如何为ASP.NET MVC 2创build自定义成员资格提供程序?

如何基于ASP.NET成员资格提供程序为ASP.NET MVC 2创build自定义成员资格?

我创build了一个包含自定义成员资格提供程序的新项目,并从MembershipProvider抽象类中覆盖了ValidateUser方法:

 public class MyMembershipProvider : MembershipProvider { public override bool ValidateUser(string username, string password) { // this is where you should validate your user credentials against your database. // I've made an extra class so i can send more parameters // (in this case it's the CurrentTerritoryID parameter which I used as // one of the MyMembershipProvider class properties). var oUserProvider = new MyUserProvider(); return oUserProvider.ValidateUser(username,password,CurrentTerritoryID); } } 

然后我通过添加一个引用并将其从我的web.config中指出来,将该提供程序连接到我的ASP.NET MVC 2项目:

 <membership defaultProvider="MyMembershipProvider"> <providers> <clear /> <add name="MyMembershipProvider" applicationName="MyApp" Description="My Membership Provider" passwordFormat="Clear" connectionStringName="MyMembershipConnection" type="MyApp.MyMembershipProvider" /> </providers> </membership> 

我需要创build一个inheritanceRoleProvider抽象类的自定义类,并重写GetRolesForUser方法。 ASP.NET MVC授权使用该方法找出哪些angular色分配给当前login用户,并确保允许用户访问控制器操作。

以下是我们需要采取的步骤:

1)创build一个inheritanceRoleProvider抽象类并覆盖GetRolesForUser方法的自定义类:

 public override string[] GetRolesForUser(string username) { SpHelper db = new SpHelper(); DataTable roleNames = null; try { // get roles for this user from DB... roleNames = db.ExecuteDataset(ConnectionManager.ConStr, "sp_GetUserRoles", new MySqlParameter("_userName", username)).Tables[0]; } catch (Exception ex) { throw ex; } string[] roles = new string[roleNames.Rows.Count]; int counter = 0; foreach (DataRow row in roleNames.Rows) { roles[counter] = row["Role_Name"].ToString(); counter++; } return roles; } 

2)通过我们的web.config连接angular色提供者和ASP.NET MVC 2应用程序:

 <system.web> ... <roleManager enabled="true" defaultProvider="MyRoleProvider"> <providers> <clear /> <add name="MyRoleProvider" applicationName="MyApp" type="MyApp.MyRoleProvider" connectionStringName="MyMembershipConnection" /> </providers> </roleManager> ... </system.web> 

3)将授权(angular色=“xxx,yyy”)设置在所需的控制器/操作之上:

 [Authorization(Roles = "Customer Manager,Content Editor")] public class MyController : Controller { ...... } 

而已! 现在它工作!

4)可选:设置一个自定义的Authorize属性,以便我们可以将一个不需要的angular色redirect到一个AccessDenied页面:

 [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)] public class MyAuthorizationAttribute : AuthorizeAttribute { /// <summary> /// The name of the master page or view to use when rendering the view on authorization failure. Default /// is null, indicating to use the master page of the specified view. /// </summary> public virtual string MasterName { get; set; } /// <summary> /// The name of the view to render on authorization failure. Default is "Error". /// </summary> public virtual string ViewName { get; set; } public MyAuthorizationAttribute () : base() { this.ViewName = "Error"; } protected void CacheValidateHandler(HttpContext context, object data, ref HttpValidationStatus validationStatus) { validationStatus = OnCacheAuthorization(new HttpContextWrapper(context)); } public override void OnAuthorization(AuthorizationContext filterContext) { if (filterContext == null) { throw new ArgumentNullException("filterContext"); } if (AuthorizeCore(filterContext.HttpContext)) { SetCachePolicy(filterContext); } else if (!filterContext.HttpContext.User.Identity.IsAuthenticated) { // auth failed, redirect to login page filterContext.Result = new HttpUnauthorizedResult(); } else if (filterContext.HttpContext.User.IsInRole("SuperUser")) { // is authenticated and is in the SuperUser role SetCachePolicy(filterContext); } else { ViewDataDictionary viewData = new ViewDataDictionary(); viewData.Add("Message", "You do not have sufficient privileges for this operation."); filterContext.Result = new ViewResult { MasterName = this.MasterName, ViewName = this.ViewName, ViewData = viewData }; } } protected void SetCachePolicy(AuthorizationContext filterContext) { // ** IMPORTANT ** // Since we're performing authorization at the action level, the authorization code runs // after the output caching module. In the worst case this could allow an authorized user // to cause the page to be cached, then an unauthorized user would later be served the // cached page. We work around this by telling proxies not to cache the sensitive page, // then we hook our custom authorization code into the caching mechanism so that we have // the final say on whether a page should be served from the cache. HttpCachePolicyBase cachePolicy = filterContext.HttpContext.Response.Cache; cachePolicy.SetProxyMaxAge(new TimeSpan(0)); cachePolicy.AddValidationCallback(CacheValidateHandler, null /* data */); } } 

