一些基本概念:
验证(Authentication)指的是确定用户身份的过程,而授权(Authorization)指的是经过上面的过程之后给予用户访问特定资源的权限;说明白一点,验证就是知道"你是谁",而授权则是"让你可以做什么"
.NET为实现这两个过程提供了Principal和Identity对象。其中,基于角色的安全性基础建立在Principal对象之上,该对象封装了当前用户的信息,既包含用户身份,也包含他所扮演的角色;用户身份用Identity对象来指明,Identity对象中不仅包含指定的用户身份信息(用户名称或账号),还包括了"如何验证这一身份"的方法
Identity对象是实现了IIdentity接口的类的实例。IIdentity接口包括三个只读属性:
string AuthenticationType(get;} 获取所使用的身份验证的类型
bool IsAuthenticated{get;} 登录用户是否经过验证
string Name {get;} 获取当前用户的名称
GenericIdentity类
GenericIdentity类其实相当简单,它并不与任何特定的验证协议相关联。因此,它往往被用在采用了自定义登陆机制的场合。比如一个程序可以自己提示用户输入用户名和密码,然后到自定义的用户数据库中去查询。假如用户名和密码有效,那么程序就会创建一个基于数据库中的匹配记录的principal和(对应的)identity对象。
GenericIdentity类除了三个IIdentity接口定义的属性之外没有更多的东西了。不过,GenericIdentity类提供了两个构造函数。一个构造函数接受一个字符串参数,该参数指定的是用户名;另一个构造函数接受两个参数:第一个是用户名字符串,第二个是给定的验证类型字符串。
public GenericIdentity(string name);
public GenericIdentity(string name, string type);
Principal对象是实现了IPrincipal接口的类的实例,这些对象用来表示用户,并且包括了用户的身份信息。System.Security.Principal命名空间包括了几种类型的Principal类,这些类中封装了程序代码运行的的安全环境(security context)
对于每一个线程来说都与一个principal对象相关联。这个principal对象包括了表示运行当前线程的用户的identity对象。我们可以利用Thread类的静态属性CurrentPrincipal来获得这个principal对象。
下面我们来看看IPrincipal接口,该接口只有一个Identity公共属性和IsInRole公共方法:
1、Identity属性指向一个与principal 对象关联的IIdentity对象。
2、IsInRole方法需要一个字符串参数,该字符串是一个角色的名称,并且返回布尔值,指出principal对象是否属于指定的角色。
GenericPrincipal类
GenericPrincipal类用来表示一个通过自定义验证的用户,通常与GenericIdentity类一起使用。下面是一段简单的程序,说明了这两个类如何使用:
//创建一个GenericIdentity对象
IIdentity myGenericIdentity = new GenericIdentity(strUserName, "MyAuthenticationType");
//创建一个GenericPrincipal对象
String[] roles = null;
GenericPrincipal myGenericPrincipal = new GenericPrincipal(myGenericIdentity, roles);
//将创建的GenericPrincipal对象附加到当前线程上
Thread.CurrentPrincipal = myGenericPrincipal;
注重在上面的例子中,我们可以把MyAuthenticationType的验证类型换成熟知的Kerberos身份验证或者NTLM身份验证。
//下面是验证的过程:
//取得当前线程的principal对象
IPrincipal principal = Thread.CurrentPrincipal;
if (!principal.Identity.Name.Equals("TrustedUser"))
{
throw new SecurityException(
strUserName + " NOT PERMITTED to proceed.\n");
}
Console.WriteLine(
strUserName + " is PERMITTED to proceed.\n");
step 1: 自定义一个MyLoginCommand类并继承于FluorineFx.Security.GenericLoginCommand(此类实现了ILoginCommand接口)基类,并重写DoAuthentication方法
using System; using System.Collections.Generic; using System.Text; using System.Collections; using System.Security.Principal; using FluorineFx.Security; namespace ServiceLibrary8 {public class
MyLoginCommand : GenericLoginCommand {public
override IPrincipal DoAuthentication(string username, Hashtable credentials) { string password = credentials["password"
].ToString(); if (username =="admin"
&& password =="admin"
) { GenericIdentity identity =new
GenericIdentity(username); GenericPrincipal principal =new
GenericPrincipal(identity,new
string[] {"admin"
,"privilegeduser"
});return
principal; } else {//To get this error message as "faultString" thow a SecurityException with the message
//However the first CommandMessage will mess up the result (faultString>faultDetail), and only for subsequent RemotingMessages will work.
//throw new SecurityException("Not a valid username or password");
return
null; } } } }
step 2: 定义一个远程服务接口MyLoginService
using System; using System.Collections.Generic; using System.Text; using FluorineFx; namespace ServiceLibrary8 {/// <summary>
/// MyLoginService is used to force setCredentials sending out credentials
/// For Flash this is also used to log out.
