摘自;http://stackoverflow.com/a/16734651/1616023

See the summaries below each quote for a quick answer, and the paragraphs for detail. Also see the References section at the end for the authoritative sources.

Summaries

1.What is SimpleMembership/SimpleMembershipProvider (WebMatrix.WebData) and what is it/are they responsible for?

SimpleMembership (a term that covers both the SimpleMembershipProvider and SimpleRoleProvider) is responsible for providing a clean and quick way of implementing an 80 %-there plug and play authentication and authorisation framework with secure password storage, that anyone can use.

2.What is WebSecurity (WebMatrix.WebData)?

WebSecurity is a helper class for common membership tasks that works alongside Membership and OAuthWebSecurity. Roles are still accessed separately through Roles.

3.What is the Membership (System.Web.Security) class?

Membership is a static class from the original ASP.NET membership implementation that manages user settings and operations. Many user operations are still done here rather than repeating them in WebSecurity. They both use the same provider of your choice.

4.Why does MVC4 create a UserProfile table and a webpages_Membership table? What are they for and what is the difference? What is the UserProfile class that MVC4 creates?

The two tables perform different functions. The webpages_Membership schema is controlled by the framework and used for credentials, the UserProfile schema is controlled by us and used for any properties we want to store against a user.

5.What is the UsersContext class?

It is a DbContext (part of the DbContext API) provided as a starting by the MVC Internet Application template. Its only job is to contain the UserProfile class so we can work with it (e.g. through InitializeSimpleMembershipAttribute).

6.How do all of these work together to make user authentication?

This should now be evident from the summaries above and the detail below. Use: WebSecurity for common tasks; UserProfile for custom properties to store against a user, accessed through the UsersContext (in the Visual Studio "MVC Internet Application" template); Membership when WebSecurity or OAuthWebSecurity doesn't have the method; and Roles for roles. Use the VS template's controller to see examples of use.

Edit. In case anyone got this far

Suppose I have an existing database ...

If you have an existing database, and your only reason for writing a custom membership provider is to deal with your legacy password storage method, then you could use a workaround. This will only work if you can move away from your old password storage to the SimpleMembership algorithm (which uses the Rfc2898DeriveBytes class). See the footnote for details.

If you can't move away, then yes you are going to have to create your own provider to use your specific password algorithm, which you can do by deriving from SimpleMembershipProvider.

NOTE: SimpleMembershipProvider will HASH your passwords not ENCRYPT them. If you don't know the difference and why that is important then think twice before doing your own provider with custom security


Detail

1.What is SimpleMembership/SimpleMembershipProvider

To understand how it all fits together it helps to understand the history.

  • ASP.NET in 2005 introduced the ASP.NET Membership system
  • This system used providers to abstract away implementation details from common interfaces used to manage accounts and roles etc.
  • It also gave us a basic "user profile" capability (stored in a single column xml field which people therefore tended to avoid)
  • SimpleMembership was released into the world in 2010 ish as a provider that plugs in to the ASP.NET membership system, but also allows for OAuth authentication, and property-per-column user profile storage (instead of the single column storage used in the original implementation).
  • SimpleMembershipProvider implements ExtendedMembershipProvider to extend the original provider implementation

It is Open Source on codeplex (mirrored on github). As far as security goes you can therefore assess the code yourself, clone it, change it etc. You should take your own view on the benefits and drawbacks of open source security, and cook that up up with a pinch of NIH. (Personal view: I use it sometimes, I don't use it other times)

ExtendedMembershipProvider in itself adds commands like GeneratePasswordResetToken to the old membership provider apis.

2.What is WebSecurity (WebMatrix.WebData)?

WebSecurity is simply a facade, or helper class, to provide simple access to SimpleMembershipProvider and make common tasks easy and accessible in one place. It is there both to help and because the extension of the original framework through ExtendedMembershipProvider means some of the original classes like Membership aren't enough now. Examples:

  • WebSecurity.CurrentUserName - gets the name of the currently logged in user
  • WebSecurity.CreateUserAndAccount. Simultaneously create a user and set user profile properties (e.g. WebSecurity.CreateUserAndAccount(userName, pw, new { Email = model.Email });
  • WebSecurity.InitializeDatabaseConnection - Quickly setup a new/existing database for use with membership, choose your user id column and user natural key identifier etc.
  • ResetPassword to reset a user password, GeneratePasswordResetToken and many more

These methods generally defer to the provider you are using, they don't just depend on SimpleMembership, and they tie together objects like your provider and Membership to provide a common point to do membership functions.

