MVC 3 location allow users in web.config


Question

I am trying to do authorization by using web.config. My user registration does not use ASP.NET Configuration. I am handling the login page with a database. I want to protect the admin page from other people typing the address in manually. I put this code in Web.config.

<!-- Web.config -->
<location path="Product">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>

When an admin logs in to the website from the homepage, which has a partial logon page, it gets the userName and whether admin is false or true from the database.

    // Requires: using System.Configuration; System.Data.SqlClient; System.Web.Mvc; System.Web.Security;
    [HttpPost]
    public ActionResult Index(Customer model)
    {
        if (ModelState.IsValid)
        {
            // Determine whether the user is an admin or a customer
            SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["rentalDB"].ToString());
            // Parameterized query: userName is bound as data instead of being concatenated into the SQL text
            String find_admin_query = "SELECT admin FROM Customer WHERE userName = @userName AND admin = 'true'";
            SqlCommand cmd = new SqlCommand(find_admin_query, conn);
            cmd.Parameters.AddWithValue("@userName", model.userName);
            conn.Open();
            SqlDataReader sdr = cmd.ExecuteReader();
            // admin is true when a matching admin row exists, false otherwise
            model.admin = sdr.HasRows;
            conn.Close();

            // if an admin is logging in
            if (model.admin == true)
            {
                if (DAL.UserIsVaild(model.userName, model.password))
                {
                    FormsAuthentication.SetAuthCookie(model.userName, true);
                    return RedirectToAction("Index", "Product");
                }
            }

            // if a customer is logging in
            if (model.admin == false)
            {
                if (DAL.UserIsVaild(model.userName, model.password))
                {
                    FormsAuthentication.SetAuthCookie(model.userName, true);
                    return RedirectToAction("Index", "Home");
                }
            }
            ModelState.AddModelError("", "The user name or password is incorrect.");
        }
        // If we got this far, something failed, redisplay form
        return View(model);
    }

Then my question is, how can I define the user in web.config instead of "*", like using model.userName or model.admin? Could you tell me how to define the users? Thanks.

Recommended answer

Firstly, you cannot use the authorization element in the web.config to protect paths like you can for ASP.NET WebForms. This is because the routes in MVC are not physical paths like in WebForms.

Secondly, you may wish to roll your own MembershipProvider and RoleProvider, as it will integrate nicely with ASP.NET and MVC. It's pretty trivial, and you can substitute your own DAL to fulfill the provider contracts.

Here's what your controllers might look like once you've implemented your own providers:

using System.Web.Mvc;
using System.Web.Security;

public class AuthController : Controller
{
    [HttpPost]
    public ActionResult Index(Customer model)
    {
        if (ModelState.IsValid)
        {
            if (Membership.ValidateUser(model.userName, model.password))
            {
                // Issue the forms-auth cookie; without it the [Authorize] controllers below reject the redirect
                FormsAuthentication.SetAuthCookie(model.userName, true);

                if (Roles.IsUserInRole(model.userName, "admin")) return RedirectToAction("Index", "Product");

                return RedirectToAction("Index", "Home");
            }

            ModelState.AddModelError("", "The user name or password is incorrect.");
        }
        // If we got this far, something failed, redisplay form
        return View(model);
    }
}

[Authorize(Roles = "user")]
public class HomeController : Controller
{

    public ActionResult Index()
    {
        return View();
    }
}

[Authorize(Roles = "admin")]
public class ProductController : Controller
{

    public ActionResult Index()
    {
        return View();
    }
}

If you don't want to make your own providers, there are two other options to get the same functionality as the [Authorization] decorations:

  1. Subscribe to the AuthenticateRequest event in your global.asax.cs, and check to make sure the User.Identity.IsAuthenticated property is true (which it will be able to tell you, because the forms auth ticket will have been processed for you at this point). If it is true, load your roles from your DAL and create a new membership object, adding in the roles you found from the DAL. Now you can use AuthorizeAttribute anywhere else.

  2. Create your own derivative AuthorizeAttribute that uses your DAL to get the user's roles.
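
Both options from the answer, sketched as an added example (not the answerer's code). `RoleStore` and `DalAuthorizeAttribute` are hypothetical names; the role names `admin` and `user` follow the answer's controllers, and the table, column and connection-string names are taken from the question.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Hypothetical DAL helper: maps the question's Customer.admin flag to role names.
public static class RoleStore
{
    public static string[] GetRolesForUser(string userName)
    {
        const string sql = "SELECT CASE WHEN admin = 'true' THEN 1 ELSE 0 END " +
                           "FROM Customer WHERE userName = @userName";
        using (var conn = new SqlConnection(ConfigurationManager.ConnectionStrings["rentalDB"].ToString()))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@userName", userName); // bound parameter, never concatenation
            conn.Open();
            object isAdmin = cmd.ExecuteScalar();
            if (isAdmin == null) return new string[0];          // unknown user: no roles
            return Convert.ToInt32(isAdmin) == 1 ? new[] { "admin" } : new[] { "user" };
        }
    }
}
// Option 1 (Global.asax.cs): attach DAL roles to the forms-auth identity on every request.
public class MvcApplication : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal user = Context.User;
        if (user == null || !user.Identity.IsAuthenticated) return;
        Context.User = new GenericPrincipal(user.Identity, RoleStore.GetRolesForUser(user.Identity.Name));
    }
}

// Option 2: [DalAuthorize(Roles = "admin")] asks the DAL directly and denies by default.
public class DalAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        IPrincipal user = httpContext.User;
        if (user == null || !user.Identity.IsAuthenticated) return false;
        string[] required = Roles.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        if (required.Length == 0) return true;                  // plain [DalAuthorize]: any signed-in user
        string[] actual = RoleStore.GetRolesForUser(user.Identity.Name);
        return required.Any(r => actual.Contains(r.Trim(), StringComparer.OrdinalIgnoreCase));
    }
}
```

Roles are read from the database on each request, so clearing a user's admin flag takes effect on the next request even while a persistent auth cookie is still valid. This `AuthorizeCore` override does not evaluate the attribute's `Users` property.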