/// MyLoginService被用来强制使得(Flex的)setCredentials发送验证信息
/// 对于flash它也可以用来实现注销登录
/// </summary>
[RemotingService]public class
MyLoginService {public
MyLoginService() { }public
bool Login() {return true
; }public
bool Logout() {//FormsAuthentication.SignOut(); new
MyLoginCommand().Logout(null);return true
; } } }
step 3: 定义实际业务操作类SecureService(经过验证后才能访问到的类)
using System; using FluorineFx; namespace ServiceLibrary8 {/// <summary>
/// Summary description for SecureService
/// </summary>
[RemotingService()]public class
SecureService {public
SecureService() { }public
string GetSecureData() {return "Secure data sent from server."
; } } }
step 4: 配置services-config.xml,确保有以下节点内容:
<security-constraint id="privileged-users"
> <auth-method>Custom</auth-method> <roles> <role>admin</role> <role>privilegeduser</role> </roles> </security-constraint> <login-commandclass
="ServiceLibrary8.MyLoginCommand"
server="asp.net"
/>
step 5: 配置remoting-config.xml,确保有以下节点内容:
<destination id="fluorine"
> <properties> <source>*</source> </properties> <security> <security-constraint ref="privileged-users"
/> </security> </destination> <destination id="login"
> <properties> <source>ServiceLibrary8.MyLoginService</source> </properties> </destination>
step 6: 新建Flex项目,并编写如下代码:
<?xml version="1.0"
encoding="utf-8"
?> <mx:Application xmlns:mx="http://www.adobe.com/2006/mxml"
layout="absolute"
> <mx:Script> <![CDATA[import
mx.rpc.events.ResultEvent;import
mx.utils.ObjectUtil;import
mx.controls.Alert;import
mx.rpc.events.FaultEvent;/* Call the login service*/ private function
logIn():void
{//use remote object method setCredentials to //enable Flex to send the values required
loginRO.logout(); loginRO.setCredentials(username.text, password.text); loginRO.Login(); }/*Call logout*/ private function
logOut():void
{ loginRO.logout(); appViews.selectedChild = loginView; }private function
getSecureData():void
{ fluorineRO.GetSecureData(); }/* Display error messages returned */ private function
serverFault(event:FaultEvent):void
{ Alert.show( ObjectUtil.toString(event.fault.faultString),"Error"
, mx.controls.Alert.OK ); }private function
loginResult(event:ResultEvent):void
{var
result:Boolean = event.resultas
Boolean; appViews.selectedChild = secureView; }private function
loginFault(event:FaultEvent):void
{//Alert.show("Authentication failed", "Errors", mx.controls.Alert.OK);
Alert.show( ObjectUtil.toString(event.fault),"Authentication failed"
); }private function
getSecureDataResult(event:ResultEvent):void
{var
result:String = event.resultas
String; Alert.show(result,"Secure data"
, mx.controls.Alert.OK); } ]]> </mx:Script> <mx:ViewStack id="appViews"
width="100%"
height="100%"
> <!--login view--> <mx:HBox horizontalAlign="center"
verticalAlign="middle"
id="loginView"
width="100%"
height="100%"
> <mx:Panel title="Login"
id="loginPanel"
horizontalScrollPolicy="off"
verticalScrollPolicy="off"
> <mx:Form id="loginForm"
> <mx:FormItem label="Username:"
> <mx:TextInput id="username"
/> </mx:FormItem> <mx:FormItem label="Password:"
> <mx:TextInput id="password"
displayAsPassword="true"
/> </mx:FormItem> </mx:Form> <mx:ControlBar> <mx:Spacer width="100%"
id="spacer1"
/> <mx:Button label="Login"
id="loginButton"
enabled="{(username.text.length == 0 || password.text.length == 0) ? false : true}"
toolTip="{loginButton.enabled == true ? 'Click to submit' : 'Enter username and password'}"
click="logIn()"
/> </mx:ControlBar> </mx:Panel> </mx:HBox> <!--end loginView--> <!--secure area view, made visible after a successful login--> <mx:HBox id="secureView"
width="100%"
height="100%"
> <mx:ApplicationControlBar dock="true"
paddingTop="0"
paddingBottom="0"
width="100%"
> <mx:Label text="Action:"
/> <mx:Spacer width="5"
/> <mx:Button label="Get"
click="getSecureData()"
/> <mx:Spacer width="5"
/> <mx:Button label="Logout"
click="logOut()"
/> </mx:ApplicationControlBar> </mx:HBox> <!--end secure area view--> </mx:ViewStack> <mx:RemoteObject id="loginRO"
destination="login"
> <mx:method name="Login"
result="loginResult(event)"
fault="loginFault(event)"
/> </mx:RemoteObject> <mx:RemoteObject id="fluorineRO"
destination="fluorine"
source="ServiceLibrary8.SecureService"
> <mx:method name="GetSecureData"
result="getSecureDataResult(event)"
fault="serverFault(event)"
/> </mx:RemoteObject> </mx:Application>
运行项目,只有用"admin"账户成功登陆,才能访问到来自SecureService的数据