基于角色(Role-Based)的表单验证
src:http://www.cnblogs.com/caca/archive/2004/07/26/27267.aspx
要求:
using System.Web.Security
using System.Security.Principal
[Principal]:主要的(这里怎样翻译呢??)
==================================
目录
+admin1 -default.aspx -web.config //web.config#1+admin2 -default.aspx -web.config//web.config#2+bin-web.config//web.config#root-login.aspx
==========================
目的:
admin1文件夹:只有role是administrator可以访问.
admini2文件夹:只有role是controler可以访问.
帐号,密码,角色存储在特定数据库中.
本例目的(其他道理相同):
caca是administrator
wawa是controler
所以caca可以访问admin1,不能访问admin2;wawa反之.
==========================
配置:
(1)web.config#root
<?xml version="1.0" encoding="utf-8"?><configuration> <system.web> <authentication mode="Forms"> <forms name="authenticationcookie" loginUrl="login.aspx" protection="All" path="/" timeout="40"/>
</authentication> </system.web></configuration>(2)web.config#1
<?xml version="1.0" encoding="utf-8"?><configuration> <system.web> <authorization> <allow roles="administrator"/> <deny users="*"/> </authorization> </system.web></configuration>(3)web.config#2
<?xml version="1.0" encoding="utf-8"?><configuration> <system.web> <authorization> <allow roles="controler"/> <deny users="*"/> </authorization> </system.web></configuration>==========================
关键代码:
(1)login.aspx
<script language=c# runat=server>private void signin(Object sender,EventArgs e)
{
string aRole="guest"; if(tbName.Text=="caca")aRole="administrator"; if(tbName.Text=="wawa")aRole="controler"; //建立role-based认证票据(我认为本质是cookie) FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket( 1, // version(版本?) tbName.Text, // user name(可能是生成票据验证cookie的名称) DateTime.Now, // creation(票据产生时间) DateTime.Now.AddMinutes(40),// Expiration(票据cookie失效时间) false, // Persistent(是否永久保持cookie) aRole ); // User data(角色)//修改票据cookie,使其加密(本质是写入一个与票据cookie同名的新cookie) string encryptedTicket = FormsAuthentication.Encrypt(authTicket); HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName,encryptedTicket); Response.Cookies.Add(authCookie); //返回所请求的URL Response.Redirect( FormsAuthentication.GetRedirectUrl(tbName.Text, false ));
}private void signout(Object sender,EventArgs e){//注销票据 FormsAuthentication.SignOut();}</script>
<html><head><title>LogIn</title></head><body><form runat=server>Name:<asp:textbox runat=server id=tbName/>[caca/wawa]<asp:button runat=server text=LogIn onclick=signin/><asp:button runat=server text=SignOut onclick=signout/><hr><asp:label runat=server id=lblMessage/></form></body></html>(2)Global.asax
<% @ import namespace=System.Security.Principal %><% @ import namespace=System.Security %> <script language=c# runat=server>protected void Application_AuthenticateRequest(Object sender, EventArgs e) {// Extract the forms authentication cookie(还原加密的票据) string cookieName = FormsAuthentication.FormsCookieName; HttpCookie authCookie = Context.Request.Cookies[cookieName]; if(null == authCookie)
{
// There is no authentication cookie. return;
} FormsAuthenticationTicket authTicket = null; try { authTicket = FormsAuthentication.Decrypt(authCookie.Value); } catch(Exception ex) { // Log exception details (omitted for simplicity) return; } if (null == authTicket) { // Cookie failed to decrypt. return; } // When the ticket was created, the UserData property was assigned a // pipe delimited string of role names.(票据已经还原,提取票据的UserData即为验证用户的role) string[] roles = authTicket.UserData.Split(new char[]{'|'}); // Create an Identity object FormsIdentity id = new FormsIdentity( authTicket ); // This principal will flow throughout the request. GenericPrincipal principal = new GenericPrincipal(id, roles); // Attach the new principal object to the current HttpContext object Context.User = principal;//这几句话我还没有真正理解,希望以后能从本质上看透验证过程.}</script>posted on 2004-09-24 08:45 HelloSnoopy 阅读(532) 评论(0) 编辑 收藏 举报
