MVC 4.0 FormsAuthentication and AuthorizeAttribute in custom authorization

Date: 2013-10-21 10:10:00

Tags: c# asp.net asp.net-mvc-4

I'm using MVC4 and I'm trying to modify the process used to validate users and assign them roles. Everything works with the attribute [Authorize(Users = "adminadmin")], but with [Authorize(Roles = "Admin")] I get the login page every time and can't access the action.

Global.asax.cs:

using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class MvcApplication : HttpApplication   // class name as generated by the MVC 4 project template
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // look if any security information exists for this request
        if (HttpContext.Current.User != null)
        {
            // see if this user is authenticated, i.e. an authentication cookie (ticket) exists for this user
            if (HttpContext.Current.User.Identity.IsAuthenticated)
            {
                // see if the authentication was done using FormsAuthentication
                if (HttpContext.Current.User.Identity is FormsIdentity)
                {
                    // get the identity of the user
                    FormsIdentity identity = (FormsIdentity)HttpContext.Current.User.Identity;
                    // get the forms authentication ticket of the user (its UserData could carry the roles;
                    // here the roles are hard-coded from the user name instead)
                    FormsAuthenticationTicket ticket = identity.Ticket;
                    List<string> roles = new List<string>();
                    if (identity.Name == "adminadmin")
                        roles.Add("Admin");
                    // create a generic principal carrying the roles and assign it to the current request
                    HttpContext.Current.User = new GenericPrincipal(identity, roles.ToArray());
                }
            }
        }
    }
}

AccountController:

using System.Web.Mvc;
using System.Web.Security;

[InitializeSimpleMembership]
public class AccountController : Controller
{
    public ActionResult Login()
    {
        return View();
    }

    [HttpPost]
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        // Lets first check if the Model is valid or not
        if (ModelState.IsValid)
        {
            string username = model.UserName;
            string password = model.Password;

            // placeholder credential check used while testing: a user whose password equals the user name is accepted
            bool userValid = username == password;

            // User is valid
            if (userValid)
            {
                FormsAuthentication.SetAuthCookie(username, false);
                // only follow returnUrl when it is a local path (guards against open redirects)
                if (Url.IsLocalUrl(returnUrl) && returnUrl.Length > 1 && returnUrl.StartsWith("/")
                    && !returnUrl.StartsWith("//") && !returnUrl.StartsWith("/\\"))
                {
                    return Redirect(returnUrl);
                }
                else
                {
                    return RedirectToAction("Index", "Home");
                }
            }
            else
            {
                ModelState.AddModelError("", "The user name or password provided is incorrect.");
            }
        }

        // If we got this far, something failed, redisplay form
        return View(model);
    }

    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut();

        return RedirectToAction("Index", "Home");
    }
}

HomeController.cs:

using System.Web.Mvc;

public class HomeController : Controller
{
    [AllowAnonymous]
    public ActionResult Index()
    {
        ViewBag.Message = "Modify this template to jump-start your ASP.NET MVC application.";

        return View();
    }

    [Authorize]
    public ActionResult About()
    {
        ViewBag.Message = "Your app description page.";

        return View();
    }

    [Authorize(Roles = "Admin")]
    public ActionResult Contact()
    {
        ViewBag.Message = "Your contact page.";

        return View();
    }
}

Web.config:

(...)
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="2880"/>
    </authentication>
(...)

2 answers:

Answer 0 (score: 5)

You're almost there. What is happening now is that you set the principal to your custom principal, and then the SimpleMembership provider comes in after you and wipes out your principal by setting it to System.Web.Security.RolePrincipal. Move your current Application_AuthenticateRequest code into a new Application_PostAuthenticateRequest handler and your custom principal will stay in place.
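
A worked version of the fix, added here as an example and not code from the question or the answer: the principal is rebuilt in Application_PostAuthenticateRequest, and the roles are carried in the ticket's UserData instead of being derived from the user name on every request. The RoleLookup and TicketAuth helper names are assumptions, as is the MvcApplication class name (the MVC 4 template's default).

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Security;

// Assumed helper (not from the question): maps a user name to its roles at login time.
// A real application would read this from its user store.
public static class RoleLookup
{
    public static string[] RolesFor(string userName)
    {
        return userName == "adminadmin" ? new[] { "Admin" } : new string[0];
    }
}

// Assumed helper (not from the question): issues and reads a Forms ticket whose UserData holds the roles.
public static class TicketAuth
{
    // Issue the authentication cookie by hand so the roles travel inside the ticket.
    // With the default <forms protection="All">, the ticket is encrypted and MAC-protected
    // with the machineKey, so the client cannot alter the role list.
    // Role names must not contain commas, since UserData is a comma-separated list.
    public static void IssueAuthCookie(HttpResponseBase response, string userName, string[] roles, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                                          // ticket version
            userName,
            DateTime.Now,
            DateTime.Now.Add(FormsAuthentication.Timeout),
            persistent,
            string.Join(",", roles),                    // UserData: comma-separated role names
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent)
            cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // Rebuild the principal from the ticket. Returns null when the request carries no Forms ticket.
    // RolePrincipal wraps the original identity, so context.User.Identity is still the FormsIdentity
    // even after the RoleManager/SimpleMembership module has replaced the principal.
    public static IPrincipal PrincipalFromTicket(HttpContext context)
    {
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return null;

        string userData = identity.Ticket.UserData ?? string.Empty;
        string[] roles = userData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        return new GenericPrincipal(identity, roles);
    }
}

// Global.asax.cs: the Global.asax handler for PostAuthenticateRequest runs after the
// FormsAuthentication and RoleManager modules have handled the same event, so the
// principal set here is the one [Authorize(Roles = "...")] checks with IsInRole.
public class MvcApplication : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal principal = TicketAuth.PrincipalFromTicket(HttpContext.Current);
        if (principal != null)
        {
            HttpContext.Current.User = principal;
            Thread.CurrentPrincipal = principal;    // keep both views of the current user in sync
        }
    }
}

// In AccountController.Login, replace
//     FormsAuthentication.SetAuthCookie(username, false);
// with
//     TicketAuth.IssueAuthCookie(Response, username, RoleLookup.RolesFor(username), false);
// so the roles are written into the ticket once, at login.
```

Two caveats worth keeping in mind with this layout: the roles are frozen for the lifetime of the ticket (with the question's timeout of 2880 minutes that is two days of sliding expiration), so removing a role from a user takes effect only when the user signs out or the ticket expires, unless you also check the user store server-side; and the ticket is only as trustworthy as the machineKey, so on a web farm the key must be shared and kept out of source control.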

Answer 1 (score: 0)

This is what you want (though it uses custom membership): http://mycodepad.wordpress.com/2014/05/17/mvc-custom-authorizeattribute-for-custom-authentication/