Automatically log out de-authorized users

Updated: 2024-10-07 16:25:54

Problem description


Hey,

I asked a similar question a couple of days ago, but I don't see the same effect as described.

Essentially, I use ASP with form authentication. I manage users with a membership provider, but it has been pretty extensively customized.

It is possible that a user might have permissions removed whilst they are logged in. I want to kick them out asap.

I use SignalR in my apps, and I now check the user permissions on each and every hub query. Authorization failure causes the client to navigate to a page that logs them out (with a harshly worded message letting them know that they've been kicked out).

I had assumed, and was informed, that when the user navigates to a new page after losing authorization, ASP would check the user's permissions again. It doesn't.

Do I have to add checks into each page or is there a setting I'm missing?

Any advice is welcome ^_^

Thanks
Andy

What I have tried:

I use SignalR for SPAs which checks authorisation so in most cases the effect is there for my apps, but my colleagues mostly use page navigation to control workflow and don't use SignalR.
We can check authorisation on every page load, but I have heard that this is done automagically. Is there a setting or a simple app wide fix?

Solution

With forms authentication, the only thing that's validated for each request is that the cookie contains a valid forms authentication ticket, and that the ticket has not expired. If you want to check that the ticket still represents a valid user in your membership store, then you need to add that check to each request. The simplest solution is probably to use a custom IHttpModule:

    using System;
    using System.Security.Principal;
    using System.Web;
    using System.Web.Security;
    using JetBrains.Annotations; // supplies [NotNull]; drop the attribute if this package is not referenced

    public sealed class MembershipValidationModule : IHttpModule
    {
        public void Dispose()
        {
        }

        public void Init(HttpApplication context)
        {
            if (context == null) throw new ArgumentNullException(nameof(context));

            // Runs on every request, after the forms authentication ticket has been read.
            context.PostAuthenticateRequest += (s, e) =>
            {
                var app = s as HttpApplication;
                if (app?.Context != null)
                {
                    OnAuthenticated(new HttpContextWrapper(app.Context));
                }
            };
        }

        private static void OnAuthenticated([NotNull] HttpContextBase context)
        {
            if (IsFormsAuthenticated(context.User))
            {
                // Look the current user up in the membership store again.
                var user = Membership.GetUser();
                if (user == null || !user.IsApproved)
                {
                    // The user was deleted or is no longer approved: drop the ticket.
                    FormsAuthentication.SignOut();
                    context.User = null;
                }
            }
        }

        private static bool IsFormsAuthenticated(IPrincipal user)
        {
            if (user == null || !user.Identity.IsAuthenticated) return false;
            return string.Equals(user.Identity.AuthenticationType, "Forms", StringComparison.OrdinalIgnoreCase);
        }
    }

    <configuration>
      <system.webServer>
        <validation validateIntegratedModeConfiguration="false"/>
        <modules>
          <add name="MembershipValidationModule"
               preCondition="managedHandler"
               type="YourNamespace.MembershipValidationModule, YourAssembly" />
        </modules>
      </system.webServer>
    </configuration>
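
The module above queries the membership store on every authenticated request. As an added example (not part of the original answer), the code below keeps the per-request check but caches a positive result briefly, so the store is hit at most once per user per interval. The class name `CachedMembershipCheck`, its members, the 30-second interval and the extra `IsLockedOut` test are assumptions made for this example.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Caching;
using System.Web.Security;

// Added example; CachedMembershipCheck and its members are hypothetical names.
public static class CachedMembershipCheck
{
    // Assumption: up to 30 seconds may pass between a revocation and sign-out.
    private static readonly TimeSpan Ttl = TimeSpan.FromSeconds(30);

    private static string Key(string userName) =>
        "membership-valid:" + userName.ToUpperInvariant();

    public static bool IsStillValid(string userName)
    {
        if (string.IsNullOrEmpty(userName)) return false;
        if (HttpRuntime.Cache[Key(userName)] != null) return true;

        // userIsOnline: false, so the check does not touch LastActivityDate.
        MembershipUser user = Membership.GetUser(userName, false);
        bool valid = user != null && user.IsApproved && !user.IsLockedOut;
        // Cache only positive answers; a rejected user is always rechecked.
        if (valid)
            HttpRuntime.Cache.Insert(Key(userName), true, null,
                DateTime.UtcNow.Add(Ttl), Cache.NoSlidingExpiration);
        return valid;
    }

    // Call where access is removed; clears this server's cache entry only.
    public static void Invalidate(string userName)
    {
        if (!string.IsNullOrEmpty(userName))
            HttpRuntime.Cache.Remove(Key(userName));
    }

    // Call from the module's PostAuthenticateRequest handler.
    public static void Enforce(HttpContextBase context)
    {
        IIdentity identity = context.User?.Identity;
        if (identity == null || !identity.IsAuthenticated) return;
        if (!string.Equals(identity.AuthenticationType, "Forms",
                StringComparison.OrdinalIgnoreCase)) return;
        if (IsStillValid(identity.Name)) return;

        FormsAuthentication.SignOut(); // expires the authentication cookie
        // Treat the rest of this request as anonymous.
        context.User = new GenericPrincipal(new GenericIdentity(string.Empty), null);
    }
}
```

The cache interval is the longest time a de-authorized user can keep working on a server that has not seen `Invalidate`. On a web farm each server holds its own cache, so the interval applies per server.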

Published: 2023-11-03 04:57:35
Link: https://www.elefans.com/category/jswz/34/1554293.html