Question

我有一个在Windows Phone 8.1设备上运行的应用程序，它访问ASP.NET MVC WebAPI上的后端构建。使用FormsAuthentication进行身份验证，因为在此设置中无法进行Windows身份验证。我可以让它运行：用户在手机上以自定义登录表单输入她的凭据，在服务器端，凭据将根据Active Directory进行验证。之后，客户端获得AuthenticationToken。

此片段来自LoginController：

if (Membership.ValidateUser(username, password))
{
    FormsAuthentication.SetAuthCookie(username, false);
    return Request.CreateResponse(HttpStatusCode.OK);
}
else
    return Request.CreateResponse(HttpStatusCode.Unauthorized);

此代码段显示了Web.Config中的身份验证配置：

<system.web>
  <authentication mode="Forms" />
  <authorization>
    <allow users="*" />
  </authorization>
  <membership defaultProvider="MembershipADProvider">
    <providers>
      <add name="MembershipADProvider" 
           type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           connectionStringName="ADConnectionString"/>
    </providers>
  </membership>
</system.web>

我的问题是FormsIdentity只公开用户名。但是后端需要一个包含AD-User的SID的WindowsIdentity。后端最初是为基于浏览器的客户端构建的，并不是为移动设备服务。

var windowsId = User.Identity as WindowsIdentity;
if (windowsId == null) return null;
var sid = windowsId.User;

我的想法是在身份验证发生后用FormsIdentity替换FormsIdentity。为了做到这一点，我连接到ASP.NET管道的PostAuthenticateRequest事件：

using System;
using System.Web;

namespace MyApp
{
    public class FromToWindowsAuthenticationModule : IHttpModule
    {
        public void Init(HttpApplication context)
        {
            context.PostAuthenticateRequest += PostAuthenticateRequest;
        }

        public void Dispose()
        {
        }

        private void PostAuthenticateRequest(object sender, EventArgs e)
        {
            var ctx = HttpContext.Current;
            if (ctx.Request.IsAuthenticated)
            {
                var principal = ctx.User;
                var formsIdentity = principal.Identity as FormsIdentity;
                if (formsIdentity != null)
                {
                    var username = formsIdentity.Name;

                    var ident = new WindowsIdentity(...);  // ???????????????????

                    var newUser = new WindowsPrincipal(ident);        
                    ctx.User = Thread.CurrentPrincipal = newUser
                }
            }
        }
    }
}

要激活模块，必须将这些行添加到Web.Config：

  <system.webServer>
    <modules>
      <add name="FormToWindowsAuthenticationModule" 
           type="MyApp.FormToWindowsAuthenticationModule"
           preCondition="managedHandler" />
    </modules>
  </system.webServer>

唯一缺少的是从ActiveDirectory中检索WindowsIdentifier的部分。我怎么能这样做？

我的方法是否可行？ Identity对象的替换是否会干扰ASP.NET管道的其余元素？

Answer 1

这看起来很有希望：

    private void PostAuthenticateRequest(object sender, EventArgs e)
    {
        var ctx = HttpContext.Current;
        if (ctx.Request.IsAuthenticated)
        {
            var principal = ctx.User;
            var formsIdentity = principal.Identity as FormsIdentity;
            if (formsIdentity != null)
            {
                var username = formsIdentity.Name;
                var domain = "mydomain.com";
                var fullyQualifiedUsername = username + "@" + domain;

                var windowsIdentity = new WindowsIdentity(fullyQualifiedUsername);
                var windowsPrincipal = new WindowsPrincipal(windowsIdentity);

                Thread.CurrentPrincipal = ctx.User = windowsPrincipal;
            }
        }
    }

在ASP.NET MVC中将FormsIdentity替换为WindowsIdentity

1 个答案: