
Forms authentication permission problem

Bounty: 10 points [Resolved] Resolved on 2014-09-11 23:19

I built role-based permission checking. The admin folder contains the file

web.config

with this content:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.web>
        <authorization>
          <allow roles="superadmin,admin" />
          <deny users="*" />
        </authorization>
    </system.web>
</configuration>

 

The code in Global.asax is:

    protected void Application_AuthorizeRequest(object sender, EventArgs e)
    {
        HttpApplication App = (HttpApplication)sender;
        HttpContext Ctx = App.Context;
        if (Ctx.Request.IsAuthenticated == true)
        {
            FormsIdentity Id = (FormsIdentity)Ctx.User.Identity;
            FormsAuthenticationTicket Ticket = Id.Ticket;
            string[] roles = Ticket.UserData.Split(',');
            Ctx.User = new System.Security.Principal.GenericPrincipal(Id, roles);
        }
    }

 

The login code in login.aspx:

   protected void Lg_Click(object sender, EventArgs e)
    {
        if (string.IsNullOrEmpty(this.User_Name.Text.Trim()) || string.IsNullOrEmpty(this.User_Password.Text.Trim()))
        {
            ClientScript.RegisterStartupScript(GetType(), "message", "<script>alert('用户名和密码不能为空');</script>");
            return;
        }
        string UserRule = string.Empty; ;
        if (CheckUser(ref UserRule))
        {
            FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, this.User_Name.Text, DateTime.Now, DateTime.Now.AddMinutes(30), true, UserRule.Trim(), FormsAuthentication.FormsCookiePath);
            string hash = FormsAuthentication.Encrypt(ticket);
            HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hash);
            if (ticket.IsPersistent)
                cookie.Expires = ticket.Expiration;
            Response.Cookies.Add(cookie);
            string returnUrl = Request.QueryString["ReturnUrl"];
            if (string.IsNullOrEmpty(returnUrl))
            {
                returnUrl = FormsAuthentication.DefaultUrl;
            }
            Response.Redirect(returnUrl);
        }
        else
        {
            ClientScript.RegisterStartupScript(GetType(), "message", "<script>alert('用户名或密码错误');</script>");
        }
    }

 

I don't know why, but with this setup I can never log in.

If I change web.config to:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.web>
        <authorization>
          <deny users="?"/>
          <allow roles="superadmin,admin" />
        </authorization>
    </system.web>
</configuration>

then login succeeds,

and HttpContext.Current.User.IsInRole("superadmin").ToString() is true.

But this way any role can log in. Could the experts here tell me where my problem is?

合仔茶 | Beginner Level 1 | Points: 151
Asked: 2010-12-07 14:50
Best answer

The roles were not assigned to the GenericPrincipal instance. Try changing the login code to the following.

    // Requires: using System.Security.Principal; (for GenericPrincipal)
    protected void Lg_Click(object sender, EventArgs e)
    {
        if (string.IsNullOrEmpty(this.User_Name.Text.Trim()) || string.IsNullOrEmpty(this.User_Password.Text.Trim()))
        {
            ClientScript.RegisterStartupScript(GetType(), "message", "<script>;</script>");
            return;
        }
        string UserRule = string.Empty; ;
        if (CheckUser(ref UserRule))
        {
            FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, this.User_Name.Text, DateTime.Now, DateTime.Now.AddMinutes(30), true, UserRule.Trim(), FormsAuthentication.FormsCookiePath);

            string[] arrRule= UserRule.Split(',');
            FormsIdentity id = new FormsIdentity(ticket);
            GenericPrincipal principal = new GenericPrincipal(id, arrRule);
            
            string hash = FormsAuthentication.Encrypt(ticket);
            HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hash);
            if (ticket.IsPersistent)
                cookie.Expires = ticket.Expiration;
            Response.Cookies.Add(cookie);

            HttpContext.Current.User = principal;

            string returnUrl = Request.QueryString["ReturnUrl"];
            if (string.IsNullOrEmpty(returnUrl))
            {
                returnUrl = FormsAuthentication.DefaultUrl;
            }
            Response.Redirect(returnUrl);
        }
        else
        {
            ClientScript.RegisterStartupScript(GetType(), "message", "<script>;</script>");
        }
    }

Points awarded: 10
阿松 | Shrimp Level 3 | Points: 601 | 2010-12-07 15:22
I tried it; it seems to be the same.
合仔茶 | Points: 151 (Beginner Level 1) | 2010-12-07 15:28
Other answers (1)

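You deny *, which means you reject all users, so how could anyone log in?

If you want to reject all users except those whose role is one you allow, the order of the two has to be reversed:

first deny *

then allow role "admin,guest"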

顾晓北 | Points: 9534 (Hero Level 5) | 2010-12-07 15:18
I tried that; neither works.
合仔茶 | Points: 151 (Beginner Level 1) | 2010-12-07 15:28
Try it like this: deny roles * allow roles "xxx,xxx".
顾晓北 | Points: 9534 (Hero Level 5) | 2010-12-08 08:56
deny roles * reports an error.
合仔茶 | Points: 151 (Beginner Level 1) | 2010-12-08 13:22
Then try changing * to ?.
顾晓北 | Points: 9534 (Hero Level 5) | 2010-12-08 13:38
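
An added example, not part of any post above and not the posters' code: a small C# console model of how the two `admin/web.config` variants from the question are evaluated, where the first matching rule decides and the root default `<allow users="*" />` follows the folder's own rules. The class and variable names and the user `alice` are constructed; the "no roles yet" principal assumes the roles are attached in an `AuthorizeRequest` handler, an event that fires after the authorization module has already checked the request.

```csharp
using System;
using System.Linq;
using System.Security.Principal;

// Simplified model of ASP.NET URL authorization (not the framework's code):
// rules are read top-down, the first rule that matches the user decides, and
// the inherited default <allow users="*"/> sits after the folder's own rules.
static class UrlAuthModel
{
    // One <allow>/<deny> element; an absent attribute is the empty string.
    record Rule(bool Allow, string Users = "", string Roles = "");

    static bool Matches(Rule r, IPrincipal p)
    {
        bool anon = !p.Identity.IsAuthenticated;
        bool byUser = r.Users.Split(',').Any(u =>
            u == "*" || (u == "?" && anon) || (!anon && u == p.Identity.Name));
        return byUser || r.Roles.Split(',').Any(p.IsInRole);
    }

    static bool IsAllowed(Rule[] folderRules, IPrincipal p)
    {
        var inherited = new Rule(true, Users: "*");   // root-level default rule
        return folderRules.Append(inherited).First(r => Matches(r, p)).Allow;
    }

    static void Main()
    {
        // The two admin/web.config variants from the question.
        var allowThenDenyAll = new[] {
            new Rule(true, Roles: "superadmin,admin"), new Rule(false, Users: "*") };
        var denyAnonThenAllow = new[] {
            new Rule(false, Users: "?"), new Rule(true, Roles: "superadmin,admin") };

        // Constructed principals for one signed-in user.
        var id = new GenericIdentity("alice");
        var noRolesYet = new GenericPrincipal(id, new string[0]);
        var admin = new GenericPrincipal(id, new[] { "admin" });
        var guest = new GenericPrincipal(id, new[] { "guest" });

        foreach (var (label, rules) in new[] {
            ("allow roles, deny *", allowThenDenyAll),
            ("deny ?, allow roles", denyAnonThenAllow) })
            foreach (var (who, p) in new[] {
                ("no roles yet", noRolesYet), ("admin", admin), ("guest", guest) })
                Console.WriteLine($"{label,-20} {who,-13} allowed={IsAllowed(rules, p)}");
    }
}
```

When the roles are attached in `Application_AuthenticateRequest` instead, the rules are evaluated against the principal that already carries them, so the first configuration admits only the listed roles.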