问题描述
我正在开发一个 Intranet 应用程序,并希望使用现有组织的 Active Directory 进行用户身份验证和基于策略的角色授权.
I am developing an intranet application and would like to use the existing organisations Active Directory for user authentication and policy based role authorisation.
有人能指出我正确的方向吗?我有点困惑(实际上很困惑).
Can someone point me in the right direction? I am getting a bit confused (well actually a lot confused).
谢谢
推荐答案
http://docs.asp.net/en/latest/security/index.html
首先启动一个新的 ASP.Net Web 应用程序项目,选择 Web 应用程序模板,然后在右侧窗格中按更改身份验证"按钮并选择Windows 身份验证".
First start a new ASP.Net Web Application project, Pick the Web Application template then on the right pane press the "Change Authentication" button and pick "Windows Authentication".
您现在可以在类或方法上使用 [Authorize]
来检查基本身份验证与从 RC2 开始的活动目录,您可以简单地使用组名 ala [Authorize(Roles=@"域组")]
You can now use [Authorize]
on a class or method to check basic authentication vs active directory as of RC2 you can simply use the group names ala [Authorize(Roles=@"DOMAINGROUP")]
现在已经过时且繁琐的替代方案(仍然有效):
The now obsolete and cumbersome alternative (still works):
如果您查看 User.Claims
,您会发现每个用户组都存在 groupid 键.在此基础上,您可以执行类似 [Authorize(Policy="FOOBAR")]
的操作,并通过
If you look at User.Claims
you can see the groupsid keys exist for each of the user's groups. Building off that you can do something like [Authorize(Policy="FOOBAR")]
and define it in your Startup.ConfigureServices
method via
services.AddAuthorization(
o => o.AddPolicy(
"FOOBAR",
p => p.RequireClaim("http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
"ENTER GROUP SID")
));
请注意,RequireClaim 的第二个参数是一个允许多个组的字符串数组.
Note that the second param to RequireClaim is a string array to allow for multiple groups.
还要注意通过这个命令行魔法找出组ID dsquery group -name ENTER GROUP NAME" |dsget group -sid
Also note to figure out group ids via this command line magic dsquery group -name "ENTER GROUP NAME" | dsget group -sid
这篇关于如何为 ASP.Net 5 (MVC6) Intranet 应用程序使用 Active Directory的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持编程学习网!