How is authorization done in ASP.net MVC today?

Shared by user (Powerful).

I've been working with ASP.net MVC for several years now. Most applications I've developed in the past have been accessed through a link from a legacy web application. When users arrive on one of my applications, my application simply reads a cookie from the browser that indicates that the user was authenticated by the legacy application.


Now, I'm finally working on a brand-new web application that needs to be able to perform authentication and authorization. I'm sure I can make something work, but I want to know what today's best practices are.


From ASP.net WebForms, I am familiar with the MembershipProvider and RoleProvider classes. I also have a little bit of familiarity with Windows Identity Foundation (WIF).

However, when I look at the default ASP.net MVC 4 application, the "AccountController" class uses something called the WebSecurity class. I'm wondering if this is meant to deprecate the MembershipProvider and RoleProvider classes.


This should be a basic setup with username/password authentication provided by another server and role-based access to privileged resources.

What are the best practices for implementing these in ASP.net MVC 4 today?


Authentication has been in flux for the last few years and is stabilizing in Visual Studio 2013 on something called the ASP.NET Identity, which offers a claims based Identity approach. However, this is still in beta and not yet released.

In MVC4 in either VS2010 or 2012 (.net 4 or 4.5) the default templates are based on the WebMatrix Web Pages technology WebSecurity classes, which are in turn based on the SimpleMembershipProvider, which is itself based on MembershipProvider.

Let me say that again. WebSecurity uses MembershipProvider; however, many of the newer features can only be used by casting the provider to an ExtendedMembershipProvider or by using the WebSecurity API.


You can still use the old SqlMembershipProvider that was used in ASP.NET or MVC3, or any of the other providers MS has released, such as the Universal Providers.


The key here is that all of these (except ASP.NET Identity) are based on Membership, and they all at some level just plug into the Membership API.


Membership, however, is really just about providing a database of users and the ability to validate credentials. Other than logging in, it has little to do with Authenticating the web page, or authorizing the web page. This is where FormsAuthentication or WindowsAuthentication (or others) come in, and these provide the implementations of IIdentity and IPrincipal, which are the basic building blocks upon which ASP.NET (and MVC) authentication are built.


When you use FormsAuthentication, it's basically just an IIdentity implementation. And when you use a RoleProvider, it's basically just an IPrincipal implementation.


These provide the tools in MVC to use the Authorize attribute to control access to pages, and provide the ability to use the User.IsInRole() method to determine the role a user is in.