现在我们可以使用自己的属性redirect我们的用户访问被拒绝的视图:

 [MyAuthorization(Roles = "Portal Manager,Content Editor", ViewName = "AccessDenied")] public class DropboxController : Controller { ....... } 

而已! 超级骗子!

以下是我用来获取所有这些信息的一些链接:

自定义angular色提供者: http : //davidhayden.com/blog/dave/archive/2007/10/17/CreateCustomRoleProviderASPNETRolePermissionsSecurity.aspx

我希望这个信息帮助!

它也可以使用这个less得多的代码量,我不完全确定,如果这个方法是安全的,但对你使用的任何数据库工作得很好。

在global.asax中

 protected void Application_AuthenticateRequest(object sender, EventArgs e) { if (HttpContext.Current.User != null) { if (HttpContext.Current.User.Identity.IsAuthenticated) { if (HttpContext.Current.User.Identity is FormsIdentity) { FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity; FormsAuthenticationTicket ticket = id.Ticket; // Get the stored user-data, in this case, our roles string userData = ticket.UserData; string[] roles = userData.Split(','); HttpContext.Current.User = new GenericPrincipal(id, roles); } } } } 

这个function是从FormsAuthenticationTicket创build的authCookie中读取angular色

login逻辑看起来像这样

 public class dbService { private databaseDataContext db = new databaseDataContext(); public IQueryable<vwPostsInfo> AllPostsAndDetails() { return db.vwPostsInfos; } public IQueryable<role> GetUserRoles(int userID) { return (from r in db.roles join ur in db.UsersRoles on r.rolesID equals ur.rolesID where ur.userID == userID select r); } public IEnumerable<user> GetUserId(string userName) { return db.users.Where(u => u.username.ToLower() == userName.ToLower()); } public bool logOn(string username, string password) { try { var userID = GetUserId(username); var rolesIQueryable = GetUserRoles(Convert.ToInt32(userID.Select(x => x.userID).Single())); string roles = ""; foreach (var role in rolesIQueryable) { roles += role.rolesName + ","; } roles.Substring(0, roles.Length - 2); FormsAuthenticationTicket ticket = new FormsAuthenticationTicket( 1, // Ticket version username, // Username associated with ticket DateTime.Now, // Date/time issued DateTime.Now.AddMinutes(30), // Date/time to expire true, // "true" for a persistent user cookie roles, // User-data, in this case the roles FormsAuthentication.FormsCookiePath);// Path cookie valid for // Encrypt the cookie using the machine key for secure transport string hash = FormsAuthentication.Encrypt(ticket); HttpCookie cookie = new HttpCookie( FormsAuthentication.FormsCookieName, // Name of auth cookie hash); // Hashed ticket // Set the cookie's expiration time to the tickets expiration time if (ticket.IsPersistent) cookie.Expires = ticket.Expiration; // Add the cookie to the list for outgoing response HttpContext.Current.Response.Cookies.Add(cookie); return true; } catch { return (false); } } } 

我用两个表在我的数据库中存储angular色:table:具有列:roleID和roleName的angular色和表:UsersRoles具有列:userID和roleID,这使得多个用户可以有多个angular色,这很容易使自己的逻辑添加/删除用户等angular色。 这使您可以使用[授权(angular色=“超级pipe理员”)]例如。 希望这可以帮助。

编辑:忘了做密码检查,但你只是添加一个如果在logOn方法,检查是否提供的用户名和密码检查,如果不是,它返回false

我使用NauckIt.PostgreSQL提供程序的源代码作为基础,并对其进行了修改以适应我的需要。