0

我的 ASP.NET webapp 将受到第三方代理 (SM) 的保护。SM 将拦截对 webapp 的每个调用,将用户验证为有效的系统用户,添加一些标头信息 ex username 并将其重定向到我的 webapp。然后我需要验证用户是我网站的活跃用户。

目前我正在通过实现文件Application_AuthenticateRequest中的方法来验证用户Global.asax.cs。我有一个自定义成员资格提供程序,其ValidateUser方法检查用户是否存在于我的数据库的用户表中。

如果这是一个好方法,只是想得到评论。

protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        //if user is not already authenticated
        if (HttpContext.Current.User == null)
        {

            var smcred = ParseAuthorizationHeader(Request);
            //validate that this user is a active user in the database via Custom Membership 
            if (Membership.ValidateUser(smcred.SMUser, null))
            {
                //set cookie so the user is not re-validated on every call.
                FormsAuthentication.SetAuthCookie(smcred.SMUser, false);
                var identity = new GenericIdentity(smcred.SMUser);
                string[] roles = null;//todo-implement role provider Roles.Provider.GetRolesForUser(smcred.SMUser);
                var principal = new GenericPrincipal(identity, roles);

                Thread.CurrentPrincipal = principal;
                if (HttpContext.Current != null)
                {
                    HttpContext.Current.User = principal;
                }
            }

        }
    }

    protected virtual SMCredentials ParseAuthorizationHeader(HttpRequest request)
    {
        string authHeader = null;
        var smcredential = new SMCredentials();
    //here is where I will parse the request header for relevant tokens ex username

        //return smcredential;
        //mockup below for username henry
        return new SMCredentials() { SMUser = "henry", FirstName = "", LastName = "", EmailAddr = "" };

    }
4

1 回答 1

2

我会采用 Attribute 方法以使其更像 MVC。它还将为您提供更大的灵活性,您可能为不同的控制器/操作拥有不同的成员资格提供者。

于 2013-10-16T22:55:02.993 回答