Application_AuthenticateRequest触发到最晚

时间:2016-11-28 23:40:21

标签: asp.net asp.net-mvc-5 forms-authentication

当我创建我的formsauthenticationticket时,不会立即触发Application_AuthenticateRequest(在global.asax中)。当我检查user.isrole时它是空的。但是稍后当我尝试另一个动作时,会触发Application_AuthenticateRequest,并设置用户的角色。

登录功能:

      if (loggedIn)
            {
                ViewBag.loginFailed = 1;
                string roles = "Administrator";
                CreateTicket(pharmacist.ID.ToString(), roles);
                LoginRedirect();
            }

方法:

    [Authorize(Roles = "Administrator, User")]
    private void CreateTicket(string id, string role)
    {

        var ticket = new FormsAuthenticationTicket(
                version: 1,
                name: id,
                issueDate: DateTime.Now,
                expiration: DateTime.Now.AddHours(1),
                isPersistent: false,
                userData: role);

        var encryptedTicket = FormsAuthentication.Encrypt(ticket);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
        HttpContext.Response.Cookies.Add(cookie);
    }

   [Authorize(Roles = "Administrator, User")]
    private ActionResult LoginRedirect() {
        if (User.IsInRole("Administrator"))
        {
            return RedirectToAction("Index", "Pharmacist");
        }
        else if (User.IsInRole("User"))
        {
            return RedirectToAction("Index", "Patient");
        }
        else {
            return RedirectToAction("Logout", "Authentication");
        }
    }

Application_AuthenticateRequest 

  protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        if (HttpContext.Current.User != null)
        {
            if (HttpContext.Current.User.Identity.IsAuthenticated)
            {
                if (HttpContext.Current.User.Identity is FormsIdentity)
                {
                    FormsIdentity id =
                        (FormsIdentity)HttpContext.Current.User.Identity;
                    FormsAuthenticationTicket ticket = id.Ticket;

                    // Get the stored user-data, in this case, our roles
                    string userData = ticket.UserData;
                    string[] roles = userData.Split(',');
                    HttpContext.Current.User = new GenericPrincipal(id, roles);
                }
            }
        }
    }

1 个答案:

答案 0 :(得分:2)

仅在您请求新资源时才会调用

Application_AuthenticateRequest

在您的情况下,您仍然在创建 FormsAuthenticationTicket 的请求中。因此,尚未将 主要对象 分配给当前线程。

如果您想从当前线程中检索IPrincipal,则需要明确指定它。 

var encryptedTicket = FormsAuthentication.Encrypt(ticket);
var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
// You need this two lines.
HttpContext.Current.User = new GenericPrincipal(id, roles); 
Thread.CurrentPrincipal = HttpContext.Current.User;
....

同时确保在 Application_AuthenticateRequest 中包含这两行。

protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
   ...
   HttpContext.Current.User = new GenericPrincipal(id, roles);
   Thread.CurrentPrincipal = HttpContext.Current.User; <-- Do not forget this.
   ...
}

仅供参考 :私有方法不需要 AuthorizeAttribute 。您只需要在Controller或Action Methods上。 

[Authorize(Roles = "Administrator, User")] <-- This is not needed.
private void CreateTicket(string id, string role)
{
   ...
}
相关问题
最新问题