3

我目前在我的 MVC.NET 应用程序中使用 windows azure 活动目录作为单点登录,这部分效果很好。我可以针对 WAAD 进行身份验证并毫无问题地加载我的 ClaimsPrinical。

下一步是通过添加来自不同数据源的新声明来转换从 WAAD 检索到的声明。为此,我创建了一个继承 ClaimsAuthenticationManager 的类(如下)。声明被添加到 Principal 并在 CreateSession 方法中持久化到会话 cookie。

我现在的问题是 ClaimsPrincipal.Current 不包含我添加的任何其他声明。当我在 SessionAuthenticationModule_SessionSecurityTokenReceived 事件中设置断点时,我可以看到 ClaimsPrincipal.Current 之间存在差异

ClaimsPrincipal.Current.FindAll(ClaimTypes.Email)
Count = 0

和 e.SessionToken.ClaimsPrincipal。

e.SessionToken.ClaimsPrincipal.FindAll(ClaimTypes.Email)
Count = 1
[0]: {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress: me@mydomain.com}

我在这里想念什么?在所有处理转换声明的示例中,我发现没有提到从 cookie 中手动重新加载 ClaimsPrincipal。会话安全令牌事件是否是重新加载 ClaimsPrincipal 的正确位置,还是我破坏了安全模型?

谢谢。

public class MyAuthenticationManager : ClaimsAuthenticationManager
{
    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        if (!incomingPrincipal.Identity.IsAuthenticated)
        {
            return base.Authenticate(resourceName, incomingPrincipal);
        }

        var transformedPrincipal = this.CreateUserPrincipal(incomingPrincipal.Identity.Name);
        this.CreateSession(transformedPrincipal);

        return transformedPrincipal;
    }

    private ClaimsPrincipal CreateUserPrincipal(String userName)
    {
        List<Claim> claims = new List<Claim>();
        var user = SecurityController.GetUserIdentity(userName);

        claims.Add(new Claim(ClaimTypes.Name, userName));
        claims.Add(new Claim(ClaimTypes.Email, user.Email));
        claims.Add(new Claim(ClaimTypes.GivenName, user.FirstName));
        claims.Add(new Claim(ClaimTypes.Surname, user.LastName));

        return new ClaimsPrincipal(new ClaimsIdentity(claims, "MyCustom"));
    }

    private void CreateSession(ClaimsPrincipal transformedPrincipal)
    {
        var sessionSecurityToken = new SessionSecurityToken(transformedPrincipal, TimeSpan.FromHours(8));

        if (FederatedAuthentication.SessionAuthenticationModule != null &&
        FederatedAuthentication.SessionAuthenticationModule.ContainsSessionTokenCookie(HttpContext.Current.Request.Cookies))
        {
            return;
        }
        FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(sessionSecurityToken);
        //Added line below as per suggestion in one of the posts
        //Doesn't seem to have any effect
        Thread.CurrentPrincipal = transformedPrincipal;
        FederatedAuthentication.SessionAuthenticationModule.SessionSecurityTokenReceived += SessionAuthenticationModule_SessionSecurityTokenReceived;
    }

    void SessionAuthenticationModule_SessionSecurityTokenReceived(object sender, SessionSecurityTokenReceivedEventArgs e)
    {
        System.Diagnostics.Debug.WriteLine("SessionAuthenticationModule_SessionSecurityTokenReceived");
    }
4

2 回答 2

2

看起来我必须通过 ClaimsIdentity 而不是 ClaimsPrincipal 访问索赔。现在,我可以从应用程序中的任何视图或控制器成功访问声明。

((ClaimsIdentity)Thread.CurrentPrincipal.Identity).FindAll(ClaimTypes.Email)
Count = 1
    [0]: {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress: me@mydomain.com}

AuthenticationManager 中的最终代码库如下所示(请注意,当前线程上没有对 ClaimsPrincipal 的显式分配操作)。

public class MyAuthenticationManager : ClaimsAuthenticationManager
{
    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        if (!incomingPrincipal.Identity.IsAuthenticated)
        {
            return base.Authenticate(resourceName, incomingPrincipal);
        }

        var transformedPrincipal = this.CreateUserPrincipal(incomingPrincipal.Identity.Name);
        this.CreateSession(transformedPrincipal);

        return transformedPrincipal;
    }

    private ClaimsPrincipal CreateUserPrincipal(String userName)
    {
        List<Claim> claims = new List<Claim>();
        var user = SecurityController.GetUserIdentity(userName);

        claims.Add(new Claim(ClaimTypes.Name, userName));
        claims.Add(new Claim("UserId", user.Id.ToString()));
        claims.Add(new Claim(ClaimTypes.Email, user.Email));
        claims.Add(new Claim(ClaimTypes.GivenName, user.FirstName));
        claims.Add(new Claim(ClaimTypes.Surname, user.LastName));
        //claims.Add(new Claim(ClaimTypes.NameIdentifier, userName));

        if (user.Account != null)
        {
            claims.Add(new Claim("AccountId", user.Account.Id.ToString()));
            claims.Add(new Claim("AccountName", user.Account.Name.ToString()));
        }
        if (user.Owner != null)
        {
            claims.Add(new Claim("OwnerId", user.Owner.Id.ToString()));
            claims.Add(new Claim("OwnerName", user.Owner.Name.ToString()));
        }

        return new ClaimsPrincipal(new ClaimsIdentity(claims, "MyCustom"));
    }

    private void CreateSession(ClaimsPrincipal transformedPrincipal)
    {
        if (FederatedAuthentication.SessionAuthenticationModule != null &&
        FederatedAuthentication.SessionAuthenticationModule.ContainsSessionTokenCookie(HttpContext.Current.Request.Cookies))
        {
            return;
        }
        var sessionSecurityToken = new SessionSecurityToken(transformedPrincipal, TimeSpan.FromHours(8));
        FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(sessionSecurityToken);
    }
}
于 2013-11-30T00:34:02.463 回答
0

我没有看到您将您的 ClaimsPrincipal(在转换之后)添加回 Thread.CurrentPrincipal。请试试

private void CreateSession(ClaimsPrincipal transformedPrincipal)
    {
        var sessionSecurityToken = new SessionSecurityToken(transformedPrincipal, TimeSpan.FromHours(8));

        if (FederatedAuthentication.SessionAuthenticationModule != null &&
        FederatedAuthentication.SessionAuthenticationModule.ContainsSessionTokenCookie(HttpContext.Current.Request.Cookies))
        {
            return;
        }
        FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(sessionSecurityToken);
        //Following is the missing line of code.
        Thread.CurrentPrincipal = transformedPrincipal;
   }
于 2013-11-27T21:06:23.577 回答