安全手柄已关闭'使用FederatedAuthentication.SessionAuthenticationM
本文关键字:使用 FederatedAuthentication SessionAuthenticationM 安全 | 更新日期: 2023-09-27 18:05:19
对于基于MVC5的内部网应用程序,我正在尝试在主体的声明感知Windows身份之上使用自定义声明实现基于Windows的身份验证。
一切都很顺利,直到当我尝试从先前存储在会话cookie中的SessionSecurityToken读取身份时,由于某种原因,当我试图在登陆我的Home/index视图后转到任何其他视图时,会给我'安全句柄已关闭'错误。
- 在项目属性- Windows Auth = Enabled, Anonymous Auth = disabled.
- 是。net 4.5上的MVC5项目,该项目默认设计为使用OWIN(是的VS这样做,如果你在项目创建时没有选择Windows身份验证),我觉得OWIN不与Windows Auth结合,所以我一开始就通过在startup.cs 中注释调用"ConfigAuth"来禁用OWIN。
编写了一个类来自定义windows主体身份,并使用FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie将sessionSecurityToken写入cookie
public class CustomClaimsTransformer : ClaimsAuthenticationManager { public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal) { if (!incomingPrincipal.Identity.IsAuthenticated) { return base.Authenticate(resourceName, incomingPrincipal); } ClaimsPrincipal transformedPrincipal = CustomizePrincipal(ClaimsPrincipal.Current.Identities.First(), incomingPrincipal.Identity.Name); CreateSession(transformedPrincipal); return transformedPrincipal; } private void CreateSession(ClaimsPrincipal transformedPrincipal) { SessionSecurityToken sessionSecurityToken = new SessionSecurityToken(transformedPrincipal, TimeSpan.FromHours(12)); FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(sessionSecurityToken); } private ClaimsPrincipal CustomizePrincipal(ClaimsIdentity userClaimsIdentity, String userName) { List<Claim> claims = new List<Claim>(); PrincipalContext princiContxt = null; ; UserPrincipal princi = null; ClaimsIdentity custClaimsIdentity = new ClaimsIdentity(); princiContxt = new PrincipalContext(ContextType.Domain); princi = UserPrincipal.FindByIdentity(princiContxt, userName);//); userClaimsIdentity.AddClaims(new[] { new Claim("CustGroup", "CustTeam"), new Claim(ClaimTypes.Email, princi.EmailAddress), ... ///more claims added here }); return new ClaimsPrincipal(userClaimsIdentity); } }Web。在配置中,我添加了以下内容:
在"configSections":
<section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
<section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
在'system.identityModel'中:
<system.identityModel>
<identityConfiguration>
<claimsAuthenticationManager type="myProject.CustomClaimsTransformer,myProject"/>
</identityConfiguration>
</system.identityModel>
还在system.webserver中添加了以下模块:
<modules>
<add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"></add>
</modules>
接下来,我有一个自定义的授权过滤器属性,使用上面定义的customclaimstrtransformer类来使用自定义声明进行授权:
public class PROJClaimsAuthorizeAttribute : AuthorizeAttribute {
public string ClaimType { get; set; }
public string ClaimValue { get; set; }
//Called when access is denied
protected override void HandleUnauthorizedRequest(System.Web.Mvc.AuthorizationContext filterContext)
{
//User isn't logged in
if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
{
filterContext.Result = new RedirectToRouteResult(
new RouteValueDictionary(new { controller = "Home", action = "Index" })
);
}
//User is logged in but has no access
else
{
filterContext.Result = new RedirectToRouteResult(
new RouteValueDictionary(new { controller = "Error", action = "AccessDenied" })
);
}
}
//Core authentication, called before each action
protected override bool AuthorizeCore(HttpContextBase context)
{
SessionSecurityToken token;
ClaimsIdentity claimsIdentity = null;
ClaimsIdentity userClaimsIdentity = null;
