基于用户权限的自定义身份validation和授权

确保Identity如此强大和灵活，您可以自定义它。 使用您的用户权限作为声明，然后编写自定义的AuthorizeAttribute来检查声明，例如考虑以下代码：

 [HttpPost] public ActionResult Login(string username, string password) { if (_userManager.IsValid(username, password)) // your own user manager { var ident = new ClaimsIdentity( new[] { // adding following 2 claim just for supporting default antiforgery provider new Claim(ClaimTypes.NameIdentifier, username), new Claim("http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider", "ASP.NET Identity", "http://www.w3.org/2001/XMLSchema#string"), new Claim(ClaimTypes.Name, username), // populate assigned user rightID's form the DB and add each one as a claim new Claim("UserRight","FirstAssignedUserRightID"), new Claim("UserRight","SecondAssignedUserRightID"), }, DefaultAuthenticationTypes.ApplicationCookie); HttpContext.GetOwinContext().Authentication.SignIn( new AuthenticationProperties { IsPersistent = false }, ident); return RedirectToAction("MyAction"); // auth succeed } // invalid username or password ModelState.AddModelError("", "invalid username or password"); return View(); } 

并编写基于声明的授权属性：

 public class ClaimsAccessAttribute : AuthorizeAttribute { // in the real world you could get claim value form the DB, // I simplified the example public string ClaimType { get; set; } public string Value { get; set; } protected override bool AuthorizeCore(HttpContextBase context) { return context.User.Identity.IsAuthenticated && context.User.Identity is ClaimsIdentity && ((ClaimsIdentity)context.User.Identity).HasClaim(x => x.Type == ClaimType && x.Value == Value); } } 

最后，您只需将属性添加到操作中：

 [ClaimsAccess(CliamType="UserRight",Value="YourRightID"] public ActionResult MyAction() { // also you have access the authenticated user's claims // simply by casting User.Identity to ClaimsIdentity // ((ClaimsIdentity)User.Identity).Claims } 

我省略了用户组以简化示例，并且我还编写了一些需要编写提供程序以从DB获取的部分。