I've been using a custom membership provider for authentication in all my web form applications till now. I'm about to start developing my first website using MVC. I'm wondering if I should I use the built-in membership provider that ships with ASP .NET MVC, or if I should create my own. My site needs to integrate with openid, facebook, google etc for authentication and openauth for api access. I'm wondering how easy it would be to use the built-in one for my needs.
到目前为止,我一直在我的所有web表单应用程序中使用自定义成员资格提供程序进行身份验证。我即将开始使用MVC开发我的第一个网站。我想知道我是应该使用内置的成员提供程序来提供ASP。net MVC,还是应该创建我自己的。我的站点需要集成openid、facebook、谷歌等进行认证,openauth进行api访问。我想知道用内置的系统来满足我的需要有多简单。
5 个解决方案
#1
25
Personally, I hate using the ASP.NET Membership provider that's available in the core framework ... when it persists to a SQL SERVER database. All the tables and views are such an overkill for a single website. For a hosting company? .. maybe ... but for all the enterprise sites I've done .. it's been such a fraking overkill and hassle. As to the actual provider interface, etc ... it's very good .. but still very hardcore, etc. An overkill for simple-medium sites, IMO.
就我个人而言,我讨厌使用ASP。在核心框架中可用的净会员提供者……当它持续到一个SQL SERVER数据库时。对于一个网站来说,所有的表格和视图都是多余的。托管公司吗?. .也许……但是对于我所做的所有企业网站…这是如此的疯狂和麻烦。至于实际的提供者接口,等等……很好. .但仍然是非常硬的核心,等等。在我看来,这是一个过于简单的中型网站。
So personally, I would use some simple custom code to handle membership persistence for most basic-medium websites.
因此,就我个人而言,我将使用一些简单的自定义代码来处理大多数基础媒体网站的会员持久性。
This then segues to your second question: OpenId. Use Andrew Arnott's DotNetOpenAuth .NET framework -> it litterally Kicks Serious Ass (tm). Using this is independent of HOW you save the user membership data to a repository. Ie. if you go ahead and use the Sql Server + ASP.NET Membership provider, you can still (and should) use DotNetOpenAuth. If you have a simple, custom way to save user details to a database (which is what I do), you can also still use DotNetOpenAuth -- the two are independent of each other.
这就引出了第二个问题:OpenId。使用Andrew Arnott的DotNetOpenAuth . net框架->,它可以很好地踢你的屁股(tm)。使用它与如何将用户成员关系数据保存到存储库无关。Ie。如果您继续使用Sql Server + ASP。NET会员提供者,您仍然(并且应该)使用DotNetOpenAuth。如果您有一种简单的自定义方法将用户详细信息保存到数据库中(我就是这么做的),那么您还可以使用DotNetOpenAuth——这两者是相互独立的。
So, IMO, don't use the overcomplicated ASP.NET Membership + Sql Server stuff but a simple table or two to save your own user details. Next, you MUST use DotNetOpenAuth for any OpenId stuff (* uses DotNetOpenAuth to handle their OpenId login).
所以,在我看来,不要用太复杂的ASP。NET Membership + Sql Server之类的东西,不过是一个或两个简单的表来保存您自己的用户详细信息。接下来,您必须对任何OpenId内容使用DotNetOpenAuth (*使用DotNetOpenAuth处理它们的OpenId登录)。
Good Luck :)
祝你好运:)
(I'm sure my opnions of the ASP.NET Membership provider + Sql Server to persist that info will cause a few people to nerd-rage, here).
我敢肯定我对ASP的看法。NET Membership provider + Sql Server保存该信息会导致一些人在这里感到厌烦)。
#2
13
If you have to ask, you shouldn't be writing your own provider. Doing security well is really hard. Doing it wrong is incredibly easy.
如果你要问,你不应该写你自己的供应商。做好保安工作真的很难。做错是非常容易的。
But the good news is that what you want is incredibly common, and there are tested, off-the-shelf tools which already do it. An example is Janrain. There are others, too. Use an existing, proven tool whenever possible.
但好消息是,你想要的东西是非常普遍的,而且已经有经过测试的现成工具可以做到这一点。一个例子就是名为Janrain。也有其他人。尽可能使用现有的、经过验证的工具。
#3
8
Take a look at what's happening with NerdDinner. They've recently (6 months ago) integrated with OpenID, with Google, Yahoo as featured providers. They're still allowing all their 'native' logins as well. Here's an example of a site allowing the user to authenticate in different ways.
