问题
The application is already using Windows integrated security, not Forms. What I am trying to accomplish is a so called "step-up" authentication, or "force re-authentication" for the following scenario:
- the user is browsing the site doing common, trivial stuff
- suddenly, the user has to do a sensitive action such as authorizing a resource allocation or confirming a car loan or something similar
- the user is prompted for the credential before (s)he's redirected to the sensitive page, in a manner similar to SharePoint's "Sign In as a Different User"
- if, and only if, the credentials entered are the same as for the currently logged-in user the application proceeds to the sensitive area.
This would prevent the following two issues:
- The user goes for a meeting or a coffee and forgets to lock the workstation and a colleague uses the session to access the sensitive area
- The user enters the credentials of his or her boss (because, let's say he peeked over the boss' shoulder) to access the sensitive area.
I know, some would look at this as "being paranoid", but also some would say it's common sense and should be build in a framework somewhere (jQuery or .NET)
回答1:
Have the form send the credentials along with the request to perform the action, i.e., some actions require that you provide username/password. Use the PrincipalContext ValidateCredentials method to ensure that the proper credentials have been entered and check that the username supplied matches the current username in the User.Identity
object.
public ActionResult SensitiveAction( SensitiveModel model, string username, string password )
{
using (var context = new PrincipalContext(ContextType.Domain))
{
if (!string.Equals(this.User.Identity.Name,username,StringComparison.OrdinalIgnoreCase)
|| !context.ValidateCredentials(username,password))
{
return View("PermissionDenied");
}
}
...
}
回答2:
The user goes for a meeting or a coffee and forgets to lock the workstation and a colleague uses the session to access the sensitive area
That works only the first time, but now the boss enters a sensitive area, re-enters her credentials, then goes for coffee. Are you going to prompt for every sensitive request? Users won't put up with that.
The user enters the credentials of his or her boss (because, let's say he peeked over the boss' shoulder) to access the sensitive area.
If someone knows and enters the credentials of their boss, there is nothing you can do to detect that.
来源:https://stackoverflow.com/questions/7585539/how-do-i-re-authenticate-a-user-in-an-asp-net-mvc-3-intranet-application