确定如果当前页面需要授权? [英] Determine if current page requires authorization?
问题描述
所以,我有一个像这样web.configs Web应用程序:
So, I have web apps with web.configs like so:
<authorization>
<deny users="?"/>
</authorization>
...
<location path="SomeUnsecuredPage.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
在换句话说,大多数页面需要身份验证和授权,但有些则没有。
In other words, most pages require authentication and authorization, but some don't.
然后我有一个将所有不同的应用程序使用的IHttpModule的。所有我想要做的是检查,如果当前请求是安全的说法。如果页面不需要授权的,我不希望我的IHttpModule的做任何事情。我使用FormsAuthentication,我认为FormsAuthentication已拥有的某处缓存此信息,不是吗?此外,由于该检查将不断运行,所以它必须非常快。
Then I have an IHttpModule that will be used by all the different applications. All I want to do is check if the current request is "secured" at all. If the page doesn't require authorization I don't want my IHttpModule to do anything at all. I am using FormsAuthentication and I assume that FormsAuthentication already has all of this information cached somewhere, doesn't it? Also, since this check will be running constantly so it has to be very quick.
我目前订阅该HttpApplication.AuthorizeRequest,但令人惊讶的这一事件触发即使资源允许匿名访问的。
I am currently subscribing to the HttpApplication.AuthorizeRequest, but surprisingly this event fires even for resources that allow anonymous access.
任何想法?感谢您的阅读!
Any ideas? Thanks for reading!
推荐答案
创建一个盗版的IPrincipal,然后你必须使用的。如果盗版主要有访问,则允许匿名访问。
Create a bootleg IPrincipal and then you have to use that. If the bootleg principal has access then anonymous access is allowed.
public static class AnonymousAccessCheck
{
public static bool IsAnonymousAccessAllowed(HttpRequest request)
{
// unfortunately checking if a page allows anonymous access is more complicated than you'd think(I think).
// here we have to create a "Fake" IPrincipal that will only ever have access to
// pages that allow anonymous access. That way if our fake principal has access,
// then anonymous access is allowed
UrlAuthorizationModule urlAuthorizationModule = new UrlAuthorizationModule();
return UrlAuthorizationModule.CheckUrlAccessForPrincipal(request.Path, AnonymousPrincipal.Instance, request.RequestType);
}
private class AnonymousPrincipal : IPrincipal
{
private static AnonymousPrincipal _Instance;
public static AnonymousPrincipal Instance
{
get
{
if (_Instance == null)
_Instance = new AnonymousPrincipal();
return _Instance;
}
}
private AnonymousPrincipal()
{
_Identity = new AnonymousIdentity();
}
private readonly IIdentity _Identity;
#region IPrincipal Members
public IIdentity Identity
{
get { return _Identity; }
}
public bool IsInRole(string role)
{
return false;
}
#endregion
private class AnonymousIdentity : IIdentity
{
#region IIdentity Members
public string AuthenticationType
{
get { return string.Empty; }
}
public bool IsAuthenticated
{
get { return false; }
}
public string Name
{
get { return string.Empty; }
}
#endregion
}
}
}
这篇关于确定如果当前页面需要授权?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!