.NET Core authentication

Updated: 2024-10-11 07:30:31

Problem description

I wanted to implement forms authentication with membership in my ASP MVC Core application. We had forms authentication set up in our previous application as below and wanted to use the same in Core.

```csharp
[HttpPost]
public ActionResult Login(LoginModel model, string returnUrl)
{
    if (!this.ModelState.IsValid)
    {
        return this.View(model);
    }

    //Authenticate
    if (!Membership.ValidateUser(model.UserName, model.Password))
    {
        this.ModelState.AddModelError(string.Empty, "The user name or password provided is incorrect.");
        return this.View(model);
    }
    else
    {
        FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
        return this.RedirectToAction("Index", "Home");
    }

    return this.View(model);
}
```

In my configuration:

```xml
<membership defaultProvider="ADMembership">
  <providers>
    <add name="ADMembership"
         type="System.Web.Security.ActiveDirectoryMembershipProvider"
         connectionStringName="ADConnectionString"
         attributeMapUsername="sAMAccountName" />
  </providers>
</membership>
```

So we are using active directory here in membership.

Is this still applicable in Core?

If not, what else is available in Core for forms authentication and AD?

Your input would be appreciated.

Recommended answer

Yes, you can do that in a Core MVC application. You enable forms authentication and use LDAP as the user store at the back end.

Here is how I set things up, to give you a start:

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.AspNetCore.Rewrite;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using DL.SO.Services.Core;
using DL.SO.Services.Security.Ldap;

public class Startup
{
    ...

    public void ConfigureServices(IServiceCollection services)
    {
        ...

        // Read LDAP settings from appsettings
        services.Configure<LdapConfig>(this.Configuration.GetSection("ldap"));

        // Define an interface for authentication service,
        // We used Novell.Directory.Ldap as implementation.
        services.AddScoped<IAuthenticationService, LdapAuthenticationService>();

        // Global filter is enabled to protect the whole site
        services.AddMvc(config =>
        {
            var policy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
            config.Filters.Add(new AuthorizeFilter(policy));

            ...
        });

        // Form authentication and cookies settings
        var cookiesConfig = this.Configuration.GetSection("cookies").Get<CookiesConfig>();
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.Cookie.Name = cookiesConfig.CookieName;
                options.LoginPath = cookiesConfig.LoginPath;
                options.LogoutPath = cookiesConfig.LogoutPath;
                options.AccessDeniedPath = cookiesConfig.AccessDeniedPath;
                options.ReturnUrlParameter = cookiesConfig.ReturnUrlParameter;
            });
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        // Redirects all HTTP requests to HTTPS
        if (env.IsProduction())
        {
            app.UseRewriter(new RewriteOptions()
                .AddRedirectToHttpsPermanent());
        }

        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/error");
        }

        app.UseStaticFiles();
        app.UseStatusCodePagesWithReExecute("/error", "?code={0}");

        // Must run before UseMvc so the cookie is read before the global authorize filter runs
        app.UseAuthentication();

        app.UseMvc(routes =>
        {
            ...
        });
    }
}
```

appsettings.json

```json
{
  "connectionStrings": {
    "appDbConnection": "xxx"
  },
  "ldap": {
    "url": "xxx.loc",
    "bindDn": "CN=Users,DC=xxx,DC=loc",
    "username": "xxx",
    "password": "xxx",
    "searchBase": "DC=xxx,DC=loc",
    "searchFilter": "(&(objectClass=user)(objectClass=person)(sAMAccountName={0}))"
  },
  "cookies": {
    "cookieName": "xxx",
    "loginPath": "/account/login",
    "logoutPath": "/account/logout",
    "accessDeniedPath": "/account/accessDenied",
    "returnUrlParameter": "returnUrl"
  }
}
```

IAuthenticationService.cs

```csharp
namespace DL.SO.Services.Core
{
    public interface IAuthenticationService
    {
        IAppUser Login(string username, string password);
    }
}
```

LdapAuthenticationService.cs

LDAP implementation of authentication service, using Novell.Directory.Ldap library to talk to Active Directory. You can NuGet that library.

```csharp
using System;
using System.Linq;
using Microsoft.Extensions.Options;
using Novell.Directory.Ldap;
...
using DL.SO.Services.Core;

namespace DL.SO.Services.Security.Ldap
{
    public class LdapAuthenticationService : IAuthenticationService
    {
        private const string MemberOfAttribute = "memberOf";
        private const string DisplayNameAttribute = "displayName";
        private const string SAMAccountNameAttribute = "sAMAccountName";
        private const string MailAttribute = "mail";

        private readonly LdapConfig _config;
        private readonly LdapConnection _connection;

        public LdapAuthenticationService(IOptions<LdapConfig> configAccessor)
        {
            // Config from appsettings, injected through the pipeline
            _config = configAccessor.Value;
            _connection = new LdapConnection();
        }

        public IAppUser Login(string username, string password)
        {
            // DEFAULT_PORT is 389 (LDAP without TLS); both binds below send a password over this connection
            _connection.Connect(_config.Url, LdapConnection.DEFAULT_PORT);

            // First bind as the service account so the directory can be searched
            _connection.Bind(_config.Username, _config.Password);

            // The user name is inserted into the filter as submitted, without escaping
            var searchFilter = String.Format(_config.SearchFilter, username);
            var result = _connection.Search(
                _config.SearchBase,
                LdapConnection.SCOPE_SUB,
                searchFilter,
                new[] {
                    MemberOfAttribute,
                    DisplayNameAttribute,
                    SAMAccountNameAttribute,
                    MailAttribute
                },
                false);

            try
            {
                var user = result.next();
                if (user != null)
                {
                    // Second bind as the found user: this is the actual password check
                    _connection.Bind(user.DN, password);
                    if (_connection.Bound)
                    {
                        var accountNameAttr = user.getAttribute(SAMAccountNameAttribute);
                        if (accountNameAttr == null)
                        {
                            throw new Exception("Your account is missing the account name.");
                        }

                        var displayNameAttr = user.getAttribute(DisplayNameAttribute);
                        if (displayNameAttr == null)
                        {
                            throw new Exception("Your account is missing the display name.");
                        }

                        var emailAttr = user.getAttribute(MailAttribute);
                        if (emailAttr == null)
                        {
                            throw new Exception("Your account is missing an email.");
                        }

                        var memberAttr = user.getAttribute(MemberOfAttribute);
                        if (memberAttr == null)
                        {
                            throw new Exception("Your account is missing roles.");
                        }

                        return new AppUser
                        {
                            DisplayName = displayNameAttr.StringValue,
                            Username = accountNameAttr.StringValue,
                            Email = emailAttr.StringValue,
                            // GetGroup is not shown in this answer
                            Roles = memberAttr.StringValueArray
                                .Select(x => GetGroup(x))
                                .Where(x => x != null)
                                .Distinct()
                                .ToArray()
                        };
                    }
                }
            }
            finally
            {
                _connection.Disconnect();
            }

            return null;
        }
    }
}
```

AccountController.cs

Then finally, after the user is verified, you need to construct the principal from the user claims for the sign-in process, which would generate the cookie behind the scenes.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
// Alias avoids the name clash with Microsoft.AspNetCore.Authentication.IAuthenticationService
using IAuthenticationService = DL.SO.Services.Core.IAuthenticationService;

public class AccountController : Controller
{
    private readonly IAuthenticationService _authService;

    public AccountController(IAuthenticationService authService)
    {
        _authService = authService;
    }

    ...

    [HttpPost]
    [AllowAnonymous]
    public async Task<IActionResult> Login(LoginViewModel model)
    {
        if (ModelState.IsValid)
        {
            try
            {
                var user = _authService.Login(model.Username, model.Password);
                if (user != null)
                {
                    var claims = new List<Claim>
                    {
                        new Claim(ClaimTypes.Name, user.Username),
                        new Claim(CustomClaimTypes.DisplayName, user.DisplayName),
                        new Claim(ClaimTypes.Email, user.Email)
                    };

                    // Roles
                    foreach (var role in user.Roles)
                    {
                        claims.Add(new Claim(ClaimTypes.Role, role));
                    }

                    // Construct Principal
                    var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, _authService.GetType().Name));

                    await HttpContext.SignInAsync(
                        CookieAuthenticationDefaults.AuthenticationScheme,
                        principal,
                        new AuthenticationProperties
                        {
                            IsPersistent = model.RememberMe
                        }
                    );

                    // Only follow ReturnUrl when it points back into this site
                    return Redirect(Url.IsLocalUrl(model.ReturnUrl)
                        ? model.ReturnUrl
                        : "/");
                }

                ModelState.AddModelError("", @"Your username or password is incorrect.");
            }
            catch (Exception ex)
            {
                ModelState.AddModelError("", ex.Message);
            }
        }

        return View(model);
    }
}
```
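
The `Login` method in `LdapAuthenticationService` substitutes the submitted user name into `searchFilter` with `String.Format`, so LDAP filter metacharacters in that value alter the query. The following is an added example, not part of the original answer (`LdapInput`, `EscapeFilterValue` and `BuildUserFilter` are hypothetical names): it escapes the value per RFC 4515 and rejects an empty password before any bind is attempted.

```csharp
using System;
using System.Text;

// Added example; LdapInput and its members are hypothetical names.
public static class LdapInput
{
    // RFC 4515: these characters must appear as \XX inside a filter assertion value.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length + 8);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Returns null when the credentials must be rejected before any LDAP call.
    public static string BuildUserFilter(string template, string username, string password)
    {
        // A simple bind with a DN and an empty password is an "unauthenticated bind"
        // (RFC 4513, section 5.1.2), which some directory servers report as success.
        if (string.IsNullOrWhiteSpace(username) || string.IsNullOrEmpty(password))
            return null;
        return string.Format(template, EscapeFilterValue(username));
    }

    public static void Main()
    {
        // Same template as the "searchFilter" value in appsettings.json above.
        const string template = "(&(objectClass=user)(objectClass=person)(sAMAccountName={0}))";
        // Constructed sample inputs containing filter metacharacters.
        foreach (var name in new[] { "jdoe", "j*doe", "smith (contractor)" })
        {
            Console.WriteLine("raw:     " + string.Format(template, name));
            Console.WriteLine("escaped: " + BuildUserFilter(template, name, "constructed-pw"));
        }
        Console.WriteLine(BuildUserFilter(template, "jdoe", "") == null ? "empty password rejected" : "not rejected");
    }
}
```

In `LdapAuthenticationService.Login`, `BuildUserFilter` would take the place of the `String.Format` line, with `Login` returning `null` when it returns `null`.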

Published: 2023-11-15 16:21:28
Article link: https://www.elefans.com/category/jswz/34/1596039.html