我一直在网上阅读大量有关身份验证和授权的内容,最后确定了一些似乎正在运行的代码......但我并不完全理解它所做的一切(就FormsAuthenticationTicket而言).
我正在使用的MVC应用程序将处理一些敏感数据,我想要检查与验证和授权相关的所有操作.
我正在使用Windows身份验证;
<authentication mode="Windows" />
<authorization>
<deny users="?"/>
</authorization>
我在SQL Server中有一组表,其中包含其他用户和权限信息.
在我的Global.asax中,我有以下方法的启发
http://www.codeproject.com/Articles/5182/Insight-into-Security-Model-using-Principal-and-Id
protected void WindowsAuthentication_OnAuthenticate(object sender, WindowsAuthenticationEventArgs e)
{
if (e.Identity == null || !e.Identity.IsAuthenticated)
{
//Redirect to error or access denied page
}
string userData = e.Identity.AuthenticationType;
var cachedUser = HttpContext.Current.Cache[e.Identity.Name] as User;
if (cachedUser == null)
{
var user = repo.GetUserByFullUserName(e.Identity.Name);
HttpContext.Current.Cache.Insert(e.Identity.Name, user, null, DateTime.Now.AddMinutes(2), Cache.NoSlidingExpiration);
cachedUser = HttpContext.Current.Cache[e.Identity.Name] as User;
}
var userIdentity = e.Identity.Name;
var formsAuthTicket = new FormsAuthenticationTicket(1, e.Identity.Name, …cookies forms-authentication windows-authentication asp.net-mvc-4