这适用于使用我的AuthorizeAttribute修饰的控制器/操作,但是,对于不需要身份验证的控制器(但如果它在那里仍然使用它),我想得到我的CustomPrincipal(最好是通过HttpContext.User) ).
在这些非装饰的控制器/动作中,设置了HttpContext.User,但是使用了GenericPrincipal而不是我的CustomPrincipal.将GepertPrincipal的HttpContext.User的默认设置“覆盖”的最佳位置在哪里?
同样,如果在每个具有auth cookie的请求中完成此操作,那么在AuthorizeAttribute修饰控制器的情况下,我将如何避免两次执行该工作(这将成为强制认证的控制器).
为了清楚起见,我的网站允许匿名用户访问,但在这些页面上,如果经过身份验证(并实现了CustomPrincipal),则会提供额外的功能.
我认为有些选择(不一定是我的每个背后的逻辑):
>使用会话(并处理逻辑来创建我需要的东西,忘记校长)
> Application_AuthenticateRequest – 在网上看到这是旧学校的评论
>在基本控制器上设置自定义过滤器
>在基本控制器上创建一个AuthorizationAttribute,让每个人都能通过并设置HttpContext.User,因为我想要它
> IHttpModule – 这似乎是一种下降方式(除非其他人不同意,否则沿着这条路走下去).
思考?
解决方法
public class MyPrincipal : GenericPrincipal
{
public MyPrincipal(IIdentity identity,string[] roles): base(identity,roles)
{
}
... some custom properties and stuff
}
然后你可以编写一个全局授权操作过滤器(但是它不是从基础AuthorizeAttribute派生来避免全局认证,它只是实现IAuthorizationFilter接口以确保它在任何其他过滤器之前运行):
public class GlobalIdentityInjector : ActionFilterAttribute,IAuthorizationFilter
{
public void OnAuthorization(AuthorizationContext filterContext)
{
var identity = filterContext.HttpContext.User.Identity;
// do some stuff here and assign a custom principal:
var principal = new MyPrincipal(identity,null);
// here you can assign some custom property that every user
// (even the non-authenticated have)
// set the custom principal
filterContext.HttpContext.User = principal;
}
}
全局过滤器将在〜/ App_Start / FilterConfig.cs中注册,以确保它将应用于所有操作:
public class FilterConfig
{
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
filters.Add(new GlobalIdentityInjector());
}
}
现在,您可以拥有自定义授权属性,该属性仅应用于需要身份验证的某些控制器操作:
public class MyAuthorizeAttribute : AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
var authorized = base.AuthorizeCore(httpContext);
if (!authorized)
{
return false;
}
// we know that at this stage we have our custom
// principal injected by the global action filter
var myPrincipal = (MyPrincipal)httpContext.User;
// do some additional work here to enrich this custom principal
// by setting some other properties that apply only to
// authenticated users
return true;
}
}
然后你可以有两种类型的动作:
public ActionResult Foo()
{
var user = (MyPrincipal)User;
// work with the custom properties that apply only
// to anonymous users
...
}
[MyAuthorize]
public ActionResult Bar()
{
var user = (MyPrincipal)User;
// here you can work with all the properties
// because we know that the custom authorization
// attribute set them and the global filter set the other properties
...
}
