MVC 5 中具有 ASP.NET 身份的 Autofac 不验证 OWIN 管道中的安全标记
Autofac with ASP.NET Identity in MVC 5 does not validate Security Stamp in OWIN pipeline
我将 AutoFac 设置为使用 MVC 5 中的 ASP.NET Identity。表面上一切似乎都工作正常,即用户可以创建帐户并登录。但后来我发现用户没有登录更改安全标记时输出。在 AspNetUsers table 中通过暴力破解,或者通过用户更改密码并期望在其他浏览器中注销。
这就是我按照 this unofficial article.
设置 AutoFac 的方式
public void Configuration(IAppBuilder app)
{
var builder = new ContainerBuilder();
builder.RegisterType<ApplicationDbContext>().AsSelf().InstancePerRequest();
builder.RegisterType<ApplicationUserStore>().As<IUserStore<ApplicationUser>>().InstancePerRequest();
builder.RegisterType<ApplicationUserManager>().AsSelf().InstancePerRequest();
builder.RegisterType<ApplicationSignInManager>().AsSelf().InstancePerRequest();
builder.Register<IAuthenticationManager>(c => HttpContext.Current.GetOwinContext().Authentication).InstancePerRequest();
builder.Register<IDataProtectionProvider>(c => app.GetDataProtectionProvider()).InstancePerRequest();
builder.RegisterControllers(typeof(MvcApplication).Assembly);
var container = builder.Build();
DependencyResolver.SetResolver(new AutofacDependencyResolver(container));
app.UseAutofacMiddleware(container);
app.UseAutofacMvc();
ConfigureAuth(app);
}
我就是这样设置cookie认证中间件的。这是默认值,除了 验证间隔 更短的时间跨度。
public void ConfigureAuth(IAppBuilder app)
{
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
Provider = new CookieAuthenticationProvider
{
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
validateInterval: TimeSpan.FromSeconds(15),
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
}
});
}
如果我在 GenerateUserIdentityAsync 中设置断点,那么它只会在用户第一次登录时被调用。
安全戳验证程序需要 ApplicationUserManager,它会尝试从 OWIN 上下文中解析实例(因为它不知道更好)。所以你还需要用OWIN注册ApplicationUsreManager:
app.CreatePerOwinContext(() => DependencyResolver.Current.GetService<ApplicationUserManager>());
我将 AutoFac 设置为使用 MVC 5 中的 ASP.NET Identity。表面上一切似乎都工作正常,即用户可以创建帐户并登录。但后来我发现用户没有登录更改安全标记时输出。在 AspNetUsers table 中通过暴力破解,或者通过用户更改密码并期望在其他浏览器中注销。
这就是我按照 this unofficial article.
设置 AutoFac 的方式public void Configuration(IAppBuilder app)
{
var builder = new ContainerBuilder();
builder.RegisterType<ApplicationDbContext>().AsSelf().InstancePerRequest();
builder.RegisterType<ApplicationUserStore>().As<IUserStore<ApplicationUser>>().InstancePerRequest();
builder.RegisterType<ApplicationUserManager>().AsSelf().InstancePerRequest();
builder.RegisterType<ApplicationSignInManager>().AsSelf().InstancePerRequest();
builder.Register<IAuthenticationManager>(c => HttpContext.Current.GetOwinContext().Authentication).InstancePerRequest();
builder.Register<IDataProtectionProvider>(c => app.GetDataProtectionProvider()).InstancePerRequest();
builder.RegisterControllers(typeof(MvcApplication).Assembly);
var container = builder.Build();
DependencyResolver.SetResolver(new AutofacDependencyResolver(container));
app.UseAutofacMiddleware(container);
app.UseAutofacMvc();
ConfigureAuth(app);
}
我就是这样设置cookie认证中间件的。这是默认值,除了 验证间隔 更短的时间跨度。
public void ConfigureAuth(IAppBuilder app)
{
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
Provider = new CookieAuthenticationProvider
{
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
validateInterval: TimeSpan.FromSeconds(15),
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
}
});
}
如果我在 GenerateUserIdentityAsync 中设置断点,那么它只会在用户第一次登录时被调用。
安全戳验证程序需要 ApplicationUserManager,它会尝试从 OWIN 上下文中解析实例(因为它不知道更好)。所以你还需要用OWIN注册ApplicationUsreManager:
app.CreatePerOwinContext(() => DependencyResolver.Current.GetService<ApplicationUserManager>());