看看NerdDinner发生了什么。他们最近(6个月前)与OpenID集成,以谷歌作为特色提供商。他们仍然允许所有的“本地”登录。这里有一个站点示例,允许用户以不同的方式进行身份验证。
If you can mirror some of their functionality, you'd be able to roll in Facebook, OpenAuth, etc. The big benefit is that it's already been implemented in ASP.NET MVC, and you'd just have to borrow some of that implementation.
如果你能镜像他们的一些功能,你就能在Facebook, OpenAuth等上滚动。最大的好处是它已经在ASP中实现了。NET MVC,你只需要借用其中的一些实现。
#4
4
Here is an option and one that I use successfully.
这是我成功使用的一个选项。
You essentially have a single user which can be authenticated multiple ways.
实际上,您只有一个用户,可以通过多种方式进行身份验证。
Using the built in provider, which you could of course switch out at any time, does not preclude you from authenticating that user multiple ways.
使用内置的提供程序(当然您可以随时退出)并不妨碍您以多种方式对该用户进行身份验证。
When a user authenticates with OpenID, Facebook, etc. match that login against a table that matches the specific login method and identity to the Forms identity and just set the set the user as logged in with their canonical Membership user name.
当用户使用OpenID、Facebook等进行身份验证时,将该登录与与与特定登录方法和标识匹配的表匹配,并将用户登录的设置设置为用户的规范成员用户名。
If a new user authenticates to your site and doesn't have an account just create one in the membership provider automatically. Set the password to some random garbage because they'll never use it. Let them continue to associate multiple login types with it as well.
如果一个新用户对您的站点进行身份验证,并且没有帐户,那么就自动在成员提供程序中创建一个帐户。将密码设置为随机垃圾,因为它们永远不会使用它。让他们继续将多个登录类型与它关联起来。
If a user wants to then also have a direct login just use the standard Membership provider password reset mechanisms and provide them with one.
如果用户想要直接登录,只需使用标准的会员提供程序密码重置机制,并为他们提供一个。
Long story short: use the built in mechanism for now. It doesn't stop you from doing what you want to do.
长话短说:现在使用内置机制。它不会阻止你做你想做的事。
#5
1
The recently introduced SimpleMembershipProvider addresses many issues with the old asp.net membership. Namely ease of use and control over User table schema. This should be the starting point for any new apps (as of 11/2012).
最近引入的SimpleMembershipProvider可以解决asp.net旧成员关系的许多问题。即易于使用和控制用户表模式。这应该是任何新应用的起点(截至2012年11月)。
See the below link for a primer on SimpleMembershipProvider along with a decent history on asp.net membership.
查看下面的链接,了解关于simplembershipprovider的入门知识,以及asp.net成员资格的良好历史。
http://weblogs.asp.net/jgalloway/archive/2012/08/29/simplemembership-membership-providers-universal-providers-and-the-new-asp-net-4-5-web-forms-and-asp-net-mvc-4-templates.aspx
#1
25
Personally, I hate using the ASP.NET Membership provider that's available in the core framework ... when it persists to a SQL SERVER database. All the tables and views are such an overkill for a single website. For a hosting company? .. maybe ... but for all the enterprise sites I've done .. it's been such a fraking overkill and hassle. As to the actual provider interface, etc ... it's very good .. but still very hardcore, etc. An overkill for simple-medium sites, IMO.
就我个人而言,我讨厌使用ASP。在核心框架中可用的净会员提供者……当它持续到一个SQL SERVER数据库时。对于一个网站来说,所有的表格和视图都是多余的。托管公司吗?. .也许……但是对于我所做的所有企业网站…这是如此的疯狂和麻烦。至于实际的提供者接口,等等……很好. .但仍然是非常硬的核心,等等。在我看来,这是一个过于简单的中型网站。
So personally, I would use some simple custom code to handle membership persistence for most basic-medium websites.
因此,就我个人而言,我将使用一些简单的自定义代码来处理大多数基础媒体网站的会员持久性。
This then segues to your second question: OpenId. Use Andrew Arnott's DotNetOpenAuth .NET framework -> it litterally Kicks Serious Ass (tm). Using this is independent of HOW you save the user membership data to a repository. Ie. if you go ahead and use the Sql Server + ASP.NET Membership provider, you can still (and should) use DotNetOpenAuth. If you have a simple, custom way to save user details to a database (which is what I do), you can also still use DotNetOpenAuth -- the two are independent of each other.
这就引出了第二个问题:OpenId。使用Andrew Arnott的DotNetOpenAuth . net框架->,它可以很好地踢你的屁股(tm)。使用它与如何将用户成员关系数据保存到存储库无关。Ie。如果您继续使用Sql Server + ASP。NET会员提供者,您仍然(并且应该)使用DotNetOpenAuth。如果您有一种简单的自定义方法将用户详细信息保存到数据库中(我就是这么做的),那么您还可以使用DotNetOpenAuth——这两者是相互独立的。
So, IMO, don't use the overcomplicated ASP.NET Membership + Sql Server stuff but a simple table or two to save your own user details. Next, you MUST use DotNetOpenAuth for any OpenId stuff (* uses DotNetOpenAuth to handle their OpenId login).
