如何在 asp.net MVC 3 中实现基于角色的自定义用户身份验证。考虑我有两个表 UserInfo(UserId, UserName, Password,RoleId) 和 Role(RoleId, RoleName)。
我想从数据库(UserInfo 表)中验证用户,并且还想从该表中检索角色。并想使用like
[Authorize(Roles="Admin")]
需要你的帮助和想法......
【问题讨论】:
标签: asp.net-mvc-3 roles authentication
您可以使用自定义授权属性并将角色存储在身份验证 cookie 的用户数据部分。因此,例如在您的 LogOn 方法中,一旦您验证了凭据,您就可以从数据库中检索给定用户的角色并将它们存储到用户数据中:
// TODO: fetch roles from your database based on the username
var roles = "Admin|SomeRole";
var ticket = new FormsAuthenticationTicket(
1,
username,
DateTime.Now,
DateTime.Now.AddMilliseconds(FormsAuthentication.Timeout.TotalMilliseconds),
false,
roles
);
var encryptedTicket = FormsAuthentication.Encrypt(ticket);
var authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)
{
Domain = FormsAuthentication.CookieDomain,
HttpOnly = true,
Secure = FormsAuthentication.RequireSSL,
};
// Emit the authentication cookie which in addition to the username will
// contain the roles in the user data part
Response.AppendCookie(authCookie);
然后您可以编写一个自定义的授权属性,该属性将用于读取身份验证 cookie 并提取角色信息:
public class MyAuthorizeAttribute : AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (httpContext.User.Identity.IsAuthenticated)
{
var authCookie = httpContext.Request.Cookies[FormsAuthentication.FormsCookieName];
if (authCookie != null)
{
var ticket = FormsAuthentication.Decrypt(authCookie.Value);
var identity = new GenericIdentity(httpContext.User.Identity.Name);
var roles = (ticket.UserData ?? string.Empty).Split('|');
httpContext.User = new GenericPrincipal(identity, roles);
}
}
return base.AuthorizeCore(httpContext);
}
}
现在剩下的就是用这个新属性来装饰你的控制器/动作:
[MyAuthorize(Roles = "Admin")]
public ActionResult Foo()
{
...
}
更新:
根据 cmets 部分的要求,您可以在自定义授权属性中覆盖 HandleUnauthorizedRequest 方法,以便如果用户无权访问给定操作,他将被重定向到某个错误视图而不是登录页面:
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
filterContext.Result = new ViewResult
{
ViewName = "~/Views/Shared/Unauthorized.cshtml"
};
}
【讨论】:
authCookie 上设置将来的到期日期,它将存储在客户端计算机上。