Best way to do authorization in webforms

Question

Every bit of research on this topic is showing how to do this task with MVC, my project is MVP webforms based. I have the authentication done, but is there a pattern or strategy to best do authorization?

Such as checking for hotlinking on specific pages against a user's role, or hiding ASP controls given a role.

Currently I'm doing things like:

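// Show the admin link only to users in the Admin role.
if (user.Roles.Contains("Admin")) {
    lnkAdmin.Visible = true; // Web Forms server controls expose Visible, not Visibility
}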

And I don't think that's very clean or maintainable, is there a better way to do these things?

Recommended answer

The Web Forms way of making specific controls available only to certain roles is to use a LoginView control. Example from the documentation:

 <asp:LoginView id="LoginView1" runat="server">
     <AnonymousTemplate>
         Please log in for personalized information.
     </AnonymousTemplate>
     <LoggedInTemplate>
         Thanks for logging in 
         <asp:LoginName id="LoginName1" runat="Server"></asp:LoginName>.
     </LoggedInTemplate>
     <RoleGroups>
         <asp:RoleGroup Roles="Admin">
             <ContentTemplate>
                 <asp:LoginName id="LoginName2" runat="Server" />, you are logged in as an administrator.
             </ContentTemplate>
         </asp:RoleGroup>
     </RoleGroups>
 </asp:LoginView>

To prevent users not in certain roles from accessing pages, you can use the location elements in your web.config file. Again, another example from the documentation:

<configuration>
    <system.web>
        <authentication mode="Forms" >
            <!-- protection="None" leaves the forms authentication ticket unencrypted and unvalidated; the default value is "All". -->
            <forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20" >
            </forms>
        </authentication>
<!-- This section denies unauthenticated users access to all files in this application except those explicitly allowed by another setting. -->
        <authorization>
            <deny users="?" /> 
        </authorization>
    </system.web>
<!-- This section gives the unauthenticated user access to the Default1.aspx page only. It is located in the same folder as this configuration file. -->
        <location path="default1.aspx">
        <system.web>
        <authorization>
            <allow users ="*" />
        </authorization>
        </system.web>
        </location>
<!-- This section gives the unauthenticated user access to all of the files that are stored in the Subdir1 folder.  -->
        <location path="subdir1">
        <system.web>
        <authorization>
            <allow users ="*" />
        </authorization>
        </system.web>
        </location>
</configuration>

Likewise, it can also be role-based (http://weblogs.asp.net/gurusarkar/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config).

<location path="AdminFolder">
    <system.web>
        <authorization>
            <allow roles="Admin"/> <!-- Allows users in Admin role -->
            <deny users="*"/> <!-- Deny everyone else -->
        </authorization>
    </system.web>
</location>
<location path="CustomerFolder">
    <system.web>
        <authorization>
            <allow roles="Admin, Customers"/> <!-- Allow users in Admin and Customers roles -->
            <deny users="*"/> <!-- Deny everyone else -->
        </authorization>
    </system.web>
</location>
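
ASP.NET checks these allow and deny rules from top to bottom and the first rule that matches the user decides, which is why the allow entry for a role has to come before the deny for everyone. The following is an added example, not code from the answer or from ASP.NET: a simplified Python model of that evaluation run over a constructed web.config that merges the snippets above. The names is_allowed, _rules and _split are hypothetical, and verbs and nested location elements are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed web.config that merges the snippets from the answer above.
WEB_CONFIG = """<configuration>
  <system.web>
    <authorization><deny users="?" /></authorization>
  </system.web>
  <location path="default1.aspx">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
  <location path="AdminFolder">
    <system.web><authorization>
      <allow roles="Admin" /><deny users="*" />
    </authorization></system.web>
  </location>
  <location path="CustomerFolder">
    <system.web><authorization>
      <allow roles="Admin, Customers" /><deny users="*" />
    </authorization></system.web>
  </location>
</configuration>"""

def _rules(node):
    """(action, users, roles) tuples from node's own system.web/authorization."""
    out = []
    for sw in (c for c in node if c.tag == "system.web"):
        for auth in (c for c in sw if c.tag == "authorization"):
            out += [(r.tag, r.get("users", ""), r.get("roles", "")) for r in auth]
    return out

def _split(value):
    return {v.strip().lower() for v in value.split(",") if v.strip()}

def is_allowed(config_xml, path, user=None, roles=()):
    """Simplified model of URL authorization; user=None means anonymous."""
    root = ET.fromstring(config_xml)
    path = path.strip("/").lower()
    rules = []
    # Rules from a matching <location> are checked before the site-wide rules.
    for loc in root.findall("location"):
        prefix = loc.get("path", "").strip("/").lower()
        if path == prefix or path.startswith(prefix + "/"):
            rules += _rules(loc)
    rules += _rules(root)
    held = {r.lower() for r in roles}
    who = "?" if user is None else user.lower()  # "?" stands for anonymous
    for action, users, rule_roles in rules:
        names = _split(users)
        if "*" in names or who in names or held & _split(rule_roles):
            return action == "allow"  # first matching rule decides
    return True  # ASP.NET's root configuration ends with <allow users="*" />
```

Swapping the two rules inside the AdminFolder block so that the deny comes first locks out the Admin role as well, because the deny for everyone matches before the allow is reached.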
