Problem description
I've implemented the following action attribute in my MVC solution.
using System;
using System.Web;
using System.Web.Mvc;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
public class AuthorizeADAttribute : AuthorizeAttribute
{
    // AD groups allowed to reach the action; membership in any one of them is enough.
    public string[] Groups { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // The base check requires an authenticated user (plus any Users/Roles set on the attribute).
        if (base.AuthorizeCore(httpContext))
        {
            /* Return true immediately if the authorization is not
               locked down to any particular AD group */
            if (Groups == null)
                return true;

            foreach (var group in Groups)
                if (httpContext.User.IsInRole(group))
                    return true;
        }
        return false;
    }
}
And invoked it like this:
public const string Admin = "MY_DOMAIN\\Admins";
public const string Users = "MY_DOMAIN\\Users";
public const string AddUser = "MY_DOMAIN\\AddUser";
[AuthorizeAD(Groups = new string[] { Admin, Users })]
public ActionResult GridData(...)
{ ... }
[AuthorizeAD(Groups = new string[] { Admin, Users, AddUser })]
public ActionResult Add(...)
{ ... }
It seemed like it was working fine so far (locally without a problem), until someone noticed (on another question I posted) that I've been receiving 401 errors on the deployed instance.
I think my AuthorizeADAttribute needs to be reworked, unless anyone has an idea of what the issue could be on the host environment. The idea is that a user must be in the admin or user group on the Active Directory to access the site, and if he/she is assigned to the user role, they need to belong to one other group as well, e.g. Add, Delete, Update, etc...
So far I'm pretty much stumped :/
That's perfectly normal and it is how NTLM authentication works. It's a challenge-response authentication protocol, meaning that the server challenges the client by sending a 401 page to which the client responds, ... So the 401s you are seeing are parts of the challenge that the server sent to the client to authenticate himself. You see that in the end the client successfully responded to the challenge and was authenticated with a 200 success.
I don't think that you should be reworking anything with your custom authorize attribute. It's just that you probably don't need it as you could achieve similar functionality with the default Authorize attribute:
[Authorize(Roles = "MY_DOMAIN\\Admins,MY_DOMAIN\\Users")]
public ActionResult GridData(...)
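The exchange the answer describes, as an added example that is not part of the original question or answer: it reads the NTLM message type out of the Authorization and WWW-Authenticate header values and labels each 401 as a handshake step or a real denial. The record fields (status, authorization, www_authenticate), the helper names and the sample tokens are constructed for illustration, and only the NTLM scheme is handled, not Negotiate.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def ntlm_message_type(header_value):
    """Name the NTLM message in an Authorization / WWW-Authenticate value."""
    scheme, _, token = (header_value or "").partition(" ")
    if scheme.upper() != "NTLM" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # not valid base64
        return None
    if len(raw) < 12 or not raw.startswith(NTLM_SIGNATURE):
        return None
    # The message type is a little-endian uint32 right after the signature.
    return NTLM_TYPES.get(struct.unpack_from("<I", raw, 8)[0])

def classify(exchange):
    """Label one request/response pair taken from a single connection."""
    if exchange["status"] != 401:
        return "not-a-401"
    sent = ntlm_message_type(exchange.get("authorization"))
    got = ntlm_message_type(exchange.get("www_authenticate"))
    offered = (exchange.get("www_authenticate") or "").strip().upper() == "NTLM"
    if sent is None and offered:
        return "handshake: server requests NTLM"
    if sent == "NEGOTIATE" and got == "CHALLENGE":
        return "handshake: server challenge"
    if sent == "AUTHENTICATE":
        return "denied: credentials or access rejected"
    return "unexpected 401"

def make_token(msg_type):
    # Constructed token: signature + type + zero padding, not a real capture.
    return "NTLM " + base64.b64encode(
        NTLM_SIGNATURE + struct.pack("<I", msg_type) + b"\x00" * 20).decode()

# Constructed sample: the normal 401, 401, 200 sequence, then a real denial.
SAMPLE = [
    {"status": 401, "authorization": None, "www_authenticate": "NTLM"},
    {"status": 401, "authorization": make_token(1), "www_authenticate": make_token(2)},
    {"status": 200, "authorization": make_token(3), "www_authenticate": None},
    {"status": 401, "authorization": make_token(3), "www_authenticate": "NTLM"},
]
```

Only a 401 returned in answer to an AUTHENTICATE message points at rejected credentials or a failed authorization check; the first two 401s are the handshake itself.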