Question

当我创建我的formsauthenticationticket时，不会立即触发Application_AuthenticateRequest（在global.asax中）。当我检查user.isrole时它是空的。但是稍后当我尝试另一个动作时，会触发Application_AuthenticateRequest，并设置用户的角色。

登录功能：

      if (loggedIn)
            {
                ViewBag.loginFailed = 1;
                string roles = "Administrator";
                CreateTicket(pharmacist.ID.ToString(), roles);
                LoginRedirect();
            }

方法：

    [Authorize(Roles = "Administrator, User")]
    private void CreateTicket(string id, string role)
    {

        var ticket = new FormsAuthenticationTicket(
                version: 1,
                name: id,
                issueDate: DateTime.Now,
                expiration: DateTime.Now.AddHours(1),
                isPersistent: false,
                userData: role);

        var encryptedTicket = FormsAuthentication.Encrypt(ticket);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
        HttpContext.Response.Cookies.Add(cookie);
    }

   [Authorize(Roles = "Administrator, User")]
    private ActionResult LoginRedirect() {
        if (User.IsInRole("Administrator"))
        {
            return RedirectToAction("Index", "Pharmacist");
        }
        else if (User.IsInRole("User"))
        {
            return RedirectToAction("Index", "Patient");
        }
        else {
            return RedirectToAction("Logout", "Authentication");
        }
    }

Application_AuthenticateRequest

  protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        if (HttpContext.Current.User != null)
        {
            if (HttpContext.Current.User.Identity.IsAuthenticated)
            {
                if (HttpContext.Current.User.Identity is FormsIdentity)
                {
                    FormsIdentity id =
                        (FormsIdentity)HttpContext.Current.User.Identity;
                    FormsAuthenticationTicket ticket = id.Ticket;

                    // Get the stored user-data, in this case, our roles
                    string userData = ticket.UserData;
                    string[] roles = userData.Split(',');
                    HttpContext.Current.User = new GenericPrincipal(id, roles);
                }
            }
        }
    }

Answer 1

仅在您请求新资源时才会调用

Application_AuthenticateRequest 。

在您的情况下，您仍然在创建 FormsAuthenticationTicket 的请求中。因此，尚未将 主要对象 分配给当前线程。

如果您想从当前线程中检索IPrincipal，则需要明确指定它。

var encryptedTicket = FormsAuthentication.Encrypt(ticket);
var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
// You need this two lines.
HttpContext.Current.User = new GenericPrincipal(id, roles); 
Thread.CurrentPrincipal = HttpContext.Current.User;
....

同时确保在 Application_AuthenticateRequest 中包含这两行。

protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
   ...
   HttpContext.Current.User = new GenericPrincipal(id, roles);
   Thread.CurrentPrincipal = HttpContext.Current.User; <-- Do not forget this.
   ...
}

仅供参考 ：私有方法不需要 AuthorizeAttribute 。您只需要在Controller或Action Methods上。

[Authorize(Roles = "Administrator, User")] <-- This is not needed.
private void CreateTicket(string id, string role)
{
   ...
}

Application_AuthenticateRequest触发到最晚

1 个答案: