我有一个带有OWIN身份验证的asp.net MVC 5站点。我想有两个不同的登录页面,一个用于普通用户,一个用于管理员用户。当设置UseCookieAuthentication时,登录重定向路径当前在Start.cs中设置。我很确定我可以解析returnUrl并在路径中查找/ admin /,但这看起来真的很容易出错并且容易出错(如果没有returnUrl会怎样?)。有没有更好的办法?我在网上看到有关使用身份验证过滤器的内容,但不确定在使用OWIN时是否可行。
答案 0 :(得分:1)
您可以在路由规则中添加约束。此约束将检查用户是否为Admin类型并允许(或拒绝)路由。
您需要设置IRouteConstraint
课程。例如:
public class IsAdmin : IRouteConstraint
{
public IsAdmin()
{
}
public bool Match(HttpContextBase httpContext, Route route, string parameterName, RouteValueDictionary values, RouteDirection routeDirection)
{
bool isAdmin = false;
// TO DO, detect if current user is Admin and return the value
// ...
return isAdmin;
}
}
然后在您的路由规则中,将其添加为约束
routes.MapRoute(
name: "Default",
url: "{controller}/{action}/{id}",
defaults: new { controller = "home", action = "index", id = UrlParameter.Optional },
constraints: new { controller = new Common.Constraints.IsAdmin() }
);
这是一种相当简单的方法。我曾经习惯阻止非管理员用户访问我网站/admin
部分的任何内容,它就像一个魅力。
答案 1 :(得分:0)
@AntP是对的,我有同样的问题,我解决了使用身份验证过滤器。 (我也在使用OWIN身份验证)。 在我的情况下,我希望根据区域将用户重定向到不同的登录页面。
public class AreaAuthorizationAttribute : FilterAttribute, IAuthenticationFilter
{
string clientRole = "Client"; // can be taken from resource file or config file
string adminRole = "Admin"; // can be taken from resource file or config file
string currentArea = "";
public void OnAuthentication(AuthenticationContext context)
{
var area = context.RouteData.DataTokens["area"];
if (context.HttpContext.User.Identity.IsAuthenticated)
{
if (context.HttpContext.User.IsInRole(clientRole) && !(area.ToString().Equals("Client")))
{
context.Result = new HttpUnauthorizedResult();
currentArea = "Client";
}
if (context.HttpContext.User.IsInRole(adminRole) && !(area.ToString().Equals("Admin")))
{
context.Result = new HttpUnauthorizedResult();
currentArea = "Admin";
}
}
else
{
if (area.ToString().Equals("Client"))
{
context.Result = new HttpUnauthorizedResult();
currentArea = "Client";
} else if (area.ToString().Equals("Admin"))
{
context.Result = new HttpUnauthorizedResult();
currentArea = "Admin";
}
}
}
public void OnAuthenticationChallenge(AuthenticationChallengeContext context)
{
if (context.Result == null)
{
Debug.WriteLine("Context null");
context.Result = new RedirectToRouteResult(new System.Web.Routing.RouteValueDictionary(
new { area = "Client", controller = "Client", action = "Login", returnUrl = context.HttpContext.Request.RawUrl }));
}
if (context.Result is HttpUnauthorizedResult)
{
if ((currentArea.Equals("Client")))
{
context.Result = new RedirectToRouteResult(new System.Web.Routing.RouteValueDictionary(
new { area = "Client", controller = "Client", action = "Login", returnUrl = context.HttpContext.Request.RawUrl }));
}
else if(currentArea.Equals("Admin"))
{
context.Result = new RedirectToRouteResult(new System.Web.Routing.RouteValueDictionary(
new { area = "Admin", controller = "Admin", action = "Login", returnUrl = context.HttpContext.Request.RawUrl }));
}
}
}
}
然后我使用了我的自定义属性:
[AreaAuthorization]
public class AdminController : Controller //controller in Admin area
{
.... //actions
}
[AreaAuthorization]
public class ClientController : Controller //controller in Client area
{
.... //actions
}
这是我的来源(针对自定义授权属性):http://www.dotnetfunda.com/articles/show/2935/creating-custom-authentication-filter-in-aspnet-mvc