asp.net Forums 之安全

在上一篇文章中,我们讨论了asp.net Forums 之HttpHandler和HttpModule,在这里放这个链接,是因为在本篇文件中需要用到上HttpModule相关的内容。

首先在Web.Config中配制为匿名用户不允许查看相关贴子。

 

<location path="EditPost.aspx">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
<location path="PostAttachmentManager.aspx">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
<location path="PrivateMessage.aspx">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
<location path="Download.aspx">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
<location path="License.aspx">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>

 

 


用户登录时验证用户信息

 

代码
// *********************************************************************
// LoginButton_Click
//
/// <summary>
/// Event handler to handle the login button click event
/// </summary>
// ***********************************************************************/
public void LoginButton_Click(Object sender, EventArgs e)
{
User userToLogin
= new User();
// 增加返回url by venjiang
string redirectUrl = forumContext.ReturnUrl;

if (!Page.IsValid)
return;

// [FRUM-183]增加验证码 by venjiang 2005/10/10
if(Globals.GetSiteSettings().EnableAntiSpamTextGenerate
&& Globals.GetSiteSettings().EnableAntiSpamTextGenerateForLogin)
{
if(antiSpamText.Text != Globals.GetForumsAntiSpamText())
throw new ForumException(ForumExceptionType.AntiSpamTextNotMatch);
}

userToLogin.Username
= username.Text;
userToLogin.Password
= password.Text;
userToLogin.IPLastLogin
= Globals.IPAddress;
// 用户代理信息增加 by venjiang 2005/01/21
userToLogin.IPLocation = IPScanner.IPLocation(Globals.IPAddress);
userToLogin.Platform
= Users.GetUsersInfo(forumContext.Context.Request.UserAgent, 1);
userToLogin.Browser
= Users.GetUsersInfo(forumContext.Context.Request.UserAgent, 2);

LoginUserStatus loginStatus
= Users.ValidUser(userToLogin);

if (loginStatus == LoginUserStatus.Success)
{
// 如果系统设置不允许登录
if (!Globals.GetSiteSettings().AllowLogin)
{
bool allowed = false;

int userid = Users.FindUserByUsername(userToLogin.Username).UserID;
ArrayList roles
= Roles.GetRoles(userid);
// 如果是管理员,则设置允许登录
foreach (Role role in roles)
{
if (role.Name == "Site Administrators" || role.Name == "Global Administrators")
{
allowed
= true;
break;
}
}

// 处理用户登录处理
if (!allowed)
{
throw new ForumException(ForumExceptionType.UserLoginDisabled);
}
}

// FormsAuthentication.SetAuthCookie(userToLogin.Username, autoLogin.Checked);罗田040823


// 根据cookies下拉列表选择项的值设置cookie
SetLoginCookie(userToLogin.Username, autoLogin.SelectedValue);


// 设置返回url
if (redirectUrl != null && redirectUrl.Length > 0)
{
// 增加返回url判断 by venjiang 2005/01/20
// redirectUrl = (redirectUrl.IndexOf("MessageID") == -1 ? redirectUrl : Globals.GetSiteUrls().Home);
// 修订 by venjiang 2005/03/28
if ((redirectUrl.IndexOf("MessageID") != -1)
|| (redirectUrl.IndexOf(Globals.GetSiteUrls().Logout) != -1)
|| (redirectUrl.IndexOf("ChangePassword") != -1)
|| (redirectUrl.IndexOf("EmailForgottenPassword") != -1))
Page.Response.Redirect(Globals.GetSiteUrls().Home,
true);
else
Page.Response.Redirect(redirectUrl,
true);
}
else
{
//Page.Response.Redirect(Globals.ApplicationPath, true);
// 修订 by venjiang 2005/01/20
Page.Response.Redirect(Globals.GetSiteUrls().Home, true);
}

}
else if (loginStatus == LoginUserStatus.InvalidCredentials)
{
// Invalid Credentials
throw new ForumException(ForumExceptionType.UserInvalidCredentials, "UserName:" + userToLogin.Username);
}
else if (loginStatus == LoginUserStatus.AccountPending)
{
// Account not approved yet
throw new ForumException(ForumExceptionType.UserAccountPending);
}
else if (loginStatus == LoginUserStatus.AccountBanned)
{
// Account banned
throw new ForumException(ForumExceptionType.UserAccountBanned, userToLogin.Nickname + "(" + userToLogin.Username + ")");
}
else if (loginStatus == LoginUserStatus.AccountDisapproved)
{
// Account disapproved
throw new ForumException(ForumExceptionType.UserAccountDisapproved, userToLogin.Nickname + "(" + userToLogin.Username + ")");
}
else if (loginStatus == LoginUserStatus.UnknownError)
{
// Unknown error because of miss-syncronization of internal data
throw new ForumException(ForumExceptionType.UserUnknownLoginError);
}
}

