• 设为首页
  • 点击收藏
  • 手机版
    手机扫一扫访问
    迪恩网络手机版
  • 关注官方公众号
    微信扫一扫关注
    公众号

ASP.NET2.0:ImplementingSingleSignOn(SSO)withMembershipAPI

原作者: [db:作者] 来自: [db:来源] 收藏 邀请
The membership API is awesome. No doubt about that. But I wish it had a more obvious in-built support for SSO. The only authenticate method takes in a username and password, there is no support for a token based system. Also, if you did add another method to verify against a ticketing authority - the membership API simply ignores it.

So the question is, How to do SSO using the Membership API - custom provider or otherwise.

Now ASP.NET has 3 kinds of authentication -

Passport - nobody uses it anymore, and that is SSO by definition anyway.
Windows - SSO is like a moot point here.
Forms - This is where the problem begins. So thats all I'm gonna discuss here.

Well, single sign on is almost always implemented using a central ticketing authority. The idea being similar to the concept of visiting a bar. You get a "token" stamped on the back of your hand as you walk into the bar, and then everywhere in the bar, you are recognized as "over 21".

Similarly, in a ticketing based SSO implementation, a central ticketing authority issues you a "ticket" at logon. Then you can integrate with any other system by passing the "ticket", rather than your authentication credentials. Then as long as the protected system can verify the "ticket" as being valid, you're in. Else, you're out.

Anyway, so the first thing you need to do is setup a ticket verification webservice. The idea being, anytime you successfully authenticate, you will be issued a ticket, which will ideally be a GUID, stored as cookie that expires when the user hits the CROSS button on his browser. Then you can circumvent the membership API's "Authenticate" method, by instead verifying the ticket - IF one is present.

So lets assume that the ticket is being passed as a querystring called "ssoToken". Obviously, if someone else sniffed your ticketID, then he could masquerade as you - so this approach requires some kind of encryption.

So in the Page_Load for your login.aspx page, write the following code -

protected void Page_Load(object sender, EventArgs e)

{

    string unescapedtokenID = Uri.UnescapeDataString(Request.QueryString["ReturnURL"]);

    string tokenID = ParseURL(unescapedtokenID);

 

 

    if (IsTokenValid(tokenID))

    {

        FormsAuthentication.SetAuthCookie(GetUserName(tokenID), false);

        Response.Redirect(unescapedtokenID);

    }

}

 

Basically "tokenID" is the token that was passed in as QueryString (or any other means), and IsTokenValid queries the ticketing web service to check the validity of the ticket. The ParseURL method is simply some magic to seperate out querystring peices out of the URL contained in the "ReturnURL" query string. If you're interested, the code for that looks like as below -

    private string ParseURL(string unescapedTokenID)

    {

        UriBuilder bldr = new UriBuilder("http://dummyurl" + unescapedTokenID);

        QueryStringParser coll = new QueryStringParser(bldr.Query);

        return coll["ssoToken"];

    }

 

The QueryStringParser class looks like this -

internal class QueryStringParser : System.Collections.Specialized.NameValueCollection

{

    internal QueryStringParser(string s)

    {

        if (s.Length != 0) s = s.Substring(1);

        int num1 = (s != null) ? s.Length : 0;

        for (int num2 = 0; num2 < num1; num2++)

        {

            int num3 = num2;

            int num4 = -1;

            while (num2 < num1)

            {

                char ch1 = s[num2];

                if (ch1 == '=')

                {

                    if (num4 < 0)

                    {

                        num4 = num2;

                    }

                }

                else if (ch1 == '&')

                {

                    break;

                }

                num2++;

            }

            string text1 = null;

            string text2 = null;

            if (num4 >= 0)

            {

                text1 = s.Substring(num3, num4 - num3);

                text2 = s.Substring(num4 + 1, (num2 - num4) - 1);

            }

            else

            {

                text2 = s.Substring(num3, num2 - num3);

            }

           

            base.Add(HttpUtility.UrlDecode(text1, Encoding.ASCII), HttpUtility.UrlDecode(text2, Encoding.ASCII));

 

            if ((num2 == (num1 - 1)) && (s[num2] == '&'))

            {

                base.Add(null, string.Empty);

            }

        }

    }

}

Thats it !! Put all these together, and you have at your hands SSO using Membership API.


鲜花

握手

雷人

路过

鸡蛋
该文章已有0人参与评论

请发表评论

全部评论

专题导读
上一篇:
[摘]ASP.Net标准控件(TextBox控件)发布时间:2022-07-10
下一篇:
ASP.NET个性化生成excel文件发布时间:2022-07-10
热门推荐
热门话题
阅读排行榜

扫描微信二维码

查看手机版网站

随时了解更新最新资讯

139-2527-9053

在线客服(服务时间 9:00~18:00)

在线QQ客服
地址:深圳市南山区西丽大学城创智工业园
电邮:jeky_zhao#qq.com
移动电话:139-2527-9053

Powered by 互联科技 X3.4© 2001-2213 极客世界.|Sitemap