Note there is also OAuthWebSecurity which is the equivalent of WebSecurity for OAuth authentication.

3.What is the Membership (System.Web.Security) class?

Membership is from the original implementation; it manages user settings and performs user-related operations using the basic MembershipProvider implementation which ExtendedMembershipProvidernow extends. It is a static class, so is available anywhere you declare the namespace, and is therefore an easy way to, for example, retrieve the current user: Membership.GetUser

There is confusion caused by the fact that WebSecurity does some things and not others, and Membership does some things and not others. If you view WebSecurity as a toolkit for higher level operations, and Membership as a toolkit to do things to a user, you'll be ok; they work together on your provider.

4.Why does MVC4 create a UserProfile table and a webpages_Membership table? What are they for and what is the difference? What is the UserProfile class that MVC4 creates?

  • webpages_Membership is a table with a fixed schema that we leave alone, and allows the provider to do the basic account operations, mainly storing credentials.
  • UserProfile is a table that we customise to store information against a user account, and have that made available in a strongly typed format through the UserProfile class.
  • There is an extra table called webpages_OAuthMembership which does the same job as webpages_Membership, but for OAuth login providers that you want to integrate with.

The magic of this setup is that a single user can have a membership login on your own site, and any number of OAuth logins with different providers like google, facebook, and they all share a common profile stored in UserProfile

Generally if a table starts with webpages_, it means there is an API to access it. The UserProfiletable is represented by the UserProfile class in your UsersContext (if you use the default MVC Internet Application template). Therefore we access this through the usual methods we would use with any class contained in a DbContext.

UserProfile is very code-first friendly: you can add columns (like the user's Email address), and then set up a migration to include that column in your database on your next release (if you like using migrations). In fact, the UserProfile table does not have to be called that - you can change that using the WebSecurity.InitializeDatabaseConnection call, [Table("UserProfile")] public class UserProfile, and your own migrations.

5.What is the UsersContext class?

This is from the MVC Internet Application template provided in Visual Studio New Project. The first thing I do is make sure that it shares a common connection string with my own database context (assuming the membership tables are in the same database). You can change this and decouple them later if you want.

You don't need to have it separate to your own context - that is only necessary if you want to store membership information in a different database now or in the future If you get rid of it you can just change references to UsersContext to your own context, adjusting Database.SetInitializer.

References:

Using SimpleMembership With ASP.NET WebPages - Matthew Osborn - This is the original reference about SimpleMembership and what it is, why it is, and what it does:

MSDN - Introduction to Membership - Membership is still at the core of SimpleMembership, so it helps to understand a bit about it.


EDIT Footnote: the detail for doing a rolling password upgrade

  • Add a property to UserProfile which stores what password version the account is on (e.g. 1 for legacy, 2 for SimpleMembership)
  • In the "Login" Action, write code so that:
    • If they are on your SimpleMembership password version, you do a normal login
    • If they are on the legacy password version, you:
      • check it using your old method
      • if it is correct you reset it using ResetPassword then ChangePassword to use the SimpleMembership version, this will update the field to the new password version
      • and finally update the Password version on the UserProfile
  • Update any other AccountsController methods that use password in a similar way.
  • Live with the hacky workaround and coupling to the webpages_Membership table we aren't meant to touch as you didnt have to write a new custom provider.

It is possible to make all this transactional with TransactionScope. The only nasty thing going on is the extra code in the controller, and the coupling to webpages_Membership.

参考

  1. Membership三步曲之入门篇 - Membership 基础示例
  2. Membership三步曲之进阶篇 - 深入剖析Provider Model
  3. Membership三步曲之高级篇 - 从Membership到 ASP.NET Identity

Introducing ASP.NET Identity – A membership system for ASP.NET applications

AspnetIdentitySample

OSharp框架

MVC的Membership的更多相关文章

  1. MVC使用Membership配置

    MVC的权限管理,环境是MVC4.5,SQL Server2008 修改前 Web.config文件: <system.web> <authentication mode=" ...

  2. MVc Forms Membership rolemanage 角色权限验证管理

    Forms  登录验证Membership 权限验证rolemanage 角色管理 以往的项目中只有单纯的Forms 验证今天想把这三个结合到mvc 中发现要导入aspnet_ 相关表,但是有个问题验 ...

  3. 怎么在MVC中使用自定义Membership

    首先我们来看看微软自带的membership: 我们打开系统下aspnet_regsql.exe 地址一般位于: C:\WINDOWS\Microsoft.NET\Framework\v2.0.507 ...

