Forms authentication based on role authorization
1 Authentication
The settings in <authentication> are still the same:
<authentication mode="forms">
<forms name=".ASPXAUTH" loginUrl="/" timeout="30" path= "/">
</forms>
</authentication>
/In the page of Verify user legitimacy, after verifying the user's legitimacy, there is also a process of obtaining which roles this user belongs to. This depends on how each application itself is designed. Generally, there is a use_role table in the database. You can obtain which roles this user belongs to from the database. If you don't go into detail about how to obtain the roles that the user corresponds to, in the end, you will definitely be able to obtain all the roles that this user is separated by commas.
In the above non-role-based method, we used the method to complete a series of actions such as generating authentication tickets, writing back to the client, and browser redirection. This method will use some accurate settings to complete a series of actions. In role-based verification, we cannot use this method to implement it. We need to do it step by step so that some customized settings can be added:
1. First, create an authentication ticket based on the user's label and the string of the role the user belongs to.
public FormsAuthenticationTicket(
int version, //Set to 1
string name, //user label
DateTime issueDate, //Cookie issuance time, set to
DateTime expiration, //Expiration time
bool isPersistent, // Whether it is persistent (set as needed, if it is set to persistence, it is issued
When cooking, the Expires setting of cookies must be set)
string userData, // Here is a role string that is separated by commas as prepared above
string cookiePath // set to "/", which must be the same as the path to issue the cookie, because refreshing the cookie
Use this path
);
FormsAuthenticationTicket Ticket = new FormsAuthenticationTicket (1,"kent",, (30), false,UserRoles,"/") ;
2. Cookies that generate authentication tickets
2.1 Serialize authentication tickets to a string
string HashTicket = (Ticket) ;
2.2 Generate cookies
HttpCookie UserCookie = new HttpCookie(, HashTicket) ;
It is used to obtain the name of the authentication cookie set in it, and the default is ".ASPXAUTH".
If the isPersistent property in the authentication ticket is set to a persistent class, the Expires property of this cookie must be set so that this cookie will be saved to the client's cookie file as a persistent cookie.
3. Output the authentication ticket cookie to the client
Append the authentication ticket cookie to the output cookie collection through (UserCookie) and send it to the client.
4. Redirect to the user's initial examination page.
Verify part of the code (this part of the code is the event processing code that clicks the login button on the page):
private void Buttonlogin_Click(object sender, e)
{
string user = ; //Read username
string password = ; //Read password
if(Confirm(user,password) == true) //Confirm method is used to verify user legitimacy
{
string userRoles = UserToRole(user); //Calling the UserToRole method to get the role string
FormsAuthenticationTicket Ticket = new FormsAuthenticationTicket (1,user,, (30), false,userRoles,"/"); //Create an authentication ticket object
string HashTicket = (Ticket); // Encryption serialization verification ticket is a string
HttpCookie UserCookie = new HttpCookie(, HashTicket) ;
//Generate cookies
(UserCookie) ; //Output Cookie
(["ReturnUrl"]) ; // Redirect to the initial page of the user's application
}
else
{
// Code when the user's identity is not confirmed
}
}
//This method is used to verify the legitimacy of the user
private bool Confirm(string user,string password)
{
//Relevant code
}
//This method is used to obtain a string of all the roles corresponding to the user that are separated by commas.
private string UserToRole(string user)
{
//Relevant code
}
2. Role-based access authorization
What we need to do here is to restore the information representing roles saved in UserData in the authentication ticket saved by the client to the GenericPrincipal object representing the user's identity on the server (remember, during the original verification process, the GenericPrincipal object only contains user information and does not contain role information)
During an Http request, the event indicates that the security module has established a user identity, that is, the identity of this user has been established on the web side. After this event, we can obtain the user identity information.
Before the event, start to obtain the page requested by the user and establish the HttpHandler control point. At this time, the user's permissions need to be verified, so the work of restoring the user's role can only be done in the process between events and events.
We choose Application_AuthorizeRequest event to do this work, and we can handle all events of HttpApplication in the file. The code is as follows:
protected void Application_AuthorizeRequest(object sender, e)
{
HttpApplication App = (HttpApplication) sender;
HttpContext Ctx = ; //Get the HttpContext object related to this Http request
if ( == true) // Only verified users will handle role
{
FormsIdentity Id = (FormsIdentity) ;
FormsAuthenticationTicket Ticket = ; // Obtain the ID verification ticket
string[] Roles = (',') ; //Convert role data in authentication tickets into string array
