Mvc,授权反弹授权用户
我试图将MVC 5网页的一部分限制为某个Active目录组的用户,但[Authorize]属性(在控制器上)阻止登录用户。
我的登录页面代码如下所示:
public class AccountController: Controller { [AllowAnonymous] public ActionResult Login(string returnUrl) { ViewBag.ReturnUrl = returnUrl; return View(); } // POST: /Account/Login [HttpPost] [AllowAnonymous] [ValidateAntiForgeryToken] public ActionResult Login(LoginModel model, string returnUrl) { if (ModelState.IsValid) { ActiveDirectoryHelper ad = new ActiveDirectoryHelper(); if (Membership.ValidateUser(model.UserName, model.Password)) { if (ad.CheckGroupMembership(model.UserName)) { FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe); if (Url.IsLocalUrl(returnUrl) && returnUrl.Length > 1 && returnUrl.StartsWith("/") && !returnUrl.StartsWith("//") && !returnUrl.StartsWith("/\\")) { return Redirect(returnUrl); } else { return RedirectToAction("Index", "Home"); } } else { ModelState.AddModelError("", "Credentials are correct but you are no authorised \n You Need membership in group: HKF-HIT-FortigateAPI-GS"); } } else { ModelState.AddModelError("", "The user name or password provided is incorrect"); } } // if we got this far, something failed, redisplay form return View(model); } // POST: /Account/LogOff [HttpPost] [ValidateAntiForgeryToken] public ActionResult LogOff() { FormsAuthentication.SignOut(); return RedirectToAction("Index", "Home"); } } public class ActiveDirectoryHelper { string group = "HKF-HIT-FortigateAPI-GS"; public bool CheckGroupMembership(string name) { var context = new PrincipalContext( ContextType.Domain, "AD-Domain", @"Username", "Password"); var userPrincipal = UserPrincipal.FindByIdentity( context, IdentityType.SamAccountName, name); var test = userPrincipal; if (userPrincipal.IsMemberOf(context, IdentityType.Name, group)) { return true; } return false; } } 用户通过并重定向到Home控制器中的Index。
但是,该控制器的[授权]值设置如下:
[Authorize] public class HomeController : Controller { public ActionResult Index() { return View(); } }
在这里,用户反弹回登录页面,好像他没有被授权。
这也是web.config:
在浏览器中,我可以看到ADAuthCookie。
编辑:找到请求数据的图片:
帐号邮报:
小提琴手:
索引获取:
小提琴手:
编辑:问题已经解决,在通过评论链接的惊人指南后,我意识到我从未在Global.asaz.cs类中处理我的库克。
为Application_PostAuthenticateRequest添加一个Overover解决了我的问题。
我添加的代码最终使用:
protected void Application_PostAuthenticateRequest(Object sender, EventArgs e) { HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName]; if (authCookie != null) { FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value); JavaScriptSerializer serializer = new JavaScriptSerializer(); CustomPrincipalSerializeModel serializeModel = serializer.Deserialize(authTicket.UserData); CustomPrincipal newUser = new CustomPrincipal(authTicket.Name); newUser.Name = serializeModel.Name; HttpContext.Current.User = newUser; } }
在global.asax中,我还添加了:
CustomPrincipalSerializeModel serializeModel = new CustomPrincipalSerializeModel(); serializeModel.Name = model.UserName; JavaScriptSerializer serializer = new JavaScriptSerializer(); string userData = serializer.Serialize(serializeModel); FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket( 1, model.UserName, DateTime.Now, DateTime.Now.AddMinutes(15), false, userData); string encTicket = FormsAuthentication.Encrypt(authTicket); HttpCookie faCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket); Response.Cookies.Add(faCookie);
到我的登录页面。
AuthorizeAttribute 检查HttpContext.User值( IPrincipal实现)和HttpContext.User.Identity值( IIdentity实现) 。
Microsoft的所有安全框架(身份,成员资格等)都使用这些接口与MVC / ASP.NET进行通信。 如果您使用的是自定义安全框架,则还需要实现这些接口并将它们设置在AcquireRequestState (如果使用会话状态)或PostAuthorizeRequest事件中。
请参阅ASP.NET MVC – 设置自定义IIdentity或IPrincipal以获取后者的示例以及自定义IPrincipal和IIdentity实现。