forms验证权限问题
0
悬赏园豆:10
[已解决问题]
解决于 2014-09-11 23:19
我做了一个角色权限验证的,在admin文件夹下有文件
web.config
代码为:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="superadmin,admin" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
Global.asax下的代码为:
protected void Application_AuthorizeRequest(object sender, EventArgs e)
{
HttpApplication App = (HttpApplication)sender;
HttpContext Ctx = App.Context;
if (Ctx.Request.IsAuthenticated == true)
{
FormsIdentity Id = (FormsIdentity)Ctx.User.Identity;
FormsAuthenticationTicket Ticket = Id.Ticket;
string[] roles = Ticket.UserData.Split(',');
Ctx.User = new System.Security.Principal.GenericPrincipal(Id, roles);
}
}
login.aspx登录部分代码:
protected void Lg_Click(object sender, EventArgs e)
{
if (string.IsNullOrEmpty(this.User_Name.Text.Trim()) || string.IsNullOrEmpty(this.User_Password.Text.Trim()))
{
ClientScript.RegisterStartupScript(GetType(), "message", "<script>alert('用户名和密码不能为空');</script>");
return;
}
string UserRule = string.Empty; ;
if (CheckUser(ref UserRule))
{
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, this.User_Name.Text, DateTime.Now, DateTime.Now.AddMinutes(30), true, UserRule.Trim(), FormsAuthentication.FormsCookiePath);
string hash = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hash);
if (ticket.IsPersistent)
cookie.Expires = ticket.Expiration;
Response.Cookies.Add(cookie);
string returnUrl = Request.QueryString["ReturnUrl"];
if (string.IsNullOrEmpty(returnUrl))
{
returnUrl = FormsAuthentication.DefaultUrl;
}
Response.Redirect(returnUrl);
}
else
{
ClientScript.RegisterStartupScript(GetType(), "message", "<script>alert('用户名或密码错误');</script>");
}
}
不知道为什么这样总是登录不了,
把
web.config改为:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
<allow roles="superadmin,admin" />
</authorization>
</system.web>
</configuration>
就可以登录成功
而且用 HttpContext.Current.User.IsInRole("superadmin").ToString() 为true
但是这样的话什么角色都可以登录了,请教各位高手我的问题出现在哪里?
最佳答案
0
没有把角色赋值给GenericPrincipal实列,把登录代码改成如下个试试看。
protected void Lg_Click(object sender, EventArgs e)
{
if (string.IsNullOrEmpty(this.User_Name.Text.Trim()) || string.IsNullOrEmpty(this.User_Password.Text.Trim()))
{
ClientScript.RegisterStartupScript(GetType(), "message", "<script>;</script>");
return;
}
string UserRule = string.Empty; ;
if (CheckUser(ref UserRule))
{
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, this.User_Name.Text, DateTime.Now, DateTime.Now.AddMinutes(30), true, UserRule.Trim(), FormsAuthentication.FormsCookiePath);
string[] arrRule= UserRule.Split(',');
FormsIdentity id = new FormsIdentity(ticket);
GenericPrincipal principal = new GenericPrincipal(id, arrRule);
string hash = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hash);
if (ticket.IsPersistent)
cookie.Expires = ticket.Expiration;
Response.Cookies.Add(cookie);
HttpContext.Current.User = principal;
string returnUrl = Request.QueryString["ReturnUrl"];
if (string.IsNullOrEmpty(returnUrl))
{
returnUrl = FormsAuthentication.DefaultUrl;
}
Response.Redirect(returnUrl);
}
else
{
ClientScript.RegisterStartupScript(GetType(), "message", "<script>;</script>");
}
}
收获园豆:10
试过了,好像也是一样哦
其他回答(1)
0
你deny*,也就是说拒绝所有用户了,怎么能登录呢?
如果你是想拒绝所有用户,但是角色是你允许的角色的话,两个顺序要反过来,
先deny*
然后alow role“admin,guest”
试过了,都不行哦
看看deny rols *
alow roles “xxx,xxx"
这样。
deny rols * 提示错误
那你把*改成?试试。