ASP.NET MVC 5 seems to have left behind using the AuthorizeAttribute class where you could create a custom authorize attribute by implementing the AuthorizeAttribute class, overriding its methods and hiding the SiteRole property in case you wanted to bake in your own roles. All the examples I have seen either suggest using OWIN or the identity framework. Are these the only two ways to do authentication and authorization in the new ASP.NET framework? Will I miss out on anything if I do it the old-fashioned way? I don't want to have the framework create all the user and role tables for me. What if I want to add an existing user and role table to a new application?
I also really don't see a need for social integration in every application as yet and don't think I will need it immediately as well. Is there any article that explains starting off with a bare minimum by using a custom authorize attribute and then goes on to add the new authentication features? I want something that basically explains all the clutter in a newly created project with No Authentication or Individual User Authentication selected.
2 solutions
#1
23
You can still customize the AuthorizeAttribute in MVC 5 using ASP.NET Identity. There is an example of doing this in the SimpleSecurity Project. Here is a customized AuthorizedAttribute you can use for controllers and here is a customized AuthorizeAttribute you can use for Web APIs. The concept behind these custom AuthorizeAttributes is to decouple your security model from your application model, which is discussed here. The one for the Web APIs also supports basic authentication.
The security pipeline has changed with the introduction of OWIN and I did run into some issues with the behavior of AuthorizeAttribute for Web API's, which is discussed here.
You will also find examples in the SimpleSecurity project on porting of the old membership provider called SimpleMembership to MVC 5. Some of the issues with the upgrade process are discussed here. I did get it to work though so you could go with the old membership provider implementation. But my recommendation would be to go with the ASP.NET Identity as this is the way going forward that Microsoft will be supporting, it is a more flexible architecture, and it eliminates many of the issues found in the old membership provider implementations.
#2
1
Ben Foster has a two-part series that takes you through steps on implementing cookie-based authentication with ASP.NET Identity from the ground up, starting off with a new Web app with no authentication selected. Follow along "ASP.NET Identity Stripped Bare" Part 1 and Part 2.
Use the following Authorize attribute to handle unauthorized access when the user is already authenticated.
    using System;
    using System.Web.Mvc;

    public class LoggedOrAuthorizedAttribute : AuthorizeAttribute
    {
        public LoggedOrAuthorizedAttribute()
        {
            View = "error";
            Master = String.Empty;
        }

        // View (and optional master page) rendered for a signed-in user who is not authorized.
        public String View { get; set; }
        public String Master { get; set; }

        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            // Let the base attribute run the standard users/roles check first.
            base.OnAuthorization(filterContext);
            CheckIfUserIsAuthenticated(filterContext);
        }

        private void CheckIfUserIsAuthenticated(AuthorizationContext filterContext)
        {
            // If Result is null, we're OK: the user is authenticated and authorized.
            if (filterContext.Result == null)
                return;

            // If here, you're getting an HTTP 401 status code. In particular,
            // filterContext.Result is of HttpUnauthorizedResult type. Check Ajax here.
            if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            {
                if (String.IsNullOrEmpty(View))
                    return;

                // Replace the 401 result with the configured view.
                var result = new ViewResult { ViewName = View, MasterName = Master };
                filterContext.Result = result;
            }
        }
    }
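For the question's case of an existing user and role table, the following added example (not code from either answer or from the SimpleSecurity project) shows a custom AuthorizeAttribute that checks roles from the application's own store and returns 403 instead of a login redirect to a signed-in user who lacks the role. The names `ExistingRolesAuthorizeAttribute` and `RoleLookup` are hypothetical; the lookup is assumed to be wired to the existing tables at application startup.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Hypothetical attribute: authorizes against roles held in the application's
// own tables instead of tables generated by ASP.NET Identity.
public class ExistingRolesAuthorizeAttribute : AuthorizeAttribute
{
    // Assumption: set once at startup (e.g. Application_Start) to a function
    // that reads the user's role names from the existing user/role tables.
    public static Func<string, IEnumerable<string>> RoleLookup =
        userName => Enumerable.Empty<string>();   // deny by default

    // Replaces the base check entirely, so the Users property is not consulted.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null)
            throw new ArgumentNullException("httpContext");

        var user = httpContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
            return false;

        // Roles is the comma-separated list from [ExistingRolesAuthorize(Roles = "...")].
        var required = (Roles ?? String.Empty)
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(r => r.Trim())
            .Where(r => r.Length > 0)
            .ToArray();
        if (required.Length == 0)
            return true;   // no role restriction: any authenticated user

        var held = new HashSet<string>(
            RoleLookup(user.Identity.Name) ?? Enumerable.Empty<string>(),
            StringComparer.OrdinalIgnoreCase);
        return required.Any(held.Contains);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            // Signed in but lacking the role: 403, not a 401/login redirect.
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

Returning a 403 status keeps the denial visible to clients, proxies and request logs, whereas swapping in a ViewResult serves the error page with a 200 response.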