Question
I started a new MVC5 project and am implementing forms authentication (which I used to do using custom code to check the user credentials and the FormsAuthentication object to log in and log off).
Now I've read that the identity model has changed, but I saw this line of code in the generated code:

    private IAuthenticationManager AuthenticationManager
    {
        get
        {
            return HttpContext.GetOwinContext().Authentication;
        }
    }

Because later on the login is done on that object (AuthenticationManager.SignIn), I want to make sure I've got the right object.
I've read that OWIN is about decoupling ASP.NET from IIS, so I'm not sure why I need this GetOwinContext, because I am not using OWIN (at least I think)?
Answer 1:
ASP.NET MVC 5 uses the regular IIS Integrated Pipeline to operate, which involves a lot of steps such as AuthenticateRequest, PostAuthenticateRequest and so on. FormsAuthenticationModule is responsible for managing the Forms Authentication process, which involves decrypting / extracting user information from the cookie, and it is integrated in several of those steps.
Now, when it comes to the OWIN part, it operates on a completely different approach, which will be the only approach in the near future, so you might consider dropping Forms authentication completely, because at this point there are several better ways to implement your security.
If you go with the IIS Integrated Pipeline and want to skip all the OWIN things (which I strongly recommend against), you might check the classes ClaimsAuthenticationManager, ClaimsAuthorizationManager and SessionAuthenticationModule. These effectively replace RoleManagerModule and FormsAuthenticationModule in order to allow Claims-Based Access Control, which is based on the concept of Claims, which in turn are used by all modern authentication protocols such as WS-Federation, OAuth2, etc.
Back to the OWIN part: OWIN has its own pipeline, which, with the use of some "bridge" assemblies, can hook into IIS events as well, meaning that you have an OWIN web server running in the background (Microsoft.Owin.SystemWeb) and also System.Web, which is leveraging IIS for MVC purposes.
So when you use OWIN authentication in MVC 5, you're basically still using the IIS Integrated Pipeline for MVC, but you're using OWIN middleware for security, which is part of the OWIN pipeline.
Now, in order to access that OWIN pipeline, you need to call GetOwinContext. OwinContext is the OWIN version of the previously used HttpContext, except that on the base level it is quite different. OWIN middleware operates exclusively on OwinContext (IOwinContext), so to use the middleware you need to access the context, since the context has the information that is required by the middleware.
This is unfortunately quite complex, but I would strongly suggest that you start reading about OWIN and Katana, and pay attention to vNext as well, as Forms Authentication is right now pretty much obsolete and will definitely stop being supported with vNext, so you might start building an application now that will require a lot of refactoring later.
Source: https://stackoverflow.com/questions/23823505/asp-net-mvc5-forms-authentication-how-does-owin-come-in-to-place
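
An added example (not part of the original question or answer, and not the template's generated code) showing how the `GetOwinContext().Authentication` object from the question connects to the OWIN cookie middleware the answer describes, while keeping a custom credential check. It assumes the NuGet packages Microsoft.Owin.Host.SystemWeb and Microsoft.Owin.Security.Cookies; `ExampleApp` and the `CheckCredentials` hook are hypothetical names.

```csharp
using System;
using System.Security.Claims;
using System.Web;            // GetOwinContext() extension (Microsoft.Owin.Host.SystemWeb)
using System.Web.Helpers;    // AntiForgeryConfig
using System.Web.Mvc;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

[assembly: OwinStartup(typeof(ExampleApp.Startup))]
namespace ExampleApp {
    public class Startup {
        // Builds the OWIN pipeline once; the SystemWeb host bridges it onto IIS events.
        public void Configuration(IAppBuilder app) {
            // Anti-forgery tokens bind to this claim; without it MVC expects an
            // identityprovider claim and throws on authenticated requests.
            AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier;
            app.UseCookieAuthentication(new CookieAuthenticationOptions {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                LoginPath = new PathString("/Account/Login"), // 401 -> redirect here
                CookieHttpOnly = true,                        // not readable from script
                CookieSecure = CookieSecureOption.Always,     // only sent over HTTPS
                ExpireTimeSpan = TimeSpan.FromMinutes(30),
                SlidingExpiration = true
            });
        }
    }
    public class AccountController : Controller {
        // Hypothetical hook for the application's own credential check; denies by default.
        public static Func<string, string, bool> CheckCredentials = (user, pass) => false;
        private IAuthenticationManager AuthenticationManager {
            get { return HttpContext.GetOwinContext().Authentication; }
        }
        [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
        public ActionResult Login(string userName, string password) {
            if (!CheckCredentials(userName, password)) {
                ModelState.AddModelError("", "Invalid user name or password.");
                return View();
            }
            // AuthenticationType must match the middleware's, or no cookie is issued.
            var identity = new ClaimsIdentity(new[] {
                new Claim(ClaimTypes.NameIdentifier, userName),
                new Claim(ClaimTypes.Name, userName) },
                CookieAuthenticationDefaults.AuthenticationType);
            AuthenticationManager.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);
            return RedirectToAction("Index", "Home");
        }
        [HttpPost, ValidateAntiForgeryToken]
        public ActionResult LogOff() {
            AuthenticationManager.SignOut(CookieAuthenticationDefaults.AuthenticationType);
            return RedirectToAction("Index", "Home");
        }
    }
}
```

The MVC 5 template pairs this with `<authentication mode="None" />` in web.config so that FormsAuthenticationModule does not also process the request.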