ASP.NET MVC角色和安全 [英] ASP.NET MVC Roles and Security

问题描述

假设像这是我SampleController操作方法

Assume like this is my SampleController action method

public ActionResult AdminView()
{
    return View()
}

如果想如果登录的用户属于管理员角色被称为该控制器的方法，否则该方法调用应该被阻塞，用户应该获得一些自定义的未经授权的访问错误页面。

If want this controller method to be called if the logged in user belongs to admin role, otherwise this method call should be blocked and the user should get an some custom unauthorized access error page.

在我的ASP.NET MVC Web应用程序，当，我存储在一个会话作为一个字符串的用户角色的用户登录。而每当有需要验证的用户角色，我比较储存在对一个恒定的会话中的价值说ADMIN_ROLE。但我写了一张code，以检查用户角色几乎在每一个控制器的操作方法，然后要么返回给用户或未经授权的访问页面视图相应的视图，如果用户的角色被限制在控制器的操作方法

In my asp .net mvc web application, when the user logs in, I am storing the user role in a session as a string. And whenever there is a need to validate the user role, I compare the value stored in the session against a constant say "ADMIN_ROLE". But I am writing that piece of code to check for the user role in almost every controller action method and then either return an appropriate view for the user or an unauthorized access page view if the user role is restricted for the controller action method.

我用Google搜索和阅读，我们可以使用这样的事情。

I googled and read that we can use something like this.

[Authorize(Roles="admin")]
public ActionResult AdminView()
{
  return View()
}

但我不知道如何授权和角色关键字作品。如何把角色=管理员的时候，是要在检查我的用户角色的字符串保存在session，或如何，我可以将用户重定向到未经授权的网页，如果角色不匹配标记的操作方法中的作用有所帮助。

But I am not sure how the Authorize and the Roles keyword works. How when putting Roles = "Admin", is going to help in checking my user role string stored in the session, or how I can redirect a user to unauthorized page, in case the role does not match the role tagged for the action method.

推荐答案

按我的想法，你需要code进行授权。

As per my thinking you need to code for authorization.

public class AuthorizeAttribute : FilterAttribute, IAuthorizationFilter
{
    private readonly RoleEnum[] _acceptedRoles;

    public AuthorizeAttribute(params RoleEnum[] acceptedroles)
    {
        _acceptedRoles = acceptedroles;
    }

    public AuthorizeAttribute(params bool[] allowAll)
    {
        if (allowAll[0])
            _acceptedRoles = new RoleEnum[] { RoleEnum.Admin, RoleEnum.user};
    }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (SessionHelper.UserInSession == null)//user not logged in
        {
            FormsAuthentication.SignOut();
            filterContext.Result =
                 new RedirectToRouteResult(new System.Web.Routing.RouteValueDictionary {{ "controller", "Home" },
                                             { "action", "Index" },
                                             { "returnUrl",    filterContext.HttpContext.Request.RawUrl } });//send the user to login page with return url
            return;
        }
        if (!_acceptedRoles.Any(acceptedRole => SessionHelper.UserInSession.UserRoles.Any(currentRole => acceptedRole == currentRole.Role)))
            //allow if any of the user roles is among accepted roles. Else redirect to login page
            throw new UnauthorizedAccessException();

    }
}

这也工作返回URL。

这篇关于ASP.NET MVC角色和安全的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！