所以,在我看来,不要用太复杂的ASP。NET Membership + Sql Server之类的东西,不过是一个或两个简单的表来保存您自己的用户详细信息。接下来,您必须对任何OpenId内容使用DotNetOpenAuth (*使用DotNetOpenAuth处理它们的OpenId登录)。
Good Luck :)
祝你好运:)
(I'm sure my opnions of the ASP.NET Membership provider + Sql Server to persist that info will cause a few people to nerd-rage, here).
我敢肯定我对ASP的看法。NET Membership provider + Sql Server保存该信息会导致一些人在这里感到厌烦)。
#2
13
If you have to ask, you shouldn't be writing your own provider. Doing security well is really hard. Doing it wrong is incredibly easy.
如果你要问,你不应该写你自己的供应商。做好保安工作真的很难。做错是非常容易的。
But the good news is that what you want is incredibly common, and there are tested, off-the-shelf tools which already do it. An example is Janrain. There are others, too. Use an existing, proven tool whenever possible.
但好消息是,你想要的东西是非常普遍的,而且已经有经过测试的现成工具可以做到这一点。一个例子就是名为Janrain。也有其他人。尽可能使用现有的、经过验证的工具。
#3
8
Take a look at what's happening with NerdDinner. They've recently (6 months ago) integrated with OpenID, with Google, Yahoo as featured providers. They're still allowing all their 'native' logins as well. Here's an example of a site allowing the user to authenticate in different ways.
看看NerdDinner发生了什么。他们最近(6个月前)与OpenID集成,以谷歌作为特色提供商。他们仍然允许所有的“本地”登录。这里有一个站点示例,允许用户以不同的方式进行身份验证。
If you can mirror some of their functionality, you'd be able to roll in Facebook, OpenAuth, etc. The big benefit is that it's already been implemented in ASP.NET MVC, and you'd just have to borrow some of that implementation.
如果你能镜像他们的一些功能,你就能在Facebook, OpenAuth等上滚动。最大的好处是它已经在ASP中实现了。NET MVC,你只需要借用其中的一些实现。
#4
4
Here is an option and one that I use successfully.
这是我成功使用的一个选项。
You essentially have a single user which can be authenticated multiple ways.
实际上,您只有一个用户,可以通过多种方式进行身份验证。
Using the built in provider, which you could of course switch out at any time, does not preclude you from authenticating that user multiple ways.
使用内置的提供程序(当然您可以随时退出)并不妨碍您以多种方式对该用户进行身份验证。
When a user authenticates with OpenID, Facebook, etc. match that login against a table that matches the specific login method and identity to the Forms identity and just set the set the user as logged in with their canonical Membership user name.
当用户使用OpenID、Facebook等进行身份验证时,将该登录与与与特定登录方法和标识匹配的表匹配,并将用户登录的设置设置为用户的规范成员用户名。
If a new user authenticates to your site and doesn't have an account just create one in the membership provider automatically. Set the password to some random garbage because they'll never use it. Let them continue to associate multiple login types with it as well.
如果一个新用户对您的站点进行身份验证,并且没有帐户,那么就自动在成员提供程序中创建一个帐户。将密码设置为随机垃圾,因为它们永远不会使用它。让他们继续将多个登录类型与它关联起来。
If a user wants to then also have a direct login just use the standard Membership provider password reset mechanisms and provide them with one.
如果用户想要直接登录,只需使用标准的会员提供程序密码重置机制,并为他们提供一个。
Long story short: use the built in mechanism for now. It doesn't stop you from doing what you want to do.
长话短说:现在使用内置机制。它不会阻止你做你想做的事。
#5
1
The recently introduced SimpleMembershipProvider addresses many issues with the old asp.net membership. Namely ease of use and control over User table schema. This should be the starting point for any new apps (as of 11/2012).
最近引入的SimpleMembershipProvider可以解决asp.net旧成员关系的许多问题。即易于使用和控制用户表模式。这应该是任何新应用的起点(截至2012年11月)。
See the below link for a primer on SimpleMembershipProvider along with a decent history on asp.net membership.
查看下面的链接,了解关于simplembershipprovider的入门知识,以及asp.net成员资格的良好历史。
http://weblogs.asp.net/jgalloway/archive/2012/08/29/simplemembership-membership-providers-universal-providers-and-the-new-asp-net-4-5-web-forms-and-asp-net-mvc-4-templates.aspx