這是一篇過時的文章,但http://msdn.microsoft.com/en-us/library/ff650308.aspx#paght000026_step3說明了我想要做的事情。我選擇了Nancy作爲我的網頁框架,因爲它簡單而低禮儀的做法。所以,我需要一種使用Nancy來對Active Directory進行身份驗證的方法。如何在南希對Active Directory進行身份驗證?
在ASP.NET中,它看起來像只能通過web.config文件中的某些設置在基於數據庫的成員資格提供程序和Active Directory之間切換。我並不特別需要這一點,但是在開發和生產之間切換的能力將會很棒。
這怎麼辦?
真的,解決方案比看起來簡單得多。只要將Active Directory視爲您的用戶的存儲庫(就像數據庫一樣)。您只需查詢AD即可驗證輸入的用戶名和密碼是否有效。所以,只需使用Nancy的Forms Validation並在你的IUserMapper實現中處理與AD的連接。以下是我想出了我的用戶映射:
public class ActiveDirectoryUserMapper : IUserMapper, IUserLoginManager
{
static readonly Dictionary<Guid, long> LoggedInUserIds = new Dictionary<Guid, long>();
readonly IAdminUserValidator _adminUserValidator;
readonly IAdminUserFetcher _adminUserFetcher;
readonly ISessionContainer _sessionContainer;
public ActiveDirectoryUserMapper(IAdminUserValidator adminUserValidator, IAdminUserFetcher adminUserFetcher, ISessionContainer sessionContainer)
{
_adminUserValidator = adminUserValidator;
_adminUserFetcher = adminUserFetcher;
_sessionContainer = sessionContainer;
}
public IUserIdentity GetUserFromIdentifier(Guid identifier, NancyContext context)
{
_sessionContainer.OpenSession();
var adminUserId = LoggedInUserIds.First(x => x.Key == identifier).Value;
var adminUser = _adminUserFetcher.GetAdminUser(adminUserId);
return new ApiUserIdentity(adminUser);
}
public Guid Login(string username, string clearTextPassword, string domain)
{
var adminUser = _adminUserValidator.ValidateAndReturnAdminUser(username, clearTextPassword, domain);
var identifier = Guid.NewGuid();
LoggedInUserIds.Add(identifier, adminUser.Id);
return identifier;
}
}
我保持的紀錄在我的數據庫來處理角色,因此此類處理與AD驗證,並從數據庫中獲取的用戶:
public class AdminUserValidator : IAdminUserValidator
{
readonly IActiveDirectoryUserValidator _activeDirectoryUserValidator;
readonly IAdminUserFetcher _adminUserFetcher;
public AdminUserValidator(IAdminUserFetcher adminUserFetcher,
IActiveDirectoryUserValidator activeDirectoryUserValidator)
{
_adminUserFetcher = adminUserFetcher;
_activeDirectoryUserValidator = activeDirectoryUserValidator;
}
#region IAdminUserValidator Members
public AdminUser ValidateAndReturnAdminUser(string username, string clearTextPassword, string domain)
{
_activeDirectoryUserValidator.Validate(username, clearTextPassword, domain);
return _adminUserFetcher.GetAdminUser(1);
}
#endregion
}
而這個類實際上驗證用戶名/密碼組合在Active Directory中:
public class ActiveDirectoryUserValidator : IActiveDirectoryUserValidator
{
public void Validate(string username, string clearTextPassword, string domain)
{
using (var principalContext = new PrincipalContext(ContextType.Domain, domain))
{
// validate the credentials
bool isValid = principalContext.ValidateCredentials(username, clearTextPassword);
if (!isValid)
throw new Exception("Invalid username or password.");
}
}
}
Minor nitpick:而不是LoggedInUserIds.First(x => x.Key ==標識符).Value' ,你不能只是做'LoggedInUserIds [標識符]'? 'Login'方法中還有'LoggedInUserIds [identifier] = adminUser.Id'。 –
這可以作爲一個Nuget Nancy.ActiveDirectoryAuthentication包嗎? – pashute
@pashute [AD討論](https://github.com/NancyFx/Nancy/issues/742)在南希的問題跟蹤器(回覆此答案) – Omni
順便說一句,如果這是現在沒空,我將貢獻它..在任何指導方向會也有幫助。 –
我剛剛向南希回購添加了一個問題:https://github.com/NancyFx/Nancy/issues/742 –