One approach is to override the OnAuthorize method of AuthorizeAttribute: check whether an Authorization header is present and, if it is found, extract and validate the credentials and then manually create an IPrincipal. Otherwise, call base.OnAuthorization so that the usual .NET membership check takes place.

Source:
    using System;
    using System.Security.Principal;
    using System.Text;
    using System.Threading;
    using System.Web.Mvc;
    using System.Web.Security;

    public class RoleAuthorizeAttribute : AuthorizeAttribute
    {
        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            bool basicValidated = false;
            string userName = null;
            var req = filterContext.HttpContext.Request;
            var auth = req.Headers["Authorization"];

            // Only handle "Basic <base64>". Any other scheme, a malformed value or no header
            // at all falls through to the base class, i.e. the usual forms/membership check.
            if (!string.IsNullOrEmpty(auth) && auth.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            {
                string[] cred = null;
                try
                {
                    // Decoded form is "user:password". Split on the first ':' only,
                    // since the password itself may contain colons.
                    cred = Encoding.ASCII.GetString(Convert.FromBase64String(auth.Substring(6)))
                                   .Split(new[] { ':' }, 2);
                }
                catch (FormatException)
                {
                    // Not valid Base64: treat as "no credentials" rather than failing with a 500.
                }

                if (cred != null && cred.Length == 2)
                {
                    userName = cred[0];
                    var pass = cred[1];
                    var membership = new AccountMembershipService(); // from the MVC template's AccountModels.cs
                    basicValidated = membership.ValidateUser(userName, pass);
                }
            }

            if (!basicValidated)
            {
                // No usable Basic credentials: let the normal membership authorization run.
                base.OnAuthorization(filterContext);
            }
            else
            {
                // Credentials checked out: build a principal with the user's roles for this request.
                var roles = Roles.GetRolesForUser(userName);
                IPrincipal principal = new GenericPrincipal(new GenericIdentity(userName), roles);
                Thread.CurrentPrincipal = principal;
                System.Web.HttpContext.Current.User = principal;
            }
        }
    }
I'm surprised you'd recommend setting HttpContext.Current.User in the body of the OnAuthorize method. Surely this means that Controllers/Actions which are accessible to unauthenticated users and don't have an Authorize attribute won't have access to the current user if they happen to be authenticated. In classic ASP.NET the place to set HttpContext.Current.User would be in Application_PostAuthenticateRequest - wouldn't it be the same for MVC? – Joe
Good point, it would probably be better to put it there. I'll think about it and revise my answer. – jackmott
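As an added example that is not part of the thread above, this is what the alternative Joe describes looks like: the Basic header is parsed and validated once per request in Application_PostAuthenticateRequest, so both [Authorize]-protected and anonymous actions see the same User. It assumes the default MvcApplication class from the MVC project template's Global.asax, and it uses the static Membership.ValidateUser in place of the answer's AccountMembershipService (which wraps the same provider); the helper TryParseBasicHeader is a name chosen here, not a framework API.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Web;
using System.Web.Security;

// Assumed to be the application class in Global.asax.cs (the MVC template's default name).
public class MvcApplication : HttpApplication
{
    // Runs after the built-in authentication modules (forms auth etc.) have established
    // the request's identity. Valid Basic credentials replace that identity for the whole
    // request; anything else leaves it untouched, so anonymous requests stay anonymous.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        string userName, password;
        if (!TryParseBasicHeader(app.Request.Headers["Authorization"], out userName, out password))
            return;

        // The membership provider does the password hashing/comparison and lockout handling.
        if (!Membership.ValidateUser(userName, password))
            return;

        var roles = Roles.GetRolesForUser(userName);
        IPrincipal principal = new GenericPrincipal(new GenericIdentity(userName, "Basic"), roles);
        app.Context.User = principal;
        Thread.CurrentPrincipal = principal;
    }

    // Hypothetical helper: parses "Basic base64(user:password)". Returns false for any other
    // scheme or a malformed value so that a bad header never becomes an unhandled exception.
    internal static bool TryParseBasicHeader(string header, out string userName, out string password)
    {
        userName = password = null;
        if (string.IsNullOrEmpty(header) ||
            !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return false;

        string decoded;
        try
        {
            decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim()));
        }
        catch (FormatException)
        {
            return false;
        }

        // Only the first ':' separates user from password (RFC 7617); the password may contain colons.
        int colon = decoded.IndexOf(':');
        if (colon <= 0)
            return false;

        userName = decoded.Substring(0, colon);
        password = decoded.Substring(colon + 1);
        return true;
    }
}
```

With this in place the custom attribute from the answer is no longer needed; the plain [Authorize] and [Authorize(Roles = "...")] attributes already work against the principal set here. Because Basic credentials are only Base64-encoded, not encrypted, the actions that accept them should also carry [RequireHttps] so the password is never sent in the clear.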