I am using the Authorize attribute on an action.
[Authorize(Users = "admin")]
[HttpGet]
public JsonResult GetServices()
{
    return Json(ServicesRepository.SelectServices(), JsonRequestBehavior.AllowGet);
}
After a successful login I am setting:
Session["Users"] = usersModels;
Session["UHTUserName"] = usersModels.UserName;
FormsAuthentication.SetAuthCookie(usersModels.UserName, LoginVM.RememberMe);
AuthorizeAttribute aattr = new AuthorizeAttribute();
aattr.Users = usersModels.UserName;
But it still fails to authorize.
Answer 0 (score: 1)
Based on the code snippet above, you are using MVC's Forms authentication.
When Forms authentication is used, whenever an authentication demand arises the ASP.NET framework checks the current IPrincipal object. The user ID and roles contained in this IPrincipal object determine whether the user is allowed access.
So far you have not written any code that pushes the user's role details into this principal object. To do that you need to override the method named FormsAuthentication_OnAuthenticate in global.asax. This method is called every time the ASP.NET framework tries to check authentication and authorization for the current principal.
What you now need to do is override this method, check the authentication ticket (since the user has already been validated and a ticket created), and then supply this user/role information in the IPrincipal object. For simplicity you can just create a GenericPrincipal object and set the user-specific details in it, as shown below:
protected void FormsAuthentication_OnAuthenticate(Object sender, FormsAuthenticationEventArgs e)
{
    if (FormsAuthentication.CookiesSupported == true)
    {
        if (Request.Cookies[FormsAuthentication.FormsCookieName] != null)
        {
            try
            {
                // Decrypt the forms ticket and take out the username
                string username = FormsAuthentication.Decrypt(Request.Cookies[FormsAuthentication.FormsCookieName].Value).Name;
                string roles = string.Empty;
                using (userDbEntities entities = new userDbEntities())
                {
                    User user = entities.Users.SingleOrDefault(u => u.username == username);
                    if (user != null && user.Roles != null)
                    {
                        roles = user.Roles;
                    }
                }
                // Set the principal with our user-specific details;
                // the Roles column is expected to hold a ';'-separated list
                e.User = new System.Security.Principal.GenericPrincipal(
                    new System.Security.Principal.GenericIdentity(username, "Forms"),
                    roles.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries));
            }
            catch (Exception)
            {
                // Something went wrong (e.g. the ticket could not be decrypted);
                // the request stays unauthenticated
            }
        }
    }
}
Note: in MVC 4 and later this event does not fire. To make custom Forms authentication work in MVC 4 and later, we need to put this code in the Application_PostAuthenticateRequest event in the Global.asax file.
protected void Application_PostAuthenticateRequest(Object sender, EventArgs e)
{
    if (FormsAuthentication.CookiesSupported == true)
    {
        if (Request.Cookies[FormsAuthentication.FormsCookieName] != null)
        {
            try
            {
                // Decrypt the forms ticket and take out the username
                string username = FormsAuthentication.Decrypt(Request.Cookies[FormsAuthentication.FormsCookieName].Value).Name;
                string roles = string.Empty;
                using (userDbEntities entities = new userDbEntities())
                {
                    User user = entities.Users.SingleOrDefault(u => u.username == username);
                    if (user != null && user.Roles != null)
                    {
                        roles = user.Roles;
                    }
                }
                // Set the principal with our user-specific details;
                // the Roles column is expected to hold a ';'-separated list
                HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(
                    new System.Security.Principal.GenericIdentity(username, "Forms"),
                    roles.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries));
            }
            catch (Exception)
            {
                // Something went wrong (e.g. the ticket could not be decrypted);
                // the request stays unauthenticated
            }
        }
    }
}
Reference: https://www.codeproject.com/Articles/578374/AplusBeginner-splusTutorialplusonplusCustomplusF
Answer 1 (score: 0)
Have you configured the Forms Authentication settings in web.config?
<system.web>
    <authentication mode="Forms"></authentication>
</system.web>
When logging in, set the cookie as follows:
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, // version
    UserName,     // user name
    DateTime.Now, // create time
    expiration,   // expire time
    RememberMe,   // persistent
    strUserData); // user data / role
HttpCookie objHttpCookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
objHttpCookie.Path = FormsAuthentication.FormsCookiePath;
Response.Cookies.Add(objHttpCookie);
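Putting the two answers together, here is an added example (not the poster's or either answerer's code) of an Application_PostAuthenticateRequest handler that takes the roles from the ticket's UserData written at login, rejects missing, expired or undecryptable tickets instead of silently swallowing errors, and keeps Thread.CurrentPrincipal in sync with HttpContext.User. It assumes the Global.asax.cs class is named MvcApplication and that UserData holds a semicolon-separated role list such as "Admin;Editor".

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Security;

// Global.asax.cs (class name MvcApplication is an assumption)
public partial class MvcApplication : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            return; // anonymous request: keep the default unauthenticated principal
        }

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            // Tampered, truncated or foreign-key-encrypted cookie: drop it and
            // treat the request as anonymous rather than ignoring the failure.
            FormsAuthentication.SignOut();
            return;
        }

        if (ticket == null || ticket.Expired)
        {
            FormsAuthentication.SignOut(); // stale ticket: force a fresh login
            return;
        }

        // Roles were stored in UserData at login (constructed format: "Admin;Editor")
        string[] roles = (ticket.UserData ?? string.Empty)
            .Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries);

        var identity = new GenericIdentity(ticket.Name, "Forms");
        var principal = new GenericPrincipal(identity, roles);

        // [Authorize(Users = "...")] compares against User.Identity.Name and
        // [Authorize(Roles = "...")] calls IsInRole on this principal.
        HttpContext.Current.User = principal;
        Thread.CurrentPrincipal = principal;
    }
}
```

Creating a local AuthorizeAttribute after login, as in the question, has no effect; only the principal installed here is consulted by the attribute on the action.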