我正在升级网站以使用MVC,我正在寻找设置身份验证的最佳方法.
此时,我已登录Active Directory:验证用户名和密码,然后设置Auth cookie.
如何在登录时存储用户的角色信息,以便我的控制器在用户浏览网站时查看这些角色?
[Authorize(Roles = "admin")]
从Active Directory获取角色列表没有问题.我只是不知道把它们放在哪里,以便控制器能够看到它们.
我有一个动作,我想只限制角色"Admin".我是这样做的:
[Authorize(Roles = "Admin")]
public ActionResult Edit(int id)
手动进入Controller/Edit/1路径后,我被重定向到登录页面.嗯,这也许不错,但我想显示404而不是它,并尝试坚持使用属性.那可能吗?
验证后我的登录代码:
var authTicket = new FormsAuthenticationTicket(
1,
userName,
DateTime.Now,
DateTime.Now.AddMinutes(20), // expiry
false,
roles,
"/");
var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(authTicket));
Response.Cookies.Add(cookie);
并且,感谢Darin Dimitrov,我有一个自定义的Authorize属性:
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, Inherited = true, AllowMultiple = true)]
public class TJAuthorize : AuthorizeAttribute {
public override void OnAuthorization(AuthorizationContext filterContext) {
string cookieName = FormsAuthentication.FormsCookieName;
if (!filterContext.HttpContext.User.Identity.IsAuthenticated ||
filterContext.HttpContext.Request.Cookies == null || filterContext.HttpContext.Request.Cookies[cookieName] == null) {
HandleUnauthorizedRequest(filterContext);
return;
}
var authCookie = filterContext.HttpContext.Request.Cookies[cookieName];
var authTicket = FormsAuthentication.Decrypt(authCookie.Value);
string[] roles = authTicket.UserData.Split(',');
var userIdentity = …