This page covers how to remove a ClaimsIdentity from a ClaimsPrincipal.

Problem description

I have an HR web application built in ASP.Net MVC split into areas, for example Manager, Employee. These areas represent different types of users in the system who are able to do different tasks. There is a legacy database involved and information for each user type is stored in a different table. Also, the type of information stored for each user type is different so it makes sense that the tables are separate.

I am looking to implement claims based authentication for a couple reasons: One, it will be easier to store details about each user, on the client, such as username, roles etc. The other reason is that ClaimsPrincipal supports multiple Identities. This is important because in some cases a single person may need to access the system under multiple Identities at the same time. E.g. a Manager needs access to the system to perform administrative tasks, however the Manager also happens to be an Employee and should be able to log into the system as an Employee. Each area is treated separately, so that even if a user is both a Manager and Employee they must log in separately to each area.

So here are my questions: Are multiple Identities through ClaimsPrincipal the way to go? Is there some other technique I am overlooking? If multiple Identities are the way to go, how do I log a user out of one area, but keep them logged in to another area if they happen to also be logged in to another area at the same time? Normally, to log out, the code would look something like this:

FederatedAuthentication.SessionAuthenticationModule.SignOut();



My assumption is that this will log the user out of both areas. Is this correct?

Assuming that is the case, I thought I could simply remove the specific Identity from ClaimsPrincipal, then reset and write the SessionSecurityToken, but ClaimsPrincipal has no remove method, only AddIdentity. So I came up with the following pseudo code:

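On logout:

  • Count the Identities in the ClaimsPrincipal

  • If count == 1, log out normally

  • If count > 1, since we cannot remove an Identity, loop through the Identities and create a new ClaimsPrincipal excluding the Identity we want to log out, then reset and write the SessionSecurityToken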

Am I on the right track? Are there some good examples of how to implement multiple Identities in ClaimsPrincipal? I have searched and while I have found brief mention of multiple Identities, I have found no actual examples.

Recommended answer

It feels like your problem may be an artificial one:

Each area is treated separately, so that even if a user is both a Manager and Employee they must log in separately to each area.

What is the requirement driving this separation? This is the crux of the problem and it is likely going to be easier to fix this than try to fudge a workable solution with multiple identities for a single user.

To answer your direct question, no, you cannot remove an identity from a principal. You can only create a new principal and replace the existing one with whatever set of claims you require.

Thread.CurrentPrincipal = new ClaimsPrincipal(...);

If you build the principal from the identities or claims of the existing principal, you can filter out the ones you want to remove.

Fundamental to claim-based authentication is the idea of separating the mechanism for authentication from the mechanisms for authorisation. You authenticate when you need to know the identity of the user. When you authorize you use the claims associated with the user to perform an access-control decision, such as letting them into a management area of your system.

The identity of the user should be who they are in the context of the system. In most systems, the user will have a single identity. It can be useful to have multiple identities for technical reasons, such as systems which allow the user to associate a single authentication with multiple, changeable identities, but generally a system is simplest if you have a single identity for each user, because the reality is that you have a single user who typically presents a single identity to you.

I can only think of one legitimate reason for a user to log into a system with multiple identities: the user wants to operate using multiple identities to separate their activities, e.g. a work account and a personal account.

Your system should be able to operate with a single authenticated identity. If your managers need to go through an additional authentication step to reach the management section, don't try and remove their existing identity - instead perform authentication with elevating system and add the identity to their existing principal. The user has not changed, you have just gained more claims associated with them.
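
The rebuild-and-replace approach from the answer, written out as an added example that is not part of the original question or answer. It assumes each area creates its ClaimsIdentity with its own AuthenticationType (for instance a hypothetical "ManagerArea"); the class and method names and the 8-hour lifetime are constructed for illustration.

```csharp
using System;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;
using System.Threading;
using System.Web;

public static class AreaSignOut   // hypothetical helper, not a framework type
{
    // ClaimsPrincipal has AddIdentity but no remove method, so build a new
    // principal from every identity except the one issued for the given area.
    public static ClaimsPrincipal WithoutArea(ClaimsPrincipal current, string areaAuthType)
    {
        var kept = current.Identities
            .Where(i => !string.Equals(i.AuthenticationType, areaAuthType,
                                       StringComparison.Ordinal))
            .ToList();
        return new ClaimsPrincipal(kept);
    }

    public static void SignOutOfArea(string areaAuthType)
    {
        var sam = FederatedAuthentication.SessionAuthenticationModule;
        var remaining = WithoutArea(ClaimsPrincipal.Current, areaAuthType);

        // Nothing authenticated is left: do the normal full sign-out,
        // which deletes the session cookie.
        if (!remaining.Identities.Any(i => i.IsAuthenticated))
        {
            sam.SignOut();
            return;
        }

        // Otherwise overwrite the session cookie with a token that only
        // carries the remaining identities (lifetime is a constructed value).
        var token = new SessionSecurityToken(remaining, TimeSpan.FromHours(8));
        sam.WriteSessionTokenToCookie(token);

        // Make the rest of the current request see the reduced principal too.
        Thread.CurrentPrincipal = remaining;
        if (HttpContext.Current != null)
        {
            HttpContext.Current.User = remaining;
        }
    }
}
```

In the default cookie mode the session token lives entirely in the cookie, so a copy of the earlier cookie still carries the removed identity until that token expires. Keep token lifetimes short, or track sessions server-side, if a per-area sign-out must take effect immediately.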
