Currently, we have many web applications (external & internal) developed using Classic ASP through .NET 2.0 technologies. Each of those web applications have their own login screen authenticating against their own custom database or using Windows authentication. Users have access to one or more of these applications, meaning they have to log out and log back into applications that they would like to access. All applications share some part of the back-end data sources. Also, the business logic is embedded in the UI in addition to being duplicated across applications because there is no code/business logic sharing. Screenshot #1 gives a brief idea of the existing architecture.
目前,我们有许多web应用程序(外部和内部)通过。net 2.0技术使用经典的ASP开发。每一个web应用程序都有自己的登录屏幕,对自己的自定义数据库进行身份验证,或者使用Windows身份验证。用户可以访问其中的一个或多个应用程序,这意味着他们必须退出并登录到他们想要访问的应用程序中。所有应用程序都共享后端数据源的一部分。此外,由于没有代码/业务逻辑共享,业务逻辑被嵌入到UI中,并且跨应用程序被复制。屏幕截图#1简要介绍了现有的体系结构。
Screenshot #2 shows the suggested architecture, which I hope will help in faster development, code/business re-usability and may be simpler maintenance. Users will access either external or internal url. In external, users will provide credentials and will be authenticated against custom database. In internal site, users will be automatically logged in using Windows authentication. After creating some samples, I have begun to like ASP.NET MVC 3. It keeps business logic separate from UI and I also like the unit testing capabilities.
屏幕截图#2显示了建议的架构,我希望这将有助于更快的开发、代码/业务重用性,并且可能更简单的维护。用户将访问外部或内部url。在外部,用户将提供凭据并根据自定义数据库进行身份验证。在内部站点,用户将自动登录使用Windows身份验证。在创建了一些示例之后,我开始喜欢ASP。净MVC 3。它使业务逻辑与UI分离,我也喜欢单元测试功能。
Here are my questions:
这里是我的问题:
-
Based on what I have found on the web so far, multiple authentications are not feasible within a single website. My understanding is that I have to host one website for each type of authentication (Forms and Windows). How do I redirect users to common landing page after they are authenticated so they can see the modules (links/menus) that they are authorized to access? Should I have to publish the same code set (dlls and content) to both the websites?
根据我到目前为止在web上发现的情况,在一个网站中多个身份验证是不可行的。我的理解是,我必须为每种类型的身份验证(表单和窗口)托管一个网站。如何在用户通过身份验证后将其重定向到公共着陆页面,以便他们能够看到授权访问的模块(链接/菜单)?我是否应该向两个网站发布相同的代码集(dll和内容)?
-
Has anyone faced a similar architecture problem? If yes, could you please share the challenges that you faced and how you tackled them? What are the industry standards in designing applications of this sort?
有人遇到过类似的架构问题吗?如果可以,你能分享一下你所面临的挑战以及你是如何应对的吗?设计这类应用程序的行业标准是什么?
-
Does the suggested architecture make any sense or is it a really bad design? Are there any drawbacks in doing this in ASP.NET MVC 3?
建议的架构有意义吗?或者它是一个非常糟糕的设计?在ASP中这样做有什么缺点吗?净MVC 3 ?
I would really appreciate your inputs.
非常感谢您的意见。
Thanks in advance.
提前谢谢。
3 个解决方案
#1
3
I would set up a seperate web site which only handles the windows authentication. I would then rely on something like OpenID and/or OAuth to ask for credentials/token to make sure to user has proper access.
我将设置一个独立的web站点,它只处理windows身份验证。然后,我将依赖诸如OpenID和/或OAuth之类的东西来请求凭证/令牌,以确保用户具有适当的访问权限。
The user that want to sign in using windows credentials go through that process because you are right in that a IIS server running windows authentication is hard to mix with other stuff.
想要使用windows凭据登录的用户要经过这个过程,因为您认为运行windows身份验证的IIS服务器很难与其他东西混合使用。
You can set up some kind of claim based network of thrust in which you applications get thier credentials from trusted sources and through that process you can negotiate and control access privileges cross many web sites. As long as your not doing custom hosting or white label branding you can have everything in one place (or even if you did you could design it so that you have a central solution of handing out authentication tokens).
