问题描述
Q 1. 据我所知,FormsAuthenticationModule
订阅了 AuthenticateRequest
事件,因此只有在触发此事件后,才会调用 FormsAuthenticationModule
.但以下引述让我有点困惑:
- 上面的引用是不是表明当
AuthenticateRequest
事件被引发时,请求(又名用户)已经被认证了?
- 上面的引用是不是表明当
- 据我所知,如果我们订阅了
AuthenticatedRequest
,那么我们的事件处理程序将在FormsAuthenticationModule
之前被调用?因此Application_AuthenticateRequest()
会在FormsAuthenticationModule
被调用之前被调用?
- 据我所知,如果我们订阅了
Q 2. 我正在学习的书表明,在 Application_AuthenticateRequest()
中,我们可以验证用户是否是特定角色的成员,如果不是,我们可以自动添加用户:
protected void Application_AuthenticateRequest(Object sender, EventArgs e){if (User.Identity.IsAuthenticated && Roles.Enabled){//这里我们可以通过 Roles.AddUserToRole() 为用户订阅一个角色}}
从上面的代码来看,Application_AuthenticateRequest()
是在FormsAuthenticationModule
被调用后调用的,但在同一本书的其他地方暗示了Application_AuthenticateRequest()
在 FormsAuthenticationModule
之前调用:
Application_AuthenticateRequest
在执行身份验证之前调用.这是创建您自己的身份验证逻辑的起点.
我错过了什么?
谢谢
似乎首先处理 FormsAuthenticationModule.该模块通常早于 ASP.NET 管道中的任何自定义模块,因此当 AuthenticateRequest 被触发时,FormsAuthenticationModule 将首先被调用,完成其工作,然后将调用您模块的事件处理程序.
如果您真的想深入研究这一点,我建议您尝试自己调试 ASP.NET 代码.这是如何设置 VS 的帖子:
编辑:通过在 Global.asax 中设置具有自定义模块和事件处理程序的 Web 项目,我能够确认此行为.看一下HttpApplication.InitInternal的源码,初始化顺序如下:
- 集成模块的初始化:FormsAuthenticationModule 与 HttpApplication.AuthenticateRequest 事件挂钩
- 自定义模块的初始化:自定义模块连接到 HttpApplication.AuthenticateRequest 事件
- 全局类 (global.asax) 的初始化:这里我们连接到 AuthenticateRequest 事件
- HttpApplication.InitInternal 按照特定的名称模式(例如 Application_AuthenticateRequest)搜索全局类上的方法,将它们与事件匹配并连接
初始化后,当 AuthenticateRequest 触发时,事件处理程序将按照它们初始化的顺序调用,因此:
- FormsAuthenticationModule.AuthenticateRequest 事件处理程序
- CustomModule.AuthenticateRequest 事件处理程序
- Global.AuthenticateRequest 事件处理程序
- Global.Application_AuthenticateRequest 方法
除非我错过了什么,否则没有机制可以阻止事件处理程序触发,因此无论 FormsAuthenticationModule.AuthenticateRequest 的结果如何,下一个处理程序仍将被调用.我希望这会有所帮助.
Q 1. To my understanding FormsAuthenticationModule
is subscribed to AuthenticateRequest
event, and thus only after this event is fired, is FormsAuthenticationModule
called. But the following quotes got me a bit confused:
- Doesn’t the above quote suggest that when
AuthenticateRequest
event is raised, request (aka user) is already authenticated?
- Doesn’t the above quote suggest that when
- As far as I understand this quote, if we subscribe to
AuthenticatedRequest
, then our event handler will be called prior toFormsAuthenticationModule
? ThusApplication_AuthenticateRequest()
will be called beforeFormsAuthenticationModule
is called?
- As far as I understand this quote, if we subscribe to
Q 2. Book I’m learning from suggests that within Application_AuthenticateRequest()
we are able to verify whether user is a member of specific role, and if not, we can add the user automatically:
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
if (User.Identity.IsAuthenticated && Roles.Enabled)
{
//here we can subscribe user to a role via Roles.AddUserToRole()
}
}
Judging from the above code, Application_AuthenticateRequest()
is called after FormsAuthenticationModule
has been invoked, but somewhere else same book implies that Application_AuthenticateRequest()
is called prior to FormsAuthenticationModule
:
What am I missing?
Thanx
It seems that the FormsAuthenticationModule gets handled first. This module is normally earlier than any custom module in the ASP.NET pipeline, so when AuthenticateRequest is fired, FormsAuthenticationModule will get called first, do its job and then your module's event handler will be called.
If you really want to dig deep into this, I suggest trying to debug the ASP.NET code yourself. Here is a post how to set up your VS:
EDIT: I was able to confirm this behavior by setting up a web project with custom module and event handlers in Global.asax. Take a look at the source code of HttpApplication.InitInternal, the order of initialization is as follows:
- initialization of integrated modules: FormsAuthenticationModule hooks up to HttpApplication.AuthenticateRequest event
- initialization of custom modules: custom module hooks up to HttpApplication.AuthenticateRequest event
- initialization of Global class (global.asax): here we hook up to the AuthenticateRequest event
- HttpApplication.InitInternal searches for methods on Global class following the specific name pattern (e.g. Application_AuthenticateRequest), matches them to event and hooks up
After the initialization, when the AuthenticateRequest fires, the event handlers are called in the order they where initialized, so:
- FormsAuthenticationModule.AuthenticateRequest event handler
- CustomModule.AuthenticateRequest event handler
- Global.AuthenticateRequest event handler
- Global.Application_AuthenticateRequest method
Unless I missed something, there is no mechanism for stopping the event handlers to fire, so no matter what the result of FormsAuthenticationModule.AuthenticateRequest, the next handlers will still be called. I hope that helps.
这篇关于AuthenticateRequest 事件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!