1

I'm new to web security so I don't want to implement my own. I plan to use SimpleMembership via the VS2012 template for an ASP.NET MVC Internet Application. The problem is that I need to pass the data via a Web API.

I plan to use basic authentication for my Web API, so I just need to pass username/pass in the http headers. I can intercept the message using Thinktecure.IdentityModel. Here's an example that uses ASP.NET Membership:

authConfig.AddBasicAuthentication((userName, password) =>  
  Membership.ValidateUser(userName, password));

I can replace Membership.ValidateUser with my own bool function. I've successfully queried my custom database with username/password and everything worked fine. However, I'm using the template's user database because I DON'T want to store string (or even encoded) passwords.

I am unclear on how to manually validate the credentials using the SimpleMembership's database. I can grab a UserProfile, but can't figure out how to check the profile's password.

UserProfile user = context.UserProfiles.Find(1);

==OUTPUT==
user
    UserId: 1
    UserName: "bob"

Do you know how I can check if an inputted password matches that of an existing user?

Thanks for your help!

4

1 回答 1

0

为什么你不使用Membership.ValidateUser?这不仅限于 ASP.NET 成员资格,假设您在正确的位置拥有[InitializeSimpleMembership]( here ) 属性或在其他地方自己执行了其中的逻辑,并且您对 WebMatrix 等有正确的引用,您仍然可以调用Membership.ValidateUser它并将使用SimpleMemberships 验证用户

如果您想自己访问数据库,并假设您使用的是散列密码等,那么本文可能会有所帮助,因为您需要在选择之前对输入的密码进行散列处理,剩下的只是写一些EF 或(任何其他数据库访问方法)从用户表中选择用户名和散列密码匹配的位置。但我认为没有明显的理由这样做,因为 Membership.ValidateUser 会为你做这一切。

于 2012-12-15T11:12:15.493 回答