here: Adding an error message to the view model based on controller attribute in ASP.NET MVC

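The attribute in the answer above works, but a few things bite in production: FindByIdentity returns null for an account the domain does not know, IsMemberOf is evaluated against one group at a time, an unreachable domain controller throws, and the base class answers "authenticated but not in the group" with a 401, which under Windows authentication makes the browser prompt for credentials again. The following is an added example, not code from the original answer: a hardened variant that resolves the user's full (nested) group set with GetAuthorizationGroups, fails closed on directory errors, and returns 403 to authenticated users who are not in the group. The class name AuthorizeADHardenedAttribute and the group names in the comments are assumed; it targets ASP.NET MVC 5 on .NET Framework 4.5+ (on 4.0, pass the server name to PrincipalContext as the answer notes).

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Net;
using System.Web;
using System.Web.Mvc;

namespace Application.Filters
{
    // Added example (not from the original answer). Usage is the same as the
    // answer's attribute:  [AuthorizeADHardened(Groups = "WebAdmins, HelpDesk")]
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
    public class AuthorizeADHardenedAttribute : AuthorizeAttribute
    {
        // Comma-separated AD group names (sAMAccountName); empty = any authenticated user.
        public string Groups { get; set; }

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            // The base class rejects anonymous users and enforces Users/Roles if set.
            if (!base.AuthorizeCore(httpContext))
                return false;

            if (string.IsNullOrWhiteSpace(Groups))
                return true;

            var wanted = Groups.Split(',')
                               .Select(g => g.Trim())
                               .Where(g => g.Length > 0)
                               .ToArray();

            try
            {
                // Assumes .NET 4.5+; on 4.0 use new PrincipalContext(ContextType.Domain, "server").
                using (var context = new PrincipalContext(ContextType.Domain))
                // The two-argument overload accepts "DOMAIN\user" as Windows authentication supplies it.
                using (var user = UserPrincipal.FindByIdentity(context, httpContext.User.Identity.Name))
                {
                    // Account not found in the domain: deny instead of throwing NullReferenceException.
                    if (user == null)
                        return false;

                    // GetAuthorizationGroups returns the transitive group set (as a logon token
                    // would), so a member of a group nested inside "HelpDesk" is authorized for it.
                    using (var groups = user.GetAuthorizationGroups())
                    {
                        var memberOf = new HashSet<string>(
                            groups.Select(g => g.SamAccountName ?? g.Name),
                            StringComparer.OrdinalIgnoreCase);
                        return wanted.Any(memberOf.Contains);
                    }
                }
            }
            catch (PrincipalServerDownException)
            {
                // Fail closed: an unreachable domain controller must never grant access.
                return false;
            }
        }

        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            // Authenticated but not in the group: answer 403. The default 401 makes
            // browsers under Windows authentication re-prompt for credentials.
            if (filterContext.HttpContext.User.Identity.IsAuthenticated)
                filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
            else
                base.HandleUnauthorizedRequest(filterContext);
        }
    }
}
```

The group comparison is case-insensitive because sAMAccountName lookups in AD are; if you need the domain-qualified form ("YOURDOMAIN\HelpDesk"), compare against `g.Sid.Translate(typeof(NTAccount)).Value` instead of the sAMAccountName.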
  • 2020-11-29 18:15

    It's no longer necessary to implement your own attribute for this functionality in ASP.NET MVC 3. The AspNetWindowsTokenRoleProvider works with Active Directory users and groups. To use this with AuthorizeAttribute you need to add the following to your web.config:

    <authentication mode="Windows" />
    
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
       <providers>
          <clear />
          <add 
              name="AspNetWindowsTokenRoleProvider"
              type="System.Web.Security.WindowsTokenRoleProvider" 
              applicationName="/" />
       </providers>
    </roleManager>
    

    Then, on your controllers or action methods, you can refer to Active Directory Groups like so:

    [Authorize(Roles = "YOURDOMAIN\\Group1, YOURDOMAIN\\Group2")]
    
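The strings in Roles="..." must match exactly what the WindowsTokenRoleProvider derives from the logon token, which is the translated DOMAIN\Name of each group SID in the token, including nested groups. When an attribute unexpectedly denies someone, the quickest check is to list those names for the current user. The controller below is an added example, not code from the original answer; the controller name WhoAmIController and the group YOURDOMAIN\Group1 used to restrict it are assumptions, and it relies on the web.config shown above being in place.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web.Mvc;

namespace Application.Controllers
{
    // Added example: diagnostic page that shows the role names the
    // WindowsTokenRoleProvider will see for the caller. Restricted to the
    // (assumed) admin group so it does not leak group structure to everyone.
    public class WhoAmIController : Controller
    {
        [Authorize(Roles = @"YOURDOMAIN\Group1")]
        public ActionResult Index()
        {
            var identity = User.Identity as WindowsIdentity;
            if (identity == null)
            {
                // Forms or anonymous authentication is in effect, so there is no token to read.
                return new HttpStatusCodeResult(400, "Windows authentication is not enabled");
            }

            var lines = TokenGroupNames(identity).ToList();
            lines.Insert(0, "User: " + identity.Name);
            return Content(string.Join(Environment.NewLine, lines), "text/plain");
        }

        // Resolves every group SID in the logon token to DOMAIN\Name. These are the
        // exact strings to put in [Authorize(Roles = "...")]. SIDs that can no longer
        // be mapped (deleted groups, untrusted domains) are kept in S-1-... form
        // instead of aborting the whole listing.
        internal static IEnumerable<string> TokenGroupNames(WindowsIdentity identity)
        {
            foreach (IdentityReference sid in identity.Groups)
            {
                string name;
                try
                {
                    name = sid.Translate(typeof(NTAccount)).Value;
                }
                catch (IdentityNotMappedException)
                {
                    name = sid.Value;
                }
                yield return name;
            }
        }
    }
}
```

Because the provider reads group membership from the token rather than querying the directory, a user added to a group only picks up that role once the client presents a fresh logon (for Kerberos, a new ticket), not on the next request.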