角色身份验证和授权
本文关键字:授权 身份验证 角色 | 更新日期: 2023-09-27 18:25:21
我正在为我的管理页面进行身份验证。我从各种网站上学习了一些例子,但每次我试图访问产品页面时,它总是把我踢回登录页面。
这是我的代码
login.aspx.cs
protected void Page_Load(object sender, EventArgs e)
{
if (!IsPostBack)
{
if (User.Identity.IsAuthenticated && Request.QueryString["ReturnUrl"] != "")
{
divError.Visible = true;
divError.InnerHtml = accessErrorMessage;
}
}
}
protected void btn_enter_Click(object sender, EventArgs e)
{
using (var db = new MainDB())
{
administrator=db.Administrators.Where(q => q.Name == txtUsername.Text && q.Password == txtPassword.Text).FirstOrDefault();
if(administrator!=null)
{
administrator.DateLastLogin = DateTime.Now;
roles = administrator.Role;
adminID = administrator.AdministratorId;
db.SaveChanges();
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
1, // Ticket version
adminID.ToString(), // Username associated with ticket
DateTime.UtcNow, // Date/time issued
DateTime.UtcNow.AddMinutes(30), // Date/time to expire
true, // "true" for a persistent user cookie
**roles, // User-data, in this case the roles(data example: product,feedback,subscribes**
FormsAuthentication.FormsCookiePath); // Path cookie valid for
// Encrypt the cookie using the machine key for secure transport
string hash = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(
FormsAuthentication.FormsCookieName, // Name of authentication cookie
hash); // Hashed ticket
// Set the cookie's expiration time to the tickets expiration time
if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;
// Add the cookie to the list for outgoing response
Response.Cookies.Add(cookie);
// Redirect to requested URL, or homepage if no previous page
// requested
string returnUrl = Request.QueryString["ReturnUrl"];
if (returnUrl == null)
{
returnUrl = "~/admin/";
}
// Don't call FormsAuthentication.RedirectFromLoginPage since it
// could
// replace the authentication ticket (cookie) we just added
Response.Redirect(returnUrl);
}
else
{
divError.Visible = true;
divError.InnerHtml = loginErrorMessage;
}
//if (FormsAuthentication.Authenticate(txtUsername.Text, txtPassword.Text))
//{
// FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, false);
//}
}
global.asax
void Application_AuthenticateRequest(object sender, EventArgs e)
{
if(Request.IsAuthenticated)
{
FormsIdentity identity = (FormsIdentity)HttpContext.Current.User.Identity;
//Add the roles to the User Principal
HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(HttpContext.Current.User.Identity, identity.Ticket.UserData.Split(new char[] { ',' }));
}
}
web.config
<location path="admin/product">
<system.web>
<authorization>
<!--<allow users="admin"/>-->
<allow roles="product"/>
<deny users="*"/>
</authorization>
</system.web>
<location path="admin/spotlight">
<system.web>
<authorization>
<!--<allow users="admin"/>-->
<allow roles="spotlight"/>
<deny users="*"/>
</authorization>
</system.web>
<location path="admin/career">
<system.web>
<authorization>
<!--<allow users="admin"/>-->
<allow roles="career"/>
<deny users="*"/>
</authorization>
</system.web>
<location path="admin/emailshare">
<system.web>
<authorization>
<!--<allow users="admin"/>-->
<allow roles="emailshare"/>
<deny users="*"/>
</authorization>
</system.web>
我是不是做错了什么?
首先允许一个角色,然后拒绝所有用户。
规则是按顺序执行的,所以尽量将最具体的规则指定为最后一条。
<deny users="*"/>
<allow roles="emailshare"/>
另一件事是,在对DB中的用户进行身份验证后,您不会设置Principal。您需要在HttpContext中设置用户,并且标志为Authenticated。否则,如果(Request.IsAuthenticated)将始终为false。
GenericIdentity userIdentity =
new GenericIdentity(ticket.Name);
GenericPrincipal userPrincipal =
new GenericPrincipal(userIdentity, roles);
Context.User = userPrincipal;
请注意,角色参数是一个逗号分隔的字符串。
另外,使用内置提供者模型不是更容易吗?这会阻止您自己编写所有身份验证代码。然后,您可以在需要时使用自己的数据访问逻辑创建自定义成员资格提供程序。