使用httpModule做权限系统
reference:
http://blog.csdn.net/andyhooo/archive/2007/04/29/1591890.aspx
http://topic.csdn.net/t/20050417/19/3944040.html
http://www.cnblogs.com/fanrsh/archive/2006/05/24/408136.html
页面请求过程:
根据这个流程,网上一般的权限验证在:
Http.Module.AuthorizeRequest
Http.Module.PreRequestHandlerExecute
例如使用前者:
或者使用后者:
http://blog.csdn.net/andyhooo/archive/2007/04/29/1591890.aspx
http://topic.csdn.net/t/20050417/19/3944040.html
http://www.cnblogs.com/fanrsh/archive/2006/05/24/408136.html
页面请求过程:
根据这个流程,网上一般的权限验证在:
Http.Module.AuthorizeRequest
Http.Module.PreRequestHandlerExecute
例如使用前者:
using System;
using System.Web;
using System.Security.Principal;
namespace MyModules
{
public class CustomModule : IHttpModule
{
public CustomModule() { }
public void Dispose() { }
public void Init(HttpApplication app)
{
//建立安全模块
app.AuthenticateRequest += new EventHandler(this.AuthenticateRequest);
}
private void AuthenticateRequest(object o, EventArgs e)
{
HttpApplication app = (HttpApplication)o;
HttpContext content = (HttpContext)app.Context;
if ((app.Request["userid"] == null) || (app.Request["password"] == null))
{
content.Response.Write("未提供必需的参数!!");
content.Response.End();
}
string userid = app.Request["userid"].ToString();
string password = app.Request["password"].ToString();
string[] strRoles = AuthenticateAndGetRoles(userid, password);
if ((strRoles == null) || (strRoles.GetLength(0) == 0))
{
content.Response.Write("未找到相配的角色!!");
app.CompleteRequest();
}
GenericIdentity objIdentity = new GenericIdentity(userid, "CustomAuthentication");
content.User = new GenericPrincipal(objIdentity, strRoles);
}
private string[] AuthenticateAndGetRoles(string r_strUserID, string r_strPassword)
{
string[] strRoles = null;
if ((r_strUserID.Equals("Steve")) && (r_strPassword.Equals("15seconds")))
{
strRoles = new String[1];
strRoles[0] = "Administrator";
}
else if ((r_strUserID.Equals("Mansoor")) && (r_strPassword.Equals("mas")))
{
strRoles = new string[1];
strRoles[0] = "User";
}
return strRoles;
}
}
}
using System.Web;
using System.Security.Principal;
namespace MyModules
{
public class CustomModule : IHttpModule
{
public CustomModule() { }
public void Dispose() { }
public void Init(HttpApplication app)
{
//建立安全模块
app.AuthenticateRequest += new EventHandler(this.AuthenticateRequest);
}
private void AuthenticateRequest(object o, EventArgs e)
{
HttpApplication app = (HttpApplication)o;
HttpContext content = (HttpContext)app.Context;
if ((app.Request["userid"] == null) || (app.Request["password"] == null))
{
content.Response.Write("未提供必需的参数!!");
content.Response.End();
}
string userid = app.Request["userid"].ToString();
string password = app.Request["password"].ToString();
string[] strRoles = AuthenticateAndGetRoles(userid, password);
if ((strRoles == null) || (strRoles.GetLength(0) == 0))
{
content.Response.Write("未找到相配的角色!!");
app.CompleteRequest();
}
GenericIdentity objIdentity = new GenericIdentity(userid, "CustomAuthentication");
content.User = new GenericPrincipal(objIdentity, strRoles);
}
private string[] AuthenticateAndGetRoles(string r_strUserID, string r_strPassword)
{
string[] strRoles = null;
if ((r_strUserID.Equals("Steve")) && (r_strPassword.Equals("15seconds")))
{
strRoles = new String[1];
strRoles[0] = "Administrator";
}
else if ((r_strUserID.Equals("Mansoor")) && (r_strPassword.Equals("mas")))
{
strRoles = new string[1];
strRoles[0] = "User";
}
return strRoles;
}
}
}
编辑Web.config文件:
<system.web>
<httpModules>
<add name="Custom" type="MyModules.CustomModule,Custom"/>
</httpModules>
</system.web>
<system.web>
<httpModules>
<add name="Custom" type="MyModules.CustomModule,Custom"/>
</httpModules>
</system.web>
Custom.aspx页面内容:
<script language="c#" runat="server">
public void page_load(Object obj,EventArgs e)
{
lblMessage.Text = "<H1>Hi, " + User.Identity.Name + "</H1>";
if(User.IsInRole("Administrator"))
lblRole.Text="<H1>You are an Administrator</H1>";
else if(User.IsInRole("User"))
lblRole.Text = "<H1>You are a normal user</H1>";
}
</script>
<form runat="server">
<asp:Label id="lblMessage" forecolor="red" font-size="10pt" runat="server"/>
<asp:Label id="lblRole" forecolor="red" font-size="10pt" runat="server"/>
</form>
<script language="c#" runat="server">
public void page_load(Object obj,EventArgs e)
{
lblMessage.Text = "<H1>Hi, " + User.Identity.Name + "</H1>";
if(User.IsInRole("Administrator"))
lblRole.Text="<H1>You are an Administrator</H1>";
else if(User.IsInRole("User"))
lblRole.Text = "<H1>You are a normal user</H1>";
}
</script>
<form runat="server">
<asp:Label id="lblMessage" forecolor="red" font-size="10pt" runat="server"/>
<asp:Label id="lblRole" forecolor="red" font-size="10pt" runat="server"/>
</form>
或者使用后者:
using System;
using System.Web;
namespace MyModule
{
public class MyModule : IHttpModule
{
public void Init(HttpApplication application)
{
application.AcquireRequestState += (new
EventHandler(this.Application_AcquireRequestState));
}
private void Application_AcquireRequestState(Object source, EventArgs e)
{
HttpApplication Application = (HttpApplication)source;
User user = Application.Context.Sesseion["User"]; //获取User
string url = Application.Context.Request.Path;
//获取客户访问的页面
Module module = xx; //根据url得到所在的模块
if (!RightChecker.HasRight(user, module))
Application.Context.Server.Transfer("ErrorPage.aspx");
//如果没有权限,引导到错误处理的页面
}
public void Dispose()
{
}
}
}
using System.Web;
namespace MyModule
{
public class MyModule : IHttpModule
{
public void Init(HttpApplication application)
{
application.AcquireRequestState += (new
EventHandler(this.Application_AcquireRequestState));
}
private void Application_AcquireRequestState(Object source, EventArgs e)
{
HttpApplication Application = (HttpApplication)source;
User user = Application.Context.Sesseion["User"]; //获取User
string url = Application.Context.Request.Path;
//获取客户访问的页面
Module module = xx; //根据url得到所在的模块
if (!RightChecker.HasRight(user, module))
Application.Context.Server.Transfer("ErrorPage.aspx");
//如果没有权限,引导到错误处理的页面
}
public void Dispose()
{
}
}
}
