列出用户时,带有角色的Windows身份验证不起作用,角色优先级更高

时间:2015-05-10 20:07:20

标签: asp.net-mvc asp.net-mvc-5 roles roleprovider

我有" mydomain \ myusername"在具有角色Administrator的数据库中。我已经运行了几个不同配置的测试。评论与" +"被授予访问权限,而" - "需要登录。似乎用户如果被自己授权就被授予访问权限。但是当添加角色时,角色优先考虑,甚至不会看单个用户。

如何在指定角色时将单个用户或多个用户考虑在内?我正在使用自定义[DefaultAuthorize]:Asp.net MVC4: Authorize on both controller and action和OverrideAuthorize,以便控制器和操作权限不会在一起,但它不会导致忽略用户的行为。这种行为似乎是身份验证的默认行为。

编辑:我刚刚测试了一下,上面的SO的解决方案并不能真正在控制器/动作中创建OR,如果两者都被指定但是用户只在控制器组。如果用户在操作组中,则它可以工作。

编辑:我唯一能确定的是在动作中按预期定义角色。在控制器中添加角色或用户会产生无意义的行为。

所以有两个问题令人难以置信。的 1。在控制器和操作中指定角色时,似乎无法摆脱AND条件。 2.用户被忽略角色。

我正在使用带有Windows身份验证和角色的MVC5。

//-[Authorize(Roles = "Publisher,Editor", Users = "mydomain\\myusername")] //this should have worked since myusername is running the test
//-[Authorize(Users = "mydomain\\myusername",Roles = "Publisher,Editor")]  //this should have worked also
//+[Authorize(Users = "mydomain\\myusername", Roles = "Administrator,Publisher,Editor")]  //this works because of Administrator
//+[Authorize(Users="mydomain\\myusername")]
//+[Authorize(Roles = "Administrator")]
//+[Authorize(Roles = "Administrator", Users = "mydomain\\myusername")]
//+[Authorize(Roles = "Administrator,Editor", Users = "mydomain\\myusername")]
//+[Authorize(Roles = "Publisher,Administrator,Editor", Users = "mydomain\\myusername")]
[DefaultAuthorize(Roles = "Publisher,Editor")]
public class PersonEntitiesController : Controller
{

    //default role and override role works as long as it is in a group
    //-[Authorize(Roles = "Administrator")] doesn't work as it's AND with controller
    //when a user is grouped with a Role, the role takes priority
    //doesn't work as myusername is ignored and only looks at Publisher but user is not in gorup
    //-[OverrideAuthorize(Users = "mydomain\\myusername",Roles="Publisher")]  
    //+[OverrideAuthorize(Roles="Administrator")]
    //+[OverrideAuthorize(Users = "mydomain\\myusername")] //works as long as myusername is listed by itself
    //+[OverrideAuthorize(Users = "mydomain\\myusername",Roles="Administrator")] //the group works as long as myusername is in that group
    public ActionResult Index(string sortOrder, string currentFilter, string searchString, int? page)

1 个答案:

答案 0 :(得分:1)

这是Authorize属性的默认行为。该属性验证以下所有规则都通过:

  1. 用户不为空,具有身份并经过身份验证。
  2. 如果包含了用户的姓名,则会在其中包含身份名称。
  3. 如果包含角色,则包含的任何角色都出现在身份角色上。

    4. 检查ASP.NET MVC的AuthorizeAttribute.IsAuthorized代码确认它:

    protected virtual bool IsAuthorized(HttpActionContext actionContext)
{
    if (actionContext == null)
    {
      throw Error.ArgumentNull("actionContext");
    }
    IPrincipal user = actionContext.ControllerContext.RequestContext.Principal;
    if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
    {
      return false;
    }
    if (_usersSplit.Length > 0 && !_usersSplit.Contains(user.Identity.Name, StringComparer.OrdinalIgnoreCase))
    {
      return false;
    }
    if (_rolesSplit.Length > 0 && !_rolesSplit.Any(user.IsInRole))
    {
      return false;
    }
    return true;
}

    因此,您怀疑此行为是AND,而不是OR。如果您想要有不同的行为,我建议您创建一个自定义Authorization属性并在其上放置您自己的逻辑。只需继承 AuthorizeAttribute ,并使用自定义逻辑覆盖 IsAuthorized 方法。

相关问题
最新问题