Problem description
Every bit of research on this topic is showing how to do these tasks with MVC; my project is MVP Web Forms based. I have the authentication done, but is there a pattern or strategy to best do authorization?
Such as checking for hotlinking on specific pages against a user's role, or hiding ASP controls given a role.
Currently I'm doing things like:
if (user.Roles.Contains("Admin")) {
    lnkAdmin.Visible = true; // WebControl exposes Visible, not Visibility
}
And I don't think that's very clean or maintainable, is there a better way to do these things?
Solution
The Web Forms way of making specific controls available only to certain roles is to use a LoginView control. Example from the documentation:
<asp:LoginView id="LoginView1" runat="server">
    <AnonymousTemplate>
        Please log in for personalized information.
    </AnonymousTemplate>
    <LoggedInTemplate>
        Thanks for logging in
        <asp:LoginName id="LoginName1" runat="Server"></asp:LoginName>.
    </LoggedInTemplate>
    <RoleGroups>
        <asp:RoleGroup Roles="Admin">
            <ContentTemplate>
                <asp:LoginName id="LoginName2" runat="Server" />, you are logged in as an administrator.
            </ContentTemplate>
        </asp:RoleGroup>
    </RoleGroups>
</asp:LoginView>
To prevent users not in certain roles from accessing pages, you can use the location elements in your web.config file. Again, another example from the documentation:
<configuration>
    <system.web>
        <authentication mode="Forms">
            <!-- protection="None" leaves the forms ticket neither encrypted nor signed; use "All" outside a sample. -->
            <forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20">
            </forms>
        </authentication>
        <!-- This section denies anonymous users access to all files in this application except those explicitly allowed by another setting. -->
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>
    <!-- This section gives the unauthenticated user access to the Default1.aspx page only. It is located in the same folder as this configuration file. -->
    <location path="default1.aspx">
        <system.web>
            <authorization>
                <allow users="*" />
            </authorization>
        </system.web>
    </location>
    <!-- This section gives the unauthenticated user access to all of the files that are stored in the Subdir1 folder. -->
    <location path="subdir1">
        <system.web>
            <authorization>
                <allow users="*" />
            </authorization>
        </system.web>
    </location>
</configuration>
Similarly, it can be role based.
<location path="AdminFolder">
    <system.web>
        <authorization>
            <!-- Rules are evaluated top to bottom and the first match wins, so the allow must precede the deny. -->
            <allow roles="Admin" /> <!-- Allows users in the Admin role -->
            <deny users="*" /> <!-- Denies everyone else -->
        </authorization>
    </system.web>
</location>
<location path="CustomerFolder">
    <system.web>
        <authorization>
            <allow roles="Admin, Customers" /> <!-- Allows users in the Admin and Customers roles -->
            <deny users="*" /> <!-- Denies everyone else -->
        </authorization>
    </system.web>
</location>
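As an added example that is not part of the answer or of ASP.NET itself, here is a small Python model of how URL authorization evaluates the `<location>` rules above (most specific location first, rules top to bottom, first match wins, `?` is anonymous, `*` is everyone), which lets you check offline that `<allow roles>` precedes `<deny users="*">`; `WEB_CONFIG`, `MISORDERED` and `is_authorized` are constructed for this example.

```python
"""Simplified model of ASP.NET UrlAuthorizationModule rule evaluation.
It is an approximation written for illustration, not the real module."""
import xml.etree.ElementTree as ET

# Constructed web.config fragment combining the snippets from the answer.
WEB_CONFIG = """<configuration>
  <system.web><authorization><deny users="?"/></authorization></system.web>
  <location path="AdminFolder"><system.web><authorization>
    <allow roles="Admin"/><deny users="*"/>
  </authorization></system.web></location>
  <location path="CustomerFolder"><system.web><authorization>
    <allow roles="Admin, Customers"/><deny users="*"/>
  </authorization></system.web></location>
</configuration>"""

# Same config with the AdminFolder rules swapped: the deny now matches first.
MISORDERED = WEB_CONFIG.replace('<allow roles="Admin"/><deny users="*"/>',
                                '<deny users="*"/><allow roles="Admin"/>')

def _rules(section):
    """Return the <allow>/<deny> elements of a section, in document order."""
    auth = section.find("system.web/authorization")
    return list(auth) if auth is not None else []

def _matches(rule, user, roles):
    """Does this rule apply to the request? user=None means anonymous."""
    users = [u.strip() for u in rule.get("users", "").split(",") if u.strip()]
    rule_roles = [r.strip() for r in rule.get("roles", "").split(",") if r.strip()]
    if "*" in users or (user is None and "?" in users) or user in users:
        return True
    return any(r in roles for r in rule_roles)

def is_authorized(config_xml, path, user=None, roles=()):
    """Return True if `user` holding `roles` may request `path`."""
    root = ET.fromstring(config_xml)
    # A <location> applies to its exact path or anything beneath it;
    # the most specific (longest) path is consulted before the root section.
    locations = [loc for loc in root.findall("location")
                 if path.lower() == loc.get("path").lower()
                 or path.lower().startswith(loc.get("path").lower() + "/")]
    locations.sort(key=lambda loc: -len(loc.get("path")))
    for section in locations + [root]:
        for rule in _rules(section):
            if _matches(rule, user, roles):
                return rule.tag == "allow"   # first matching rule decides
    return True  # nothing matched: ASP.NET's root default is <allow users="*"/>
```

Like UrlAuthorizationModule, this only governs requests that reach ASP.NET; under the IIS classic pipeline static files such as images bypass it unless they are mapped to ASP.NET, which matters for the hotlinking case in the question.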