ClaimsPrincipal customClaimsPrinci = null;
ClaimsAuthenticationManager authManager = null;
var isAuthorized = false;
try
{
claimsIdentity = context.User.Identity as ClaimsIdentity; // get current user's ClaimsIdentity (Widnow's identity as ClaimsIdentity)
isAuthorized = base.AuthorizeCore(context);
if (!context.Request.IsAuthenticated || !isAuthorized)
{
return false;
}
///////******* THE Error Causing IF statement *******************************************
//check if the SessionSecurityToken is available in cookie
if (FederatedAuthentication.SessionAuthenticationModule.TryReadSessionTokenFromCookie(out token))
{
//var accessToken = await tokenManager.GetTokenFromStoreAsync(token.ClaimsPrincipal.Identity.Name);
claimsIdentity = token.ClaimsPrincipal.Identity as ClaimsIdentity;
}
else
{
//else get the principal with Custom claims identity using CustomClaimsTransformer, which also sets it in cookie
ClaimsPrincipal currentPrincipal = ClaimsPrincipal.Current;
CustomClaimsTransformer customClaimsTransformer = new CustomClaimsTransformer();
ClaimsPrincipal tranformedClaimsPrincipal = customClaimsTransformer.Authenticate(string.Empty, currentPrincipal);
Thread.CurrentPrincipal = tranformedClaimsPrincipal;
HttpContext.Current.User = tranformedClaimsPrincipal;
}
isAuthorized = checkClaimValidity(claimsIdentity, ClaimType, ClaimValue);
}
catch (Exception e)
{
// Error handling code
var exptnMsg = "error setting AuthorizeCore" + e.Message;
return false;
}
return isAuthorized;
} // </ protected override bool AuthorizeCore >
//checks Claim type/value in the given Claims Identity
private Boolean checkClaimValidity(ClaimsIdentity pClaimsIdentity, string pClaimType, string pClaimValue)
{
Boolean blnClaimsValiditiy = false;
//now check the passed in Claimtype has the passed in Claimvalue
if (pClaimType != null && pClaimValue != null)
{
if ((pClaimsIdentity.HasClaim(x => x.Type.ToLower() == pClaimType.ToLower() && x.Value.ToLower() == pClaimValue.ToLower())))
{
blnClaimsValiditiy = true;
}
}
return blnClaimsValiditiy;
}
}
在此之后,我可以用我的自定义授权属性'PROJClaimsAuthorizeAttribute'装饰我的控制器类,如下所示:
[PROJClaimsAuthorizeAttribute(ClaimType = "CustGroup", ClaimValue = "CustTeam")]
public class HomeController : Controller
{
public ActionResult Index()
{
return View();
}
}
一切正常。问题是-当从索引视图,如果我试图导航到其他视图-我得到'安全句柄已关闭'错误。(当我删除标有'上面的错误导致if语句****** '的if语句的'if'部分,只是保留任何在其他部分,然后它工作良好,但然后我没有使用sessionSecurityToken cookie)。
在过去的几天里,我一直在挠头想弄清楚这个错误,搜索了谷歌/SO等,但到目前为止还没有运气。所以最后想到把这个问题扔给这里的专家社区,如果有人能告诉我问题可能在哪里,我将非常感激。衷心感谢您的帮助。
我得到了它的修复-这篇文章给了一个线索。而不是自定义现有的Windows主体claimsIdentity,创建一个新的身份并添加自定义声明到这个身份有助于摆脱"安全句柄已关闭"错误。
在customclaimstrtransformer类中- customclaimstrtransformer。CustomizePrincipal
/* commented this earlier code of adding claims to userClaimsIdentity
userClaimsIdentity.AddClaims(new[] {
new Claim("CustGroup", "CustTeam"),
new Claim(ClaimTypes.Email, princi.EmailAddress),
... ///more claims added here
});
return new ClaimsPrincipal(userClaimsIdentity);
*/
并替换为创建新的ClaimsIdentity的代码,如下所示
List<Claim> newClaims = new List<Claim>();
newClaims.Add(new Claim("CustGroup ", "CustTeam"));
newClaims.Add(new Claim(ClaimTypes.Email, princi.EmailAddress));
... ///more claims added here
ClaimsIdentity ci = new ClaimsIdentity(newClaims, "CustomClaims");
return new ClaimsPrincipal(ci); //userClaimsIdentity);
现在运行良好,用户认证/身份/声明被保存在SessionTokenCookie