ASP .NET MVC Forms authorization with Active Directory groups

Note: this page is a Chinese-English bilingual translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it, you must comply with the CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/4342271/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow

Date: 2020-09-03 15:00:00  Source: igfitidea

ASP .NET MVC Forms authorization with Active Directory groups

Tags: .net, asp.net-mvc, active-directory

Asked by dnatoli

I'm attempting to authenticate using users and groups in ASP.NET MVC against Active Directory.

I have put the following attribute on all my classes (except the account class):

[Authorize (Roles="SubcontractDB Users")]

This group is found under OU=Area->OU=Groups->OU=Company->CN=SubcontractDB in Active Directory. I'm assuming I also need to set up a RoleManager in web.config, which I've attempted to do as follows:

<roleManager defaultProvider="ADRoleProvider">
  <providers>
    <clear />
    <add name="ADMembershipProvider" 
         type="System.Web.Security.ActiveDirectoryMembershipProvider" 
         connectionStringName="ADConnectionString" 
         attributeMapUsername="sAMAccountName" />
  </providers>
</roleManager>

My connection string is:

    <add name="ADConnectionString" 
         connectionString="LDAP://blah.com:389/DC=blah,DC=wateva,DC=com"/>

Obviously I'm doing it wrong as this doesn't work. All I want to do is allow access to users that are a member of a certain group in AD.

Answered by dnatoli

So I ended up implementing my own authorize attribute and using that:

using System;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Web;
using System.Web.Mvc;

namespace Application.Filters
{  
   public class AuthorizeADAttribute : AuthorizeAttribute
   {
      public string Groups { get; set; }

      protected override bool AuthorizeCore(HttpContextBase httpContext)
      {
         if (base.AuthorizeCore(httpContext))
         {
            /* Return true immediately if the authorization is not 
            locked down to any particular AD group */
            if (String.IsNullOrEmpty(Groups))
               return true;

            // Get the AD groups (trim whitespace around the comma-separated names)
            var groups = Groups.Split(',').Select(g => g.Trim()).ToList<string>();

            // Verify that the user is in the given AD group (if any)
            using (var context = new PrincipalContext(ContextType.Domain, "server"))
            {
               var userPrincipal = UserPrincipal.FindByIdentity(context, 
                                                    IdentityType.SamAccountName,
                                                    httpContext.User.Identity.Name);

               // Deny if the user cannot be found in the directory
               if (userPrincipal == null)
                  return false;

               foreach (var group in groups)
                  if (userPrincipal.IsMemberOf(context, IdentityType.Name, group))
                     return true;
            }
         }
         return false;
      }
   }
}

And then I can simply use the following above controllers or functions:

using Application.Filters;
...
[AuthorizeAD(Groups = "groupname")]

NB: You could simply use new PrincipalContext(ContextType.Domain); however there is a bug in .NET 4.0 that throws a (0x80005000) error at userPrincipal.IsMemberOf(...). See here for details.

If you would like to know how to redirect to another page based on failed authorization, check my answer here: Adding an error message to the view model based on controller attribute in ASP.NET MVC

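A hardened variant of the attribute in the answer above, added here as an illustration and not part of the original answer (the class name AuthorizeADGroupsAttribute, the Domain property and the "server" placeholder are assumptions): it fails closed when the user cannot be resolved, strips the DOMAIN\ prefix that Windows authentication puts in front of the user name, resolves the configured group names to SIDs, and checks the user's authorization groups so nested group membership also counts.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Web;
using System.Web.Mvc;

namespace Application.Filters
{
    // Illustrative variant (not from the original answer): fail closed, compare
    // groups by SID, and include nested groups via the user's authorization groups.
    public class AuthorizeADGroupsAttribute : AuthorizeAttribute
    {
        public string Groups { get; set; }
        public string Domain { get; set; } = "server"; // placeholder, as in the answer

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            if (!base.AuthorizeCore(httpContext))
                return false;
            if (string.IsNullOrWhiteSpace(Groups))
                return true;

            var wanted = Groups.Split(',').Select(g => g.Trim())
                              .Where(g => g.Length > 0).ToList();

            // Windows auth reports "DOMAIN\user"; sAMAccountName is the part after '\'.
            var name = httpContext.User.Identity.Name;
            var sep = name.LastIndexOf('\\');
            if (sep >= 0) name = name.Substring(sep + 1);

            using (var context = new PrincipalContext(ContextType.Domain, Domain))
            {
                var user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, name);
                if (user == null)
                    return false; // unknown user: deny rather than throw

                // Resolve configured names to SIDs once; membership is compared by SID.
                var wantedSids = new HashSet<string>();
                foreach (var groupName in wanted)
                {
                    var group = GroupPrincipal.FindByIdentity(context, IdentityType.Name, groupName);
                    if (group != null && group.Sid != null)
                        wantedSids.Add(group.Sid.Value);
                }
                if (wantedSids.Count == 0)
                    return false; // none of the configured groups exists: deny

                // GetAuthorizationGroups returns direct and nested group memberships.
                using (var memberOf = user.GetAuthorizationGroups())
                    return memberOf.Any(g => g.Sid != null && wantedSids.Contains(g.Sid.Value));
            }
        }
    }
}
```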
Answered by Nick Cecil

It's no longer necessary to implement your own attribute for this functionality in ASP.NET MVC 3. The AspNetWindowsTokenRoleProvider works with Active Directory users and groups. To use this with AuthorizeAttribute you need to add the following to your web.config:

<authentication mode="Windows" />

<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
   <providers>
      <clear />
      <add 
          name="AspNetWindowsTokenRoleProvider"
          type="System.Web.Security.WindowsTokenRoleProvider" 
          applicationName="/" />
   </providers>
</roleManager>

Then, on your controllers or action methods, you can refer to Active Directory Groups like so:

[Authorize(Roles = @"YOURDOMAIN\Group1, YOURDOMAIN\Group2")]