Application_AuthenticateRequest 触发到很晚
Application_AuthenticateRequest fires to late
当我创建 formsauthenticationticket 时,Application_AuthenticateRequest(在 global.asax 中)不会立即被触发。当我检查 user.isrole 时,它是空的。但稍后当我尝试另一个操作时,Application_AuthenticateRequest 被触发,并且用户的角色被设置。
登录函数:
if (loggedIn)
{
ViewBag.loginFailed = 1;
string roles = "Administrator";
CreateTicket(pharmacist.ID.ToString(), roles);
LoginRedirect();
}
方法:
[Authorize(Roles = "Administrator, User")]
private void CreateTicket(string id, string role)
{
var ticket = new FormsAuthenticationTicket(
version: 1,
name: id,
issueDate: DateTime.Now,
expiration: DateTime.Now.AddHours(1),
isPersistent: false,
userData: role);
var encryptedTicket = FormsAuthentication.Encrypt(ticket);
var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
HttpContext.Response.Cookies.Add(cookie);
}
[Authorize(Roles = "Administrator, User")]
private ActionResult LoginRedirect() {
if (User.IsInRole("Administrator"))
{
return RedirectToAction("Index", "Pharmacist");
}
else if (User.IsInRole("User"))
{
return RedirectToAction("Index", "Patient");
}
else {
return RedirectToAction("Logout", "Authentication");
}
}
Application_AuthenticateRequest
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
if (HttpContext.Current.User != null)
{
if (HttpContext.Current.User.Identity.IsAuthenticated)
{
if (HttpContext.Current.User.Identity is FormsIdentity)
{
FormsIdentity id =
(FormsIdentity)HttpContext.Current.User.Identity;
FormsAuthenticationTicket ticket = id.Ticket;
// Get the stored user-data, in this case, our roles
string userData = ticket.UserData;
string[] roles = userData.Split(',');
HttpContext.Current.User = new GenericPrincipal(id, roles);
}
}
}
}
Application_AuthenticateRequest 仅在您请求新资源时调用。
在您的情况下,您仍在创建 FormsAuthenticationTicket 的请求中。结果,Principal 对象 尚未分配给当前线程。
如果要从当前线程中获取 IPrincipal,则需要显式分配它。
var encryptedTicket = FormsAuthentication.Encrypt(ticket);
var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
// You need this two lines.
HttpContext.Current.User = new GenericPrincipal(id, roles);
Thread.CurrentPrincipal = HttpContext.Current.User;
....
还要确保在 Application_AuthenticateRequest.
中包含这两行
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
...
HttpContext.Current.User = new GenericPrincipal(id, roles);
Thread.CurrentPrincipal = HttpContext.Current.User; <-- Do not forget this.
...
}
仅供参考:私有方法不需要AuthorizeAttribute。您只需要在 Controller 或 Action Methods 上使用它。
[Authorize(Roles = "Administrator, User")] <-- This is not needed.
private void CreateTicket(string id, string role)
{
...
}
当我创建 formsauthenticationticket 时,Application_AuthenticateRequest(在 global.asax 中)不会立即被触发。当我检查 user.isrole 时,它是空的。但稍后当我尝试另一个操作时,Application_AuthenticateRequest 被触发,并且用户的角色被设置。
登录函数:
if (loggedIn)
{
ViewBag.loginFailed = 1;
string roles = "Administrator";
CreateTicket(pharmacist.ID.ToString(), roles);
LoginRedirect();
}
方法:
[Authorize(Roles = "Administrator, User")]
private void CreateTicket(string id, string role)
{
var ticket = new FormsAuthenticationTicket(
version: 1,
name: id,
issueDate: DateTime.Now,
expiration: DateTime.Now.AddHours(1),
isPersistent: false,
userData: role);
var encryptedTicket = FormsAuthentication.Encrypt(ticket);
var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
HttpContext.Response.Cookies.Add(cookie);
}
[Authorize(Roles = "Administrator, User")]
private ActionResult LoginRedirect() {
if (User.IsInRole("Administrator"))
{
return RedirectToAction("Index", "Pharmacist");
}
else if (User.IsInRole("User"))
{
return RedirectToAction("Index", "Patient");
}
else {
return RedirectToAction("Logout", "Authentication");
}
}
Application_AuthenticateRequest
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
if (HttpContext.Current.User != null)
{
if (HttpContext.Current.User.Identity.IsAuthenticated)
{
if (HttpContext.Current.User.Identity is FormsIdentity)
{
FormsIdentity id =
(FormsIdentity)HttpContext.Current.User.Identity;
FormsAuthenticationTicket ticket = id.Ticket;
// Get the stored user-data, in this case, our roles
string userData = ticket.UserData;
string[] roles = userData.Split(',');
HttpContext.Current.User = new GenericPrincipal(id, roles);
}
}
}
}
Application_AuthenticateRequest 仅在您请求新资源时调用。
在您的情况下,您仍在创建 FormsAuthenticationTicket 的请求中。结果,Principal 对象 尚未分配给当前线程。
如果要从当前线程中获取 IPrincipal,则需要显式分配它。
var encryptedTicket = FormsAuthentication.Encrypt(ticket);
var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
// You need this two lines.
HttpContext.Current.User = new GenericPrincipal(id, roles);
Thread.CurrentPrincipal = HttpContext.Current.User;
....
还要确保在 Application_AuthenticateRequest.
中包含这两行protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
...
HttpContext.Current.User = new GenericPrincipal(id, roles);
Thread.CurrentPrincipal = HttpContext.Current.User; <-- Do not forget this.
...
}
仅供参考:私有方法不需要AuthorizeAttribute。您只需要在 Controller 或 Action Methods 上使用它。
[Authorize(Roles = "Administrator, User")] <-- This is not needed.
private void CreateTicket(string id, string role)
{
...
}