lsm/Orchard
1
0
Fork 0
mirror of https://github.com/OrchardCMS/Orchard.git synced 2025-10-15 19:54:57 +08:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity

#5536: Removed dependency on IContentManager from FormsAuthenticationService.

Browse Source 
FormsAuthenticationService now uses IMembershipService instead. Also introduced a NullMembershipService implementation in Orchard.Framework, used only for dependency resolution during setup. Fixes #5536.
This commit is contained in:
Daniel Stolt
2015-07-18 22:05:39 +01:00
parent 56addb2629
commit 83cae5f0a0
4 changed files with 54 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/Orchard.Web/Modules/Orchard.Users/Services/MembershipService.cs
View File

@@ -15,8 +15,10 @@ using System.Collections.Generic;
using Orchard.Services;
using System.Web.Helpers;
using Orchard.Environment.Configuration;
using Orchard.Environment.Extensions;
namespace Orchard.Users.Services {
[OrchardSuppressDependency("Orchard.Security.NullMembershipService")]
public class MembershipService : IMembershipService {
private const string PBKDF2 = "PBKDF2";
private const string DefaultHashAlgorithm = PBKDF2;

1
src/Orchard/Orchard.Framework.csproj
View File

@@ -165,6 +165,7 @@
<Compile Include="Localization\Services\ILocalizationStreamParser.cs" />
<Compile Include="Localization\Services\LocalizationStreamParser.cs" />
<Compile Include="Security\ISslSettingsProvider.cs" />
<Compile Include="Security\NullMembershipService.cs" />
<Compile Include="Security\Providers\DefaultSslSettingsProvider.cs" />
<Compile Include="Security\Providers\DefaultMembershipValidationService.cs" />
<Compile Include="StaticHttpContextScope.cs" />

30
src/Orchard/Security/NullMembershipService.cs Normal file
View File

@@ -0,0 +1,30 @@
using System;
namespace Orchard.Security {
/// <summary>
/// Provides a default implementation of <c>IMembershipService</c> used only for dependency resolution
/// in a setup context. No members on this implementation will ever be called; at the time when this
/// interface is actually used in a tenant, another implementation is assumed to have suppressed it.
/// </summary>
public class NullMembershipService : IMembershipService {
public IUser CreateUser(CreateUserParams createUserParams) {
throw new NotImplementedException();
}
public MembershipSettings GetSettings() {
throw new NotImplementedException();
}
public IUser GetUser(string username) {
throw new NotImplementedException();
}
public void SetPassword(IUser user, string password) {
throw new NotImplementedException();
}
public IUser ValidateUser(string userNameOrEmail, string password) {
throw new NotImplementedException();
}
}
}

40
src/Orchard/Security/Providers/FormsAuthenticationService.cs
View File

@@ -3,16 +3,18 @@ using System.Web;
using System.Web.Security;
using Orchard.Environment.Configuration;
using Orchard.Logging;
using Orchard.ContentManagement;
using Orchard.Mvc;
using Orchard.Mvc.Extensions;
using Orchard.Services;
using Orchard.Utility.Extensions;
namespace Orchard.Security.Providers {
public class FormsAuthenticationService : IAuthenticationService {
private const int _cookieVersion = 3;
private readonly ShellSettings _settings;
private readonly IClock _clock;
private readonly IContentManager _contentManager;
private readonly IMembershipService _membershipService;
private readonly IHttpContextAccessor _httpContextAccessor;
private readonly ISslSettingsProvider _sslSettingsProvider;
private readonly IMembershipValidationService _membershipValidationService;
@@ -23,13 +25,13 @@ namespace Orchard.Security.Providers {
public FormsAuthenticationService(
ShellSettings settings,
IClock clock,
IContentManager contentManager,
IMembershipService membershipService,
IHttpContextAccessor httpContextAccessor,
ISslSettingsProvider sslSettingsProvider,
IMembershipValidationService membershipValidationService) {
_settings = settings;
_clock = clock;
_contentManager = contentManager;
_membershipService = membershipService;
_httpContextAccessor = httpContextAccessor;
_sslSettingsProvider = sslSettingsProvider;
_membershipValidationService = membershipValidationService;
@@ -45,12 +47,13 @@ namespace Orchard.Security.Providers {
public void SignIn(IUser user, bool createPersistentCookie) {
var now = _clock.UtcNow.ToLocalTime();
// the cookie user data is {userId};{tenant}
var userData = String.Concat(Convert.ToString(user.Id), ";", _settings.Name);
// The cookie user data is "{userName.Base64};{tenant}".
// The username is encoded to Base64 to prevent collisions with the ';' seprarator.
var userData = String.Concat(user.UserName.ToBase64(), ";", _settings.Name);
var ticket = new FormsAuthenticationTicket(
1 /*version*/,
_cookieVersion,
user.UserName,
now,
now.Add(ExpirationTimeSpan),
@@ -121,29 +124,28 @@ namespace Orchard.Security.Providers {
var formsIdentity = (FormsIdentity)httpContext.User.Identity;
var userData = formsIdentity.Ticket.UserData ?? "";
// the cookie user data is {userId};{tenant}
// The cookie user data is {userName.Base64};{tenant}.
var userDataSegments = userData.Split(';');
if (userDataSegments.Length < 2) {
return null;
}
var userDataId = userDataSegments[0];
var userDataName = userDataSegments[0];
var userDataTenant = userDataSegments[1];
try {
userDataName = userDataName.FromBase64();
}
catch {
return null;
}
if (!String.Equals(userDataTenant, _settings.Name, StringComparison.Ordinal)) {
return null;
}
int userId;
if (!int.TryParse(userDataId, out userId)) {
Logger.Error("User id not a parsable integer");
return null;
}
// todo: this issues a sql query for each authenticated request
_signedInUser = _contentManager.Get(userId).As<IUser>();
_signedInUser = _membershipService.GetUser(userDataName);
if (_signedInUser == null || !_membershipValidationService.CanAuthenticateWithCookie(_signedInUser)) {
return null;
}