ASP.NET MVC and login authentication

I have searched through many posts here about custom user authentication, but none of them solved all of my problems.

I am new to ASP.NET MVC, coming from classic ASP.NET (WebForms), and I don't know how to build a login/authentication mechanism for users with ASP.NET MVC.

    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        string userName = Login1.UserName;
        string password = Login1.Password;
        bool rememberUserName = Login1.RememberMeSet;

        if (validateuser(userName, password))
        {
            // Fetch the role
            Database db = DatabaseFactory.CreateDatabase();
            // Create Command object
            System.Data.Common.DbCommand cmd = db.GetStoredProcCommand("sp_RolesForUser");
            db.AddInParameter(cmd, "@Uid", System.Data.DbType.String, 15);
            db.SetParameterValue(cmd, "@Uid", userName);
            System.Data.IDataReader reader = db.ExecuteReader(cmd);
            System.Collections.ArrayList roleList = new System.Collections.ArrayList();

            if (reader.Read())
            {
                roleList.Add(reader[0]);
                string myRoles = (string)roleList[0];

                // Create Forms Authentication ticket
                // Parameter(1) = Ticket version
                // Parameter(2) = User ID
                // Parameter(3) = Ticket current date and time
                // Parameter(4) = Ticket expiry
                // Parameter(5) = Remember me check
                // Parameter(6) = User's associated roles in this ticket
                // Parameter(7) = Cookie path (if any)
                FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
                    DateTime.Now.AddMinutes(20), rememberUserName, myRoles, FormsAuthentication.FormsCookiePath);

                // The ticket is encrypted (and MAC-protected) before it goes into the cookie
                string hashCookies = FormsAuthentication.Encrypt(ticket);
                HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hashCookies);
                // Add the cookie to the user's browser
                Response.Cookies.Add(cookie);

                // HttpContext.Current.User is not rebuilt until the next request, so the role
                // just read from the database is checked here instead of User.IsInRole
                if (myRoles == "Administrators")
                {
                    Response.Redirect("~/Admin/Default.aspx");
                }
                else
                {
                    string returnURL = "~/Default.aspx";
                    // get the requested page
                    //string returnUrl = Request.QueryString["ReturnUrl"];
                    //if (returnUrl == null)
                    //    returnUrl = "~/Default.aspx";
                    Response.Redirect(returnURL);
                }
            }
        }
    }

    protected bool validateuser(string UserName, string Password)
    {
        Boolean boolReturnValue = false;
        // Create connection using Enterprise Library Database Factory
        Database db = DatabaseFactory.CreateDatabase();
        // Create Command object
        DbCommand cmd = db.GetStoredProcCommand("sp_ValidateUser");
        db.AddInParameter(cmd, "@userid", DbType.String, 15);
        db.SetParameterValue(cmd, "@userid", UserName);
        db.AddInParameter(cmd, "@password", DbType.String, 15);
        db.SetParameterValue(cmd, "@password", Password);
        db.AddOutParameter(cmd, "@retval", DbType.Int16, 2);
        db.ExecuteNonQuery(cmd);
        int theStatus = (System.Int16)db.GetParameterValue(cmd, "@retval");
        if (theStatus > 0) // Authenticated user
            boolReturnValue = true;
        else // Unauthorized
            boolReturnValue = false;
        return boolReturnValue;
    }

I really don't know how to translate this ASP.NET code into an MVC-esque architecture; I'm still at a loss as to how authentication is implemented in ASP.NET MVC.

What do I need to do? How do I implement the above code in ASP.NET MVC? What am I missing in that code?

You can write the authentication service yourself. Here is the short story:

Your user model class (i.e.)

    public class User
    {
        public int UserId { get; set; }
        public string Name { get; set; }
        public string Username { get; set; }
        public string Password { get; set; }
        public string Email { get; set; }
        public bool IsAdmin { get; set; }
    }

Your user repository class (i.e.)

    using System.Linq;

    public class UserRepository
    {
        Context context = new Context();

        // Looks up the user whose username and password both match the supplied values
        public User GetByUsernameAndPassword(User user)
        {
            return context.Users
                .Where(u => u.Username == user.Username && u.Password == user.Password)
                .FirstOrDefault();
        }
    }

and your user application class (i.e.)

    public class UserApplication
    {
        UserRepository userRepo = new UserRepository();

        public User GetByUsernameAndPassword(User user)
        {
            return userRepo.GetByUsernameAndPassword(user);
        }
    }

Here is your account controller (i.e.)

    using System.Web.Mvc;
    using System.Web.Security;

    public class AccountController : Controller
    {
        UserApplication userApp = new UserApplication();
        SessionContext context = new SessionContext();

        public ActionResult Login()
        {
            return View();
        }

        [HttpPost]
        public ActionResult Login(User user)
        {
            var authenticatedUser = userApp.GetByUsernameAndPassword(user);
            if (authenticatedUser != null)
            {
                // Issue the (non-persistent) forms authentication cookie and go to the home page
                context.SetAuthenticationToken(authenticatedUser.UserId.ToString(), false, authenticatedUser);
                return RedirectToAction("Index", "Home");
            }
            return View();
        }

        public ActionResult Logout()
        {
            FormsAuthentication.SignOut();
            return RedirectToAction("Index", "Home");
        }
    }

and your SessionContext class (i.e.)

    using System;
    using System.Web;
    using System.Web.Script.Serialization;
    using System.Web.Security;

    public class SessionContext
    {
        public void SetAuthenticationToken(string name, bool isPersistent, User userData)
        {
            string data = string.Empty;
            if (userData != null)
                data = new JavaScriptSerializer().Serialize(userData);

            // The serialized user goes into the ticket's UserData so that GetUserData can read it back
            FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, name, DateTime.Now,
                DateTime.Now.AddYears(1), isPersistent, data);

            string cookieData = FormsAuthentication.Encrypt(ticket);
            HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, cookieData)
            {
                HttpOnly = true
            };
            // Only a persistent ("remember me") login gets an expiry; otherwise it stays a session cookie
            if (isPersistent)
                cookie.Expires = ticket.Expiration;
            HttpContext.Current.Response.Cookies.Add(cookie);
        }

        public User GetUserData()
        {
            User userData = null;
            try
            {
                HttpCookie cookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];
                if (cookie != null)
                {
                    FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
                    if (ticket != null && !ticket.Expired)
                        userData = new JavaScriptSerializer().Deserialize(ticket.UserData, typeof(User)) as User;
                }
            }
            catch (Exception)
            {
                // A tampered or undecryptable cookie simply yields no user
            }
            return userData;
        }
    }

Finally, add the following element to the relevant section of your web.config file:

Now you just need to put the [Authorize] attribute on top of every controller that requires authentication. Like this:

    [Authorize]
    public class ClassController : Controller
    {
        ...
    }
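The answer above compares passwords as plain strings and stores a serialized User in the ticket without ever restoring roles to the principal. The following is an added example, not the answer's code, with hypothetical class names PasswordHasher and FormsAuthSession: it verifies a PBKDF2 password hash in constant time, issues a ticket that carries only the user name and roles (as the question's WebForms code did), and restores those roles in Application_PostAuthenticateRequest so that [Authorize(Roles = "...")] and User.IsInRole work. It assumes forms authentication is enabled in web.config (authentication mode="Forms").

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
// Hypothetical helper classes (added example); not the answer's UserRepository/SessionContext.
public static class PasswordHasher
{
    // PBKDF2 with a random 16-byte salt, stored as "iterations.salt.hash" (base64): the database never holds the password itself.
    public static string Hash(string password, int iterations = 100000)
    {
        var salt = new byte[16]; using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            return iterations + "." + Convert.ToBase64String(salt) + "." + Convert.ToBase64String(kdf.GetBytes(32));
    }
    public static bool Verify(string password, string stored)
    {
        var parts = stored.Split('.'); if (parts.Length != 3) return false;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, int.Parse(parts[0])))
        {
            byte[] actual = kdf.GetBytes(expected.Length);
            int diff = 0; // constant-time compare: never exits early on the first mismatching byte
            for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
            return diff == 0;
        }
    }
}
public static class FormsAuthSession
{
    // The ticket carries only the user name and a comma-separated role list, never the User object or its password.
    public static void SignIn(string userName, string[] roles, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now, DateTime.Now.AddMinutes(20), persistent, string.Join(",", roles), FormsAuthentication.FormsCookiePath);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket)) { HttpOnly = true, Secure = FormsAuthentication.RequireSSL };
        if (persistent) cookie.Expires = ticket.Expiration; // non-persistent logins stay session cookies
        HttpContext.Current.Response.Cookies.Add(cookie);
    }
    // Call from Application_PostAuthenticateRequest in Global.asax: FormsAuthenticationModule has already
    // validated the cookie, so rebuild the principal with the ticket's roles for [Authorize(Roles = ...)] and User.IsInRole.
    public static void RestorePrincipal(HttpContext context)
    {
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null || identity.Ticket.Expired) return;
        var roles = identity.Ticket.UserData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        context.User = new GenericPrincipal(identity, roles);
    }
}
```

Store PasswordHasher.Hash(...) in the User.Password column at registration and call PasswordHasher.Verify in the repository instead of comparing strings; Verify returns false for a malformed stored value or a wrong password.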

Given your comment about tutorials, see the asp.net/mvc learn section on security.

In particular, this tutorial creates a secure ASP.NET MVC 5 web app with log in, email confirmation and password reset.

Code:

    using Microsoft.AspNet.Identity;

    // inside a controller action
    public ActionResult Index()
    {
        if (Request.IsAuthenticated)
        {
            return View();
        }
        // Not signed in: a 401 lets the authentication module redirect to the login page
        return new HttpUnauthorizedResult();
    }