Question
I have a custom role provider, built on a Role entity, and a many-to-many relationship called RoleUser, between my forms auth User entities and the Roles. I would like to switch this role provider into using Windows auth as well now. It seems convenient for me to piggyback off the forms Users, and create 'shadows' of AD users in my Users entities.
Is this feasible or frowned upon, and are there any good papers etc. on this kind of setup?
I'm using EF Code First against SQL 2005, and am not using a custom membership provider, as my User controller and repository handle all I need quite fine; just a role provider.
Answer 1:
Notice that we have 5 types of authentication:
1- Anonymous Authentication
2- Asp.net Impersonation
3- Basic Authentication HTTP 401 Challenge
4- Forms Authentication HTTP 302 Login/Redirect
5- Windows Authentication HTTP 401 Challenge
The philosophy of MVC authentication refers to the fact that MVC doesn't use ViewState to authenticate users. It does not use view state or server-based forms. This makes the MVC framework ideal for developers who want full control over the behavior of an application.
According to MVC standards, Windows authentication is suitable for intranet applications, and forms authentication for internet applications, because of security issues and more.
It's not common to use both Windows and forms authentication together. But you can use a hybrid of them, like this CodeProject article. Unless you want to do an action like forms authentication and at the backend store Windows account information via your own programmability, to a DB or so. Only make sure there is no challenge among the types of authentication.
There is another important thing, which is the difference between Authentication and Authorization, which you can configure in web.config like below:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
or
<authentication mode="Windows"/>
<authorization>
<deny users="?"/>
</authorization>
This MSDN Article might be helpful too.
Answer 2:
The membership provider in this case can be a custom membership provider that uses "user" and "role" models from an Entity Framework DbContext. The user model may have a boolean field that just tells whether the user is a domain user or not. When dealing with domain users you can have an option of importing the users from the Active Directory domain. The admin can just import the AD users that are required into the database. Once they are in the database they can log in. In the Account controller's Login action we can check if the user is a domain user; if he is, then authenticate the user with the domain controller and then allow him to log in and issue him a token. Here is a nice article on AD authentication with forms. It is in VB, however you can get the idea. You can also follow the article and create a provider that supports both authentication types.
http://www.cmjackson.net/2009/10/23/asp-net-mvc-using-forms-authentication-with-ldap/
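An added example (not from the question, either answer, or the linked article) of the flow Answer 2 describes: shadow rows for AD users in the same Users table as the forms users, an IsDomainUser flag, a single role provider that reads the RoleUser join table for both kinds of account, and a Login action that validates domain users against the domain controller and forms users against a stored password hash before issuing the forms ticket. The entity names (User, Role, RoleUser, AppDbContext), the IsDomainUser and PasswordHash columns, the ShadowRoleProvider and LoginService class names, and the domain name "CORP" are all assumptions for illustration. The one security point a practitioner would want here is that the flag decides which credential store may vouch for a row: a shadow row is never checked against a local hash, a forms row is never sent to AD, and the name written into the ticket is the stored canonical name, not whatever the user typed.

```csharp
// Added example; assumes EF Code First, a single AD domain, and the entity
// names below (none of these are defined on the original page).
using System;
using System.Collections.Generic;
using System.Data.Entity;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Web.Helpers;
using System.Web.Mvc;
using System.Web.Security;

public class User
{
    public int Id { get; set; }
    public string UserName { get; set; }          // canonical: lower-case sAMAccountName or forms name
    public string PasswordHash { get; set; }      // null for shadow rows; only forms users have one
    public bool IsDomainUser { get; set; }        // true = shadow of an AD account (assumed column)
    public virtual ICollection<RoleUser> RoleUsers { get; set; }
}
public class Role { public int Id { get; set; } public string Name { get; set; } public virtual ICollection<RoleUser> RoleUsers { get; set; } }
public class RoleUser { public int Id { get; set; } public int UserId { get; set; } public int RoleId { get; set; } public virtual User User { get; set; } public virtual Role Role { get; set; } }
public class AppDbContext : DbContext
{
    public DbSet<User> Users { get; set; }
    public DbSet<Role> Roles { get; set; }
    public DbSet<RoleUser> RoleUsers { get; set; }
}

public static class AccountNames
{
    // Windows auth hands the provider "CORP\alice"; a forms login may receive "alice@corp.example".
    // Both map to the shadow row stored as "alice". Assumes one domain, so the prefix/suffix is dropped.
    public static string Normalize(string name)
    {
        if (string.IsNullOrWhiteSpace(name)) return string.Empty;
        name = name.Trim();
        int bs = name.LastIndexOf('\\');
        if (bs >= 0) name = name.Substring(bs + 1);
        int at = name.IndexOf('@');
        if (at >= 0) name = name.Substring(0, at);
        return name.ToLowerInvariant();
    }
}

// One role provider for both account types: roles live only in RoleUser, never in AD groups.
public class ShadowRoleProvider : RoleProvider
{
    public override string ApplicationName { get; set; }

    public override string[] GetRolesForUser(string username)
    {
        string name = AccountNames.Normalize(username);
        using (var db = new AppDbContext())
            return db.RoleUsers.Where(ru => ru.User.UserName == name).Select(ru => ru.Role.Name).ToArray();
    }
    public override bool IsUserInRole(string username, string roleName)
    {
        return GetRolesForUser(username).Contains(roleName, StringComparer.OrdinalIgnoreCase);
    }
    public override bool RoleExists(string roleName)
    {
        using (var db = new AppDbContext()) return db.Roles.Any(r => r.Name == roleName);
    }
    public override string[] GetAllRoles()
    {
        using (var db = new AppDbContext()) return db.Roles.Select(r => r.Name).ToArray();
    }
    public override string[] GetUsersInRole(string roleName)
    {
        using (var db = new AppDbContext())
            return db.RoleUsers.Where(ru => ru.Role.Name == roleName).Select(ru => ru.User.UserName).ToArray();
    }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch)
    {
        string name = AccountNames.Normalize(usernameToMatch);
        return GetUsersInRole(roleName).Where(u => u.Contains(name)).ToArray();
    }
    // Role management goes through the question's own User controller/repository, so the
    // provider is deliberately read-only: ASP.NET never calls these unless code does explicitly.
    public override void CreateRole(string roleName) { throw new NotSupportedException("use the User repository"); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException("use the User repository"); }
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException("use the User repository"); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException("use the User repository"); }
}

public static class LoginService
{
    // Returns the canonical stored user name to put in the forms ticket, or null on failure.
    public static string Authenticate(string typedName, string password, string domainName)
    {
        string name = AccountNames.Normalize(typedName);
        // Some directories accept an empty password as an anonymous bind; never let that count as a login.
        if (name.Length == 0 || string.IsNullOrEmpty(password)) return null;
        using (var db = new AppDbContext())
        {
            var user = db.Users.SingleOrDefault(u => u.UserName == name);
            if (user == null) return null;                       // not imported = no shadow row = no login
            if (user.IsDomainUser)
            {
                // Only the domain controller may vouch for a shadow row; its PasswordHash is ignored.
                using (var ctx = new PrincipalContext(ContextType.Domain, domainName))
                    return ctx.ValidateCredentials(name, password) ? user.UserName : null;
            }
            // Forms user: a shadow row with a hash set by mistake still never reaches this branch.
            if (string.IsNullOrEmpty(user.PasswordHash)) return null;
            return Crypto.VerifyHashedPassword(user.PasswordHash, password) ? user.UserName : null;
        }
    }
}

public class AccountController : Controller
{
    [HttpPost]
    public ActionResult Login(string userName, string password, string returnUrl)
    {
        string canonical = LoginService.Authenticate(userName, password, "CORP"); // domain name assumed
        if (canonical == null)
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            return View();
        }
        FormsAuthentication.SetAuthCookie(canonical, false);   // ticket carries the stored name, not the typed one
        return Url.IsLocalUrl(returnUrl) ? (ActionResult)Redirect(returnUrl) : RedirectToAction("Index", "Home");
    }
}
```

Register ShadowRoleProvider as the default role provider in web.config and the same GetRolesForUser path serves both configurations from Answer 1: under mode="Windows" the username arriving is "CORP\alice" from IIS, under mode="Forms" it is the canonical "alice" written into the ticket above, and Normalize collapses both onto the same shadow row.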
Source: https://stackoverflow.com/questions/10156873/how-to-use-both-windows-and-forms-auth-with-a-single-custom-role-provider