 

 

 

public static bool AuthenticateUser(User userToLogin)
{
LoginUserStatus loginStatus
= Users.ValidUser(userToLogin);

if (loginStatus == LoginUserStatus.Success)
{
// Are we allowing login?
// TODO -- this could be better optimized
if (!Globals.GetSiteSettings().AllowLogin)
{
bool allowed = false;

int userid = Users.FindUserByUsername(userToLogin.Username).UserID;
ArrayList roles
= Roles.GetRoles(userid);

foreach (Role role in roles)
{
if (role.Name == "Site Administrators" || role.Name == "Global Administrators")
{
allowed
= true;
break;
}
}

// Check the user is in the administrator role
if (!allowed)
{
throw new ForumException(ForumExceptionType.UserLoginDisabled);
}
}
return true;
}
else
{
if (loginStatus == LoginUserStatus.InvalidCredentials)
{
// Invalid Credentials
throw new ForumException(ForumExceptionType.UserInvalidCredentials, userToLogin.Username);
}
else if (loginStatus == LoginUserStatus.AccountPending)
{
// Account not approved yet
throw new ForumException(ForumExceptionType.UserAccountPending);
}
else if (loginStatus == LoginUserStatus.AccountBanned)
{
// Account banned
throw new ForumException(ForumExceptionType.UserAccountBanned, userToLogin.Username);
}
else if (loginStatus == LoginUserStatus.AccountDisapproved)
{
// Account disapproved
throw new ForumException(ForumExceptionType.UserAccountDisapproved, userToLogin.Username);
}
else if (loginStatus == LoginUserStatus.UnknownError)
{
// Unknown error because of miss-syncronization of internal data
throw new ForumException(ForumExceptionType.UserUnknownLoginError);
}
return false;
}
}

 

 

 

// 用户验证
/// <summary>
/// 验证用户有效性
/// </summary>
/// <param name="user">
/// 要验证的用户,用户名和密码属性是必须的.
/// </param>
/// <returns>返回当前用户登录状态</returns>
public static LoginUserStatus ValidUser(User user)
{
return ValidUser(user, false);
}

/// <summary>
/// 验证用户登录状态
/// </summary>
/// <param name="user">要验证的用户</param>
/// <param name="isRequestFromWebService">是否来自Web服务请求</param>
/// <returns>返回用户登录状态</returns>
// 登录验证-1
public static LoginUserStatus ValidUser(User user, bool isRequestFromWebService)
{
ForumsDataProvider dp
= ForumsDataProvider.Instance();

// Lookup account by provided username
// 查找用户状态,以确保根据用户帐户状态进行操作.
// 检查用户登录用户名密码是否统一,帐户是否禁止等.
User userLookup = Users.FindUserByUsername(user.Username);
if (userLookup == null)
return LoginUserStatus.InvalidCredentials;

// 检测帐号状态
if (userLookup.IsBanned && DateTime.Now <= userLookup.BannedUntil)
{
// 帐号禁止
return LoginUserStatus.AccountBanned;
}
// 帐号封禁
else if (userLookup.IsBanned && DateTime.Now > userLookup.BannedUntil)
{
// Update to back to datastore
userLookup.AccountStatus = UserAccountStatus.Approved;
userLookup.BannedUntil
= DateTime.Now;

Users.UpdateUser(userLookup);
}
// 待批准
if (userLookup.AccountStatus == UserAccountStatus.ApprovalPending)
{
return LoginUserStatus.AccountPending;
}
// 未批准
if (userLookup.AccountStatus == UserAccountStatus.Disapproved)
{
return LoginUserStatus.AccountDisapproved;
}

// if (HttpContext.Current.User.Identity.AuthenticationType == "" )
// 如果不是来自WS请求
if (!isRequestFromWebService)
{
// 获取用户Salt和密码加密格式,密码
user.Salt = userLookup.Salt;
user.PasswordFormat
= userLookup.PasswordFormat; // Lucian: I think it must be reused. Usefull when there are a wide range of passwd formats.
// Set the Password
user.Password = Users.Encrypt(user.PasswordFormat, user.Password, user.Salt);
}
// 通过数据库中验证用户.
return (LoginUserStatus) dp.ValidateUser(user);
}

 

 


在ForumsHttpModule中,每次验证用户授权Application_AuthorizeRequest。

posted @ 2010-06-04 17:33  Jesong  阅读(349)  评论(0编辑  收藏  举报