  4. MVC中关于Membership类跟数据库的问题

    Membership它们用的是ASPNETDB这个数据库,但我们可以使用我们自定义的数据库,然而除非我们自定义的数据库有着跟这个ASPNETDB一样的模式,否则ASP.NET提供的默认的SqlMemb ...

  5. [转]怎么在MVC中使用自定义Membership

    本文转自:http://www.cnblogs.com/angelasp/p/4078244.html 首先我们来看看微软自带的membership: 我们打开系统下aspnet_regsql.exe ...

  6. asp.net MVC中如何用Membership类和自定义的数据库进行登录验证

    asp.net MVC 内置的membershipProvider可以实现用户登陆验证,但是它用的是自动创建的数据库,所以你想用本地数据库数据去验证,是通过不了的. 如果我们想用自己的数据库的话,可以 ...

  7. 在ASP.NET MVC中使用MySQL【并使用membership】

            大多数情况下我们使用.NET或ASP.NET(包括MVC)程序时,我们会同时选择SQL Server 或者SQL Express (其他微软产品)做数据库.但是今天使用MVC已经完全没 ...

  8. ASP.net MVC 无法初始化 ASP.NET Simple Membership 数据库

    1.错误信息 解决办法 1 更改Web.config的连接字符串 <connectionStrings> <add name="DefaultConnection" ...

  9. 从Membership 到 .NET4.5 之 ASP.NET Identity

    我们前面已经讨论过了如何在一个网站中集成最基本的Membership功能,然后深入学习了Membership的架构设计.正所谓从实践从来,到实践从去,在我们把Membership的结构吃透之后,我们要 ...

随机推荐

  1. 洛谷.1782.旅行商的背包(背包DP 单调队列)

    题目链接(卡常背包) 朴素的多重背包是: \(f[i][j] = \max\{ f[i-1][j-k*v[i]]+k*w[i] \}\),复杂度 \(O(nV*\sum num_i)\) 可以发现求\ ...

  2. AJAX请求状态码返回200却跳到error的function

    最近在搞公司的项目时,发现了一个神奇的问题,就是AJAX请求成功,却莫名其妙的不返回到success函数中,而是跳到了error函数中.公司的项目是ASP.NET,这个和用的什么语言没有多大关系,只要 ...

  3. 潭州课堂25班:Ph201805201 第三课:序列类型的方法 (课堂笔记)

    列表的方法: li = [] 添加: li.append( 'a' ) 追加元素进入列表 li.insert( 1, 'b' ) 插入元素到指定索引位置 ----->>>  li.i ...

  4. Struts2标签里面调用java方法

    <s:if test="#session.user.hasPrivilegeByName(name)"> hasPrivilegeByName(name) 为User类 ...

  5. struts2标签在jsp页面中构建map集合,循环显示

    <s:radio name="gender" list="{'男', '女'}"></s:radio> <s:select nam ...

  6. 网络名词拾遗--part2

    网络名词拾遗--part2 关于所谓的连接上限 先要明白服务端和客户端的交互逻辑: 服务端创建socket 与提供对外服务的port端口绑定 开始监听 客户端向这个端口提出请求 服务端接收到这个请求后 ...

  7. Shell中的>/dev/null 2>&1 与 2>&1 >/dev/null 与&>/dev/null 的区别

    默认情况下,总是有三个文件处于打开状态,标准输入(键盘输入).标准输出(输出到屏幕).标准错误(也是输出到屏幕),它们分别对应的文件描述符是0,1,2 .那么我们来看看下面的几种重定向方法的区别: & ...

  8. C++使用thread类多线程编程

    转自:C++使用thread类多线程编程 C++11中引入了一个用于多线程操作的thread类,下面进行简单演示如何使用,以及如果进行多线程同步. thread简单示例 #include <io ...

  9. Linux TC(Traffic Control)框架原理解析

    近日的工作多多少少和Linux的流控有点关系.自打几年前知道有TC这么一个玩意儿而且多多少少理解了它的原理之后,我就没有再动过它,由于我不喜欢TC命令行,实在是太繁琐了.iptables命令行也比較繁 ...

  10. Android NDK 使用自己的共享库(Import Module)

    LOCAL_PATH := $(call my-dir)//标准mk语句,指编译路径,所有mk文件第一句都是这个 /**这个模块表示引用了一个本地的静态库include $(CLEAR_VARS) / ...