Monday 15 August 2011

ASP.Net MVC Memberships

I want to use AuthorizeAttribute to control which users are allowed to do what in my application. I just want to make sure that my approach is in order:

  1. I implemented my own IPrincipal.
  2. I used a Security controller for the login operation (credit to this post).
  3. I verified the credentials with a UserService class and assigned the IPrincipal from my UserService class to HttpContext.User.
  4. I returned to my WebAuthorizeAttribute, which inherits from AuthorizeAttribute and checks the current HttpContext.User.Identity.IsAuthenticated and HttpContext.User.IsInRole to determine whether the user has access to the action.

Is this the normal flow of things? I know that I could use the membership provider, but I do not need all the functionality there; in fact there is only the ability to log in with two different roles.

You have to store the IPrincipal somewhere and restore it on every request. If you use FormsAuthentication, this is a good solution:

You can find other solutions here:

And probably in many other StackOverflow questions :)

Edit

About MyBusinessLayerSecurityClass.CreatePrincipal(id, id.Name):

You should read this page:

Specifically this:

The FormsAuthenticationModule class constructs a GenericPrincipal object and stores it in the HTTP context. The GenericPrincipal object holds a reference to a FormsIdentity instance that represents the currently authenticated user. You should allow forms authentication to manage these tasks for you. If your application has specific requirements, such as setting the User property to a custom class that implements the IPrincipal interface, your application should handle the PostAuthenticate event. The PostAuthenticate event occurs after the FormsAuthenticationModule has verified the forms authentication cookie and created the GenericPrincipal and FormsIdentity objects. Within this code, you can construct a custom IPrincipal object that wraps the FormsIdentity object, and then store it in the HttpContext.User property.

Once the authentication cookie has been set, the website manages it automatically. All you have to do is wrap it in your IPrincipal. All of this happens when the HttpContext.Current.User property is not null (it is a GenericPrincipal at that point, which you then replace). When HttpContext.Current.User is null, no authentication cookie was created previously and the user is not authenticated.
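The flow the question lists and the answer describes, as an added example that is not part of the original question, answer or the quoted documentation. It is written for an ASP.NET MVC 3 application using FormsAuthentication; the names MyPrincipal, UserService, SecurityController and WebAuthorizeAttribute are assumptions for illustration, and the user table inside UserService is constructed sample data. Roles are carried in the forms ticket's UserData, which FormsAuthentication encrypts and signs with the machineKey, so the browser cannot tamper with them; the principal set in the login action only lives for that one request, which is why it has to be rebuilt in Application_PostAuthenticateRequest.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Step 1: custom IPrincipal that wraps the FormsIdentity created by FormsAuthenticationModule.
public class MyPrincipal : IPrincipal
{
    private readonly string[] _roles;
    public MyPrincipal(IIdentity identity, string[] roles) { Identity = identity; _roles = roles ?? new string[0]; }
    public IIdentity Identity { get; private set; }
    public bool IsInRole(string role) { return _roles.Contains(role, StringComparer.OrdinalIgnoreCase); }
}

// Hypothetical credential store with a constructed sample user table (a real app reads its DB).
// Passwords are kept as PBKDF2 hashes; a single salt is used here only for brevity.
public class UserService
{
    private static readonly byte[] Salt = Encoding.UTF8.GetBytes("example-salt-use-per-user-salts");
    private static readonly Dictionary<string, Tuple<byte[], string[]>> Users =
        new Dictionary<string, Tuple<byte[], string[]>>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", Tuple.Create(Hash("correct horse"), new[] { "Admin" }) },
            { "bob",   Tuple.Create(Hash("battery staple"), new[] { "User" }) },
        };

    private static byte[] Hash(string password)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, Salt, 10000)) return kdf.GetBytes(32);
    }

    public bool ValidateCredentials(string userName, string password, out string[] roles)
    {
        roles = null;
        Tuple<byte[], string[]> entry;
        if (userName == null || password == null || !Users.TryGetValue(userName, out entry)) return false;
        if (!Hash(password).SequenceEqual(entry.Item1)) return false;
        roles = entry.Item2;
        return true;
    }
}

// Steps 2 and 3: verify credentials, then issue the forms-auth cookie carrying the roles.
public class SecurityController : Controller
{
    private readonly UserService _users = new UserService();

    [HttpPost]
    public ActionResult Login(string userName, string password, string returnUrl)
    {
        string[] roles;
        if (!_users.ValidateCredentials(userName, password, out roles))
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            return View();
        }
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
                                                   false /* session cookie */, string.Join(",", roles));
        Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL
        });
        // Only follow local return URLs; anything else would be an open redirect.
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}

// Global.asax: after FormsAuthenticationModule has validated the cookie on each request,
// replace its GenericPrincipal/FormsIdentity pair with MyPrincipal.
public class MvcApplication : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var formsIdentity = Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (formsIdentity == null || !formsIdentity.IsAuthenticated) return; // no valid cookie: stay anonymous
        string userData = formsIdentity.Ticket.UserData ?? "";
        string[] roles = userData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        Context.User = new MyPrincipal(formsIdentity, roles);
    }
}

// Step 4: AuthorizeAttribute already checks IsAuthenticated and IsInRole on HttpContext.User;
// the override only refuses anything that is not our principal (e.g. if the module order changed).
public class WebAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        return httpContext.User is MyPrincipal && base.AuthorizeCore(httpContext);
    }
}

// Usage on an action:  [WebAuthorize(Roles = "Admin")] public ActionResult Delete(int id) { ... }
```

Two caveats a practitioner should weigh: roles stored in the ticket stay valid until the ticket expires, so revoking a role takes effect only at the next login (look the roles up in the database inside Application_PostAuthenticateRequest if you need immediate revocation), and the ticket's integrity depends entirely on the machineKey, which must be set explicitly and kept secret in a web farm.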