您可以建立某种基于声明的推力网络,在这个网络中,您的应用程序可以从受信任的源获取凭证,通过这个过程,您可以跨许多web站点协商和控制访问特权。只要您不做自定义托管或白色标签标识,您就可以将所有内容放在一个地方(或者即使您这样做了,您也可以设计它,以便您有分发身份验证令牌的中心解决方案)。
#2
2
Keep in mind the difference between Authentication and Authorization. You presumably want a single authentication mechanism (or maybe two, one for internal and one for external users). There is a similar post here that lays out some pretty good guidelines: How to allow multiple authentication methods in ASP.NET?
请记住身份验证和授权之间的区别。您可能想要一个单一的身份验证机制(或者两个,一个用于内部用户,一个用于外部用户)。这里有一个类似的文章,列出了一些非常好的指导方针:如何在ASP.NET中允许多个身份验证方法?
#3
0
On one project we built a common controller class used in every page of the site. It handled authentication and access control. When a user tried to access any page it checked to see if they had a session identification cookie. If they did not they were required to authenticate(login). A challenge was doing a good implementation of the security. Current browsers have many flaws that make this difficult.
在一个项目中,我们在网站的每一页都建立了一个通用的控制器类。它处理身份验证和访问控制。当用户试图访问任何页面时,它会检查是否有会话识别cookie。如果没有,则要求他们进行身份验证(登录)。一项挑战是如何很好地实施安全措施。目前的浏览器有很多缺陷,这使得这一问题变得困难。
#1
3
I would set up a seperate web site which only handles the windows authentication. I would then rely on something like OpenID and/or OAuth to ask for credentials/token to make sure to user has proper access.
我将设置一个独立的web站点,它只处理windows身份验证。然后,我将依赖诸如OpenID和/或OAuth之类的东西来请求凭证/令牌,以确保用户具有适当的访问权限。
The user that want to sign in using windows credentials go through that process because you are right in that a IIS server running windows authentication is hard to mix with other stuff.
想要使用windows凭据登录的用户要经过这个过程,因为您认为运行windows身份验证的IIS服务器很难与其他东西混合使用。
You can set up some kind of claim based network of thrust in which you applications get thier credentials from trusted sources and through that process you can negotiate and control access privileges cross many web sites. As long as your not doing custom hosting or white label branding you can have everything in one place (or even if you did you could design it so that you have a central solution of handing out authentication tokens).
您可以建立某种基于声明的推力网络,在这个网络中,您的应用程序可以从受信任的源获取凭证,通过这个过程,您可以跨许多web站点协商和控制访问特权。只要您不做自定义托管或白色标签标识,您就可以将所有内容放在一个地方(或者即使您这样做了,您也可以设计它,以便您有分发身份验证令牌的中心解决方案)。
#2
2
Keep in mind the difference between Authentication and Authorization. You presumably want a single authentication mechanism (or maybe two, one for internal and one for external users). There is a similar post here that lays out some pretty good guidelines: How to allow multiple authentication methods in ASP.NET?
请记住身份验证和授权之间的区别。您可能想要一个单一的身份验证机制(或者两个,一个用于内部用户,一个用于外部用户)。这里有一个类似的文章,列出了一些非常好的指导方针:如何在ASP.NET中允许多个身份验证方法?
#3
0
On one project we built a common controller class used in every page of the site. It handled authentication and access control. When a user tried to access any page it checked to see if they had a session identification cookie. If they did not they were required to authenticate(login). A challenge was doing a good implementation of the security. Current browsers have many flaws that make this difficult.
在一个项目中,我们在网站的每一页都建立了一个通用的控制器类。它处理身份验证和访问控制。当用户试图访问任何页面时,它会检查是否有会话识别cookie。如果没有,则要求他们进行身份验证(登录)。一项挑战是如何很好地实施安全措施。目前的浏览器有很多缺陷,这使得这一问题变得困难。