I am trying to write my own IAuthenticationFilter implementation, but I am having a hard time figuring it out.
Problem:
People can access pages they should not be able to access!
How do I implement the security?
As mentioned, I want to write my own implementation of an IAuthenticationFilter attribute to decorate almost every method and/or controller across the whole MVC application. For example, AdminController looks like this:
[UserHandler(roles: new Role[] { Role.ADMIN })]
public class AdminController : Controller
{
    ...
}
The Role object is an Enum and has other values as well (READ, WRITE and SUPERVISOR).
Now, here is my actual implementation of the authentication filter:
using System.Web;
using System.Web.Mvc;
using System.Web.Mvc.Filters;
using System.Web.Routing;

[OutputCache(Duration = 0)]
public class UserHandler : ActionFilterAttribute, IAuthenticationFilter
{
    // per-user state, filled in once by the constructor
    private bool AppOffline;
    private bool isAuthenticated = false;
    private bool isAuthorized = false;
    private bool isAdmin = false;

    public UserHandler(Role[] roles = null)
    {
        string userID = HttpContext.Current.User.Identity.Name.Substring(7, 7);
        // creates a users repository
        UsersRepository repository = new UsersRepository(User.GetUserHandler());
        // search the user ID within the database
        // it's basically an encapsulated .Where(u => u.ID == userID)
        isAuthenticated = repository.IsAuthenticated(userID);
        if (isAuthenticated)
        {
            // search the roles associated to the user
            isAdmin = repository.IsAuthorized(userID, new Role[] { Role.ADMIN });
            // this is where the authorization is done:
            // the roles array in the constructor parameter is
            // intersected with the roles array coming from the
            // database: if any(), the user is authorized.
            isAuthorized = repository.IsAuthorized(userID, roles);
        }
    }

    [OutputCache(Duration = 0)]
    void IAuthenticationFilter.OnAuthentication(AuthenticationContext filterContext)
    {
        // check whether the application is in maintenance mode
        AppStatus m = new AppStatus();
        AppOffline = m.IsOffline;
        if (!isAuthenticated || (AppOffline && !isAdmin) || !isAuthorized)
        {
            filterContext.Result = new HttpUnauthorizedResult();
        }
    }

    [OutputCache(Duration = 0)]
    void IAuthenticationFilter.OnAuthenticationChallenge(AuthenticationChallengeContext filterContext)
    {
        // redirect to the matching error page depending on which check failed
        if (!isAuthenticated)
        {
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary(
                    new { action = "UtenteNonPresente", controller = "Errori" }));
        }
        else if (AppOffline && !isAdmin)
        {
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary(
                    new { action = "ManutenzioneAttiva", controller = "Errori" }));
        }
        else if (!isAuthorized)
        {
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary(
                    new { action = "OperazioneNonConsentita", controller = "Errori" }));
        }
    }
}
I cannot see where the problem is, but I think it is something to do with caching the "isAuthorized" boolean, because, for example, I see that refreshing the page does not call the UserHandler constructor.
Another big problem is that I see the issue happen only from time to time, and I cannot find a real way to debug it. Most of the time, though, restarting the site from the IIS panel makes it go away, which is what made me consider a caching problem.
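The behaviour described in the question (the constructor not running on refresh, the fault appearing intermittently and vanishing after an IIS restart) is what you get when per-user state lives in filter attribute fields: ASP.NET MVC creates a filter attribute instance once per decorated controller or action and reuses it for every subsequent request, so whichever user's identity was read in the constructor is applied to everybody who hits that controller afterwards. The example below is an added rewrite, not the question's code, that keeps only the configured roles in the attribute and does every identity, maintenance-mode and role check per request inside OnAuthentication, reading the user from filterContext.HttpContext rather than from a field. It assumes the question's own Role enum, UsersRepository (with IsAuthenticated and IsAuthorized taking a user id and a Role[]) and AppStatus (with IsOffline) exist with the signatures used above; the parameterless UsersRepository constructor and the use of the full Identity.Name as the user id are my assumptions, so substitute the question's own lookup where marked.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Mvc.Filters;
using System.Web.Routing;

// Added example: a stateless authentication filter. Role, UsersRepository and
// AppStatus are assumed to be the application's own types from the question.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public class UserHandlerAttribute : FilterAttribute, IAuthenticationFilter
{
    // The only thing stored on the attribute is configuration. MVC caches the
    // attribute instance across requests, so any per-user field here would be
    // shared between users and could grant one user another user's result.
    private readonly Role[] requiredRoles;

    public UserHandlerAttribute(params Role[] roles)
    {
        requiredRoles = roles ?? new Role[0];
    }

    public void OnAuthentication(AuthenticationContext filterContext)
    {
        // Always read the identity of the request being filtered, never a field.
        var user = filterContext.HttpContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
        {
            filterContext.Result = ErrorPage("UtenteNonPresente");
            return;
        }

        // Assumption: the full user name is the id; the question derives it
        // with Substring(7, 7), which would be applied here instead.
        string userId = user.Identity.Name;

        // Assumption: a parameterless repository constructor.
        var repository = new UsersRepository();
        if (!repository.IsAuthenticated(userId))
        {
            filterContext.Result = ErrorPage("UtenteNonPresente");
            return;
        }

        // Maintenance mode is read on every request so that toggling it takes
        // effect immediately; only admins may continue while it is on.
        bool isAdmin = repository.IsAuthorized(userId, new[] { Role.ADMIN });
        if (new AppStatus().IsOffline && !isAdmin)
        {
            filterContext.Result = ErrorPage("ManutenzioneAttiva");
            return;
        }

        // Role check against the roles configured on this attribute usage.
        if (requiredRoles.Length > 0 && !repository.IsAuthorized(userId, requiredRoles))
        {
            filterContext.Result = ErrorPage("OperazioneNonConsentita");
        }
    }

    public void OnAuthenticationChallenge(AuthenticationChallengeContext filterContext)
    {
        // Nothing to do: OnAuthentication already chose the redirect for this
        // request, and no state is carried between the two calls.
    }

    private static ActionResult ErrorPage(string action)
    {
        return new RedirectToRouteResult(
            new RouteValueDictionary(new { controller = "Errori", action = action }));
    }
}
```

The attribute derives from FilterAttribute rather than ActionFilterAttribute because no OnActionExecuting/OnResultExecuting hooks are used, and the [OutputCache] attributes are dropped because OutputCache only affects action methods, not filter methods; the redirect is set in OnAuthentication so that a failed check never lets the action run, which is the same outcome the question's filter intends but computed from the current request rather than from whichever request happened to construct the attribute.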