How to set denied access to page


Question

Hello all,

I am worried about the security of my application. Here I have set role rights for the employees. When I set role rights for an employee, the pages show in the user's account. When the user browses a page, it shows. Up to here it is all right, but when a user tries to access a path for which rights have not been given to him, the page still displays. It does not maintain security.
e.g. http://www.comapanyname.net/elm/Appraisal/finalreport

Actually, this final report is only for the admin, but everyone can view it, so how will I maintain security?

Recommended answer

Divide your pages into separate folders:
~/Users
~/Admins
~/WebMaster

And give each folder a web.config file which specifies the access rights:

<configuration>
    <system.web>
        <authorization>
            <allow roles="admin" />
            <deny users="*" />
        </authorization>
    </system.web>
</configuration>

Provided you are using Membership or similar, it will work automatically.

If you have "home-brewed" your authentication system, then you will need to check in every page (or the relevant master page) if the user is allowed - which is a bad practice!
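
The same per-folder rules can also be kept in the site's root web.config using `<location>` elements, which makes the rule order easy to review in one place. This is an added example, not part of the original answer; the `Admins` and `Users` folders and the `admin` role come from the answer, while the `employee` role name is an assumption.

```xml
<configuration>
  <system.web>
    <!-- Site-wide default: "?" means anonymous, so every page needs a signed-in user. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Rules for ~/Admins. They are read top to bottom and the first match decides,
       so the allow for the role must come before the catch-all deny. -->
  <location path="Admins">
    <system.web>
      <authorization>
        <allow roles="admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Rules for ~/Users. "employee" is an assumed role name. -->
  <location path="Users">
    <system.web>
      <authorization>
        <allow roles="admin,employee" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Ordering mistake to avoid: with the deny first, "*" matches every user,
       the allow below it is never reached, and admins are locked out too.
       <authorization>
         <deny users="*" />
         <allow roles="admin" />
       </authorization>
  -->
</configuration>
```

If a folder has no rule that matches the user, the rules inherited from the parent configuration apply, and the machine-level default allows everyone, which is why each block ends with an explicit deny.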

