
IIS Virtual Directory/Application & Forms authentication

Developer  https://www.devze.com  2023-01-01 18:42  Source: web

I've setup and deployed a simple forms authentication website with membership using .NET 4.

I've created a virtual directory (now converted to "Application") in IIS7 and setup the web.config file in the virtual directory as follows:

<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <system.webServer>
    <directoryBrowse enabled="true" />
  </system.webServer>
</configuration>

Great! I browse to the virtual directory: ../mydomain/books/

and I'm automatically redirected to the login page specified by web.config in my root directory and the url path is placed as follows:

../Account/Login.aspx?ReturnUrl=%2fbooks

At this point, I login successfully, but I am not redirected anywhere, and when I manually return to the directory, ../books, I'm sent back to the login page, where I'm already logged in?

So I'm confused about what my problem is! I should be successfully authenticated, and then redirected back to the directory, or at the very least be able to view it manually after I log in, right?


Since I had to solve this myself, I thought I may as well post it for others in case their search brings them here.

This is everything you'll need to use Forms Authentication, allow your formatting to be exposed to anonymous users, pass credentials between an existing .Net (.aspx) web site and an MVC web application and redirect to a given url after login.

Use whatever pieces you are looking for.

Make sure your Virtual Directory/Virtual Application path for your .Net web application (.aspx) is outside of the Views directory. Also make sure you set up your Virtual Directory/Application in IIS.

I used Entity Framework and Identity with a SQLServer database to validate my users.

Your Virtual Application/Directory .Net (.aspx) web.config file needs to contain this:

<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">

    <!-- other stuff -->

    <system.web>
        <authentication mode="Forms">
            <forms 
                loginUrl="login.aspx" 
                name=".AUTHCOOKIE" 
                protection="All" 
                path="/" 
                domain="your_domain.com" 
                enableCrossAppRedirects="true" 
                timeout="60">
            </forms>
        </authentication>

        <authorization>
            <deny users="?" />
            <allow users="*" />
        </authorization>

        <!-- The two applications share one ".AUTHCOOKIE" ticket, so both must use
             identical validationKey / decryptionKey values (and the same validation
             and decryption algorithms) or neither can verify the other's cookie. -->
        <machineKey
            validationKey="your validation key"
            decryptionKey="your decryption key"
            validation="SHA1"
            decryption="AES"
        />

        <!-- other stuff -->

    </system.web>

    <location path="/path/to/your/site.css">
        <system.web>
            <authorization>
                <allow users="?"></allow>
            </authorization>
        </system.web>
    </location>

    <!-- other stuff -->

</configuration>

Then, in the code-behind of your login.aspx page you'll need something like this:

protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
{
    string username = Login1.UserName;
    string pwd = Login1.Password;

    /* do your authentication here
        connect to user store
        get user identity
        validate your user
        etc
    */
    // 'user' is whatever your user store returned (null when validation failed)
    if (user != null)
    {
        FormsAuthentication.SetAuthCookie(username, Login1.RememberMeSet);
        // Issue the ticket for the user who just logged in. User.Identity.Name is
        // still empty on this request because the auth cookie has not been sent
        // back by the browser yet, so the name must come from the login form.
        System.Web.HttpCookie MyCookie = System.Web.Security.FormsAuthentication.GetAuthCookie(username, false);
        MyCookie.Domain = "your_domain.com";
        Response.AppendCookie(MyCookie);
        Response.Redirect("~/path/to/your/index.aspx");
    }
    else
    {
        StatusText.Text = "Invalid username or password.";
        LoginStatus.Visible = true;
    }
}

Now, in your MVC application's web.config file add this:

<configuration>

    <!-- other stuff -->

    <system.web>
        <authentication mode="Forms">
            <forms 
                loginUrl="Account/Login" 
                name=".AUTHCOOKIE" 
                protection="All" 
                path="/" 
                domain="your_domain.com"
                enableCrossAppRedirects="true" 
                timeout="30"/>
        </authentication>

        <authorization>
            <deny users="?"/>
            <allow users="*"/>
        </authorization>

        <machineKey 
            validationKey="your validation key" 
            decryptionKey="your decryption key" 
            validation="SHA1" 
            decryption="AES"
        />

        <!-- other stuff -->

    </system.web>

    <location path="/path/to/your/site.css"> 
        <system.web> 
            <authorization> 
                <allow users="?"></allow> 
            </authorization> 
        </system.web>
    </location>

    <!-- other stuff -->

    <system.webServer>
        <modules runAllManagedModulesForAllRequests="true">
            <remove name="FormsAuthenticationModule"/>
            <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule"/>
            <remove name="UrlAuthorization"/>
            <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule"/>
        </modules>
    </system.webServer>

    <!-- other stuff -->

</configuration>

Your MVC AccountController Login method should look something like this:

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
{
    if (ModelState.IsValid)
    {
        /* do your authentication here
        connect to user store
        get user identity
        validate your user
            etc
        */
        // 'user' is whatever your user store returned (null when validation failed)
        if (user != null)
        {
            await SignInAsync(user, model.RememberMe);
            FormsAuthentication.SetAuthCookie(model.Email, model.RememberMe);
            // Build the shared-domain cookie for the user who just signed in;
            // User.Identity.Name is not populated until the next request.
            System.Web.HttpCookie MyCookie = System.Web.Security.FormsAuthentication.GetAuthCookie(model.Email, false);
            MyCookie.Domain = "your_domain.com";
            Response.AppendCookie(MyCookie);

            if (Url.IsLocalUrl(returnUrl))
            {
                return Redirect(returnUrl);
            }
            else
            {
                return RedirectToAction("Index", "Home");
            }
        }
        else
        {
           ModelState.AddModelError("", "Invalid username or password.");
        }
    }

    // If we got this far, something failed, redisplay form
    return View(model);
}

Finally, your MVC AccountController log off method is this:

[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult LogOff()
{
    AuthenticationManager.SignOut();
    FormsAuthentication.SignOut();
    return RedirectToAction("Login", "Account");
}


You need to add code to redirect to the "ReturnUrl" URL noted in the query string from within your Login page after you login.

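The following is an added example, not code from either answer. It is a Web Forms login code-behind that does what the first answer's Login1_Authenticate handler and the second answer's ReturnUrl advice describe together: validate the user with the configured Membership provider, issue the shared forms cookie, then send the user back to the ReturnUrl the virtual directory added (?ReturnUrl=%2fbooks). It assumes a login.aspx with hypothetical control IDs UserNameBox, PasswordBox, RememberMeBox and StatusText, and the <forms> and <machineKey> settings shown in the first answer. Because that configuration sets enableCrossAppRedirects="true", FormsAuthentication's own RedirectFromLoginPage would follow an absolute ReturnUrl to another host, so the example checks that the target is a path on this site first, the same rule the MVC answer applies with Url.IsLocalUrl.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Added example (not from the original answers). Control IDs below are assumed.
public partial class Login : Page
{
    // Accept a ReturnUrl only if it is a path on this site. Rejects
    // "http://other.example", protocol-relative "//other.example" and the
    // browser-tolerated "/\other.example" form, plus header-injection characters.
    internal static bool IsLocalReturnUrl(string returnUrl)
    {
        if (string.IsNullOrWhiteSpace(returnUrl))
            return false;

        if (returnUrl[0] != '/')
            return false;
        if (returnUrl.Length > 1 && (returnUrl[1] == '/' || returnUrl[1] == '\\'))
            return false;
        if (returnUrl.IndexOfAny(new[] { '\r', '\n' }) >= 0)
            return false;

        Uri parsed;
        return Uri.TryCreate(returnUrl, UriKind.Relative, out parsed);
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string userName = UserNameBox.Text;
        string password = PasswordBox.Text;

        // Membership.ValidateUser goes through the membership provider
        // configured in web.config (the SQL provider in the question).
        if (!Membership.ValidateUser(userName, password))
        {
            // One message for unknown user and wrong password, so the error
            // text does not reveal which accounts exist.
            StatusText.Text = "Invalid username or password.";
            return;
        }

        // Writes the ticket cookie with the name, domain, path and protection
        // from <forms>; the MVC app that shares that cookie name, domain and
        // machineKey can validate it without any second cookie being appended.
        FormsAuthentication.SetAuthCookie(userName, RememberMeBox.Checked);

        // Honour ?ReturnUrl=%2fbooks when it points into this site, otherwise
        // fall back to the defaultUrl configured for forms authentication.
        string returnUrl = Request.QueryString["ReturnUrl"];
        string target = IsLocalReturnUrl(returnUrl)
            ? returnUrl
            : FormsAuthentication.DefaultUrl;

        // endResponse: false plus CompleteRequest avoids the ThreadAbortException
        // that Response.Redirect(url) raises when it ends the response itself.
        Response.Redirect(target, false);
        Context.ApplicationInstance.CompleteRequest();
    }
}
```

Request.QueryString already URL-decodes the value, so "%2fbooks" arrives as "/books" and passes the check, while a decoded "//other.example" or "http://other.example" falls through to the default page.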
