Let me explain: the application is already using Windows integrated security, not Forms. What I am trying to accomplish is a so-called "step-up" authentication, or "force re-authentication" for the following scenario:
- the user is browsing the site doing common, trivial stuff
- suddenly, the user has to do a sensitive action such as authorizing a resource allocation or confirming a car loan or something similar
- the user is prompted for the credential before (s)he's redirected to the sensitive page, in a manner similar to SharePoint's "Sign In as a Different User"
- if, and only if, the credentials entered are the same as for the currently logged-in user, the application proceeds to the sensitive area.
This would prevent the following 2 issues:
- The user goes for a meeting or a coffee and forgets to lock the workstation and a colleague uses the session to access the sensitive area
- The user enters the credentials of his or her boss (because, let's say, he peeked over the boss' shoulder) to access the sensitive area.
I know, some would look at this as "being paranoid", but also some would say it's common sense and should be built into a framework somewhere (jQuery or .NET).
I would really appreciate any input. Thank you!
2 solutions
#1
4
Have the form send the credentials along with the request to perform the action, i.e., some actions require that you provide username/password. Use the PrincipalContext ValidateCredentials method to ensure that the proper credentials have been entered and check that the username supplied matches the current username in the User.Identity
object.
```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Web.Mvc;

public class SomeController : Controller // hypothetical controller name; the answer only showed the action
{
    public ActionResult SensitiveAction(SensitiveModel model, string username, string password)
    {
        using (var context = new PrincipalContext(ContextType.Domain))
        {
            // Reject unless the submitted name is the signed-in user's AND the password validates.
            // Note: with Windows authentication User.Identity.Name is typically "DOMAIN\user",
            // so the form value must be in the same form for this comparison to succeed.
            if (!string.Equals(this.User.Identity.Name, username, StringComparison.OrdinalIgnoreCase)
                || !context.ValidateCredentials(username, password))
            {
                return View("PermissionDenied");
            }
        }
        // ... proceed with the sensitive action
    }
}
```
#2
2
> The user goes for a meeting or a coffee and forgets to lock the workstation and a colleague uses the session to access the sensitive area

That works only the first time, but now the boss enters a sensitive area, re-enters her credentials, then goes for coffee. Are you going to prompt for every sensitive request? Users won't put up with that.
> The user enters the credentials of his or her boss (because, let's say he peeked over the boss' shoulder) to access the sensitive area.

If someone knows and enters the credentials of their boss, there is nothing you can do to detect that.
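As an added example (not code from either answer), here is a time-boxed variant of answer #1's check that also addresses answer #2's objection about prompting on every request: a sensitive action only demands re-authentication when the last successful one is older than a short window. It assumes classic ASP.NET MVC with session state enabled, an `Account` controller with a `Reauthenticate` view, and a form field carrying the account name without the `DOMAIN\` prefix; the filter, action and session-key names are hypothetical.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical filter: the decorated action needs a fresh re-authentication (default 5 min).
public class RequireRecentAuthenticationAttribute : ActionFilterAttribute
{
    public const string SessionKey = "LastReauthUtc"; // assumed session key
    public int MaxAgeMinutes { get; set; } = 5;

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var last = filterContext.HttpContext.Session[SessionKey] as DateTime?;
        if (last.HasValue && DateTime.UtcNow - last.Value <= TimeSpan.FromMinutes(MaxAgeMinutes))
            return; // re-authenticated recently enough; let the action run
        // Otherwise divert to the re-auth form and remember where to come back to.
        filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary
        {
            { "controller", "Account" }, { "action", "Reauthenticate" },
            { "returnUrl", filterContext.HttpContext.Request.RawUrl }
        });
    }
}

public class AccountController : Controller
{
    [HttpGet]
    public ActionResult Reauthenticate(string returnUrl) { return View(); }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Reauthenticate(string username, string password, string returnUrl)
    {
        // Windows auth reports "DOMAIN\user"; compare only the account part with the form value.
        string name = User.Identity.Name;
        string account = name.Substring(name.IndexOf('\\') + 1); // IndexOf == -1 yields the whole name
        bool ok;
        using (var ctx = new PrincipalContext(ContextType.Domain))
        {
            // Name check first, so arbitrary credentials are never tested against the domain.
            ok = string.Equals(account, username, StringComparison.OrdinalIgnoreCase)
                 && ctx.ValidateCredentials(username, password);
        }
        if (!ok)
        {
            ModelState.AddModelError("", "The credentials must belong to the signed-in user.");
            return View(); // never echo the password back into the form
        }
        Session[RequireRecentAuthenticationAttribute.SessionKey] = DateTime.UtcNow;
        return Url.IsLocalUrl(returnUrl) ? (ActionResult)Redirect(returnUrl) : RedirectToAction("Index", "Home");
    }
}
```

Decorate the sensitive action with `[Authorize, RequireRecentAuthentication(MaxAgeMinutes = 2)]`; the window length is the trade-off answer #2 describes between an unlocked workstation and prompt fatigue.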