ASP .NET MVC 表单授权与 Active Directory 组

ASP .NET MVC Forms authorization with Active Directory groups(ASP .NET MVC 表单授权与 Active Directory 组)
本文介绍了ASP .NET MVC 表单授权与 Active Directory 组的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着跟版网的小编来一起学习吧!

问题描述

我正在尝试使用 ASP.NET MVC 中的用户和组对 Active Directory 进行身份验证.

我已将以下属性放在我所有的类(帐户类除外)上:

[授权(角色=SubcontractDB 用户")]

该组位于活动目录中的 OU=Area->OU=Groups->OU=Company->CN=SubcontractDB 下.我假设我还需要在 web.config 中设置一个 RoleManager,我尝试按如下方式执行:

<提供者><清除/><add name="ADMembershipProvider"type="System.Web.Security.ActiveDirectoryMembershipProvider"connectionStringName="ADConnectionString"attributeMapUsername="sAMAccountName"/></提供者></roleManager>

我的连接字符串是:

 

显然我做错了,因为这不起作用.我想要做的就是允许访问属于 AD 中某个组成员的用户.

解决方案

所以我最终实现了我自己的授权属性并使用它:

命名空间 Application.Filters{公共类 AuthorizeADAttribute : AuthorizeAttribute{公共字符串组{获取;放;}protected override bool AuthorizeCore(HttpContextBase httpContext){如果 (base.AuthorizeCore(httpContext)){/* 如果没有授权,立即返回真锁定到任何特定的 AD 组 */if (String.IsNullOrEmpty(Groups))返回真;//获取 AD 组var groups = Groups.Split(',').ToList();//验证用户是否在给定的 AD 组中(如果有)var context = new PrincipalContext(ContextType.Domain, "server");var userPrincipal = UserPrincipal.FindByIdentity(上下文,IdentityType.SamAccountName,httpContext.User.Identity.Name);foreach (var group in groups)if (userPrincipal.IsMemberOf(context, IdentityType.Name, group))返回真;}返回假;}}}

然后我可以简单地使用上面的控制器或函数

使用 Application.Filters;...[AuthorizeAD(Groups = "groupname")]

注意:您可以简单地使用 new PrincipalContext(ContextType.Domain); 但是 .NET 4.0 中有一个错误会引发 (0x80005000) userPrincpal.IsMemberOf(...) 错误.有关详细信息,请参阅此处.

如果您想知道如何根据授权失败重定向到另一个页面,请在此处查看我的答案:在ASP.NET MVC中基于控制器属性向视图模型添加错误信息>

I'm attempting to authenticate using users and groups in ASP.NET MVC against Active Directory.

I have put the following attribute on all my classes (except the account class):

[Authorize (Roles="SubcontractDB Users")]

This group is found under OU=Area->OU=Groups->OU=Company->CN=SubcontractDB in active directory. I'm assuming I also need to setup a RoleManager in web.config which I've attempted to do as follows:

<roleManager defaultProvider="ADRoleProvider">
  <providers>
    <clear />
        <add name="ADMembershipProvider" 
             type="System.Web.Security.ActiveDirectoryMembershipProvider" 
             connectionStringName="ADConnectionString" 
             attributeMapUsername="sAMAccountName" />
  </providers>
</roleManager>

My connection string is:

    <add name="ADConnectionString" 
         connectionString="LDAP://blah.com:389/DC=blah,DC=wateva,DC=com"/>

Obviously I'm doing it wrong as this doesn't work. All I want to do is allow access to users that are a member of a certain group in AD.

解决方案

So I ended up implementing my own authorize attribute and using that:

namespace Application.Filters
{  
   public class AuthorizeADAttribute : AuthorizeAttribute
   {
      public string Groups { get; set; }

      protected override bool AuthorizeCore(HttpContextBase httpContext)
      {
         if (base.AuthorizeCore(httpContext))
         {
            /* Return true immediately if the authorization is not 
            locked down to any particular AD group */
            if (String.IsNullOrEmpty(Groups))
               return true;

            // Get the AD groups
            var groups = Groups.Split(',').ToList<string>();

            // Verify that the user is in the given AD group (if any)
            var context = new PrincipalContext(ContextType.Domain, "server");
            var userPrincipal = UserPrincipal.FindByIdentity(context, 
                                                 IdentityType.SamAccountName,
                                                 httpContext.User.Identity.Name);

            foreach (var group in groups)
               if (userPrincipal.IsMemberOf(context, IdentityType.Name, group))
                  return true;
         }
         return false;
      }
   }
}

And then I can simply use the following above controllers or functions

Using Application.Filters;
...
[AuthorizeAD(Groups = "groupname")]

NB: You could simply use new PrincipalContext(ContextType.Domain); however there is a bug in .NET 4.0 that throws a (0x80005000) error at userPrincpal.IsMemberOf(...). See here for details.

If you would like to know how to redirect to another page based on failed authorization, check my answer here: Adding an error message to the view model based on controller attribute in ASP.NET MVC

这篇关于ASP .NET MVC 表单授权与 Active Directory 组的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!

本站部分内容来源互联网,如果有图片或者内容侵犯您的权益请联系我们删除!

相关文档推荐

ActiveDirectory error 0x8000500c when traversing properties(遍历属性时 ActiveDirectory 错误 0x8000500c)
search by samaccountname with wildcards(使用通配符按 samaccountname 搜索)
Get the list of Groups for the given UserPrincipal(获取给定 UserPrincipal 的组列表)
Can you find an Active Directory User#39;s Primary Group in C#?(你能在 C# 中找到 Active Directory 用户的主要组吗?)
How to register System.DirectoryServices for use in SQL CLR User Functions?(如何注册 System.DirectoryServices 以在 SQL CLR 用户函数中使用?)
Query From LDAP for User Groups(从 LDAP 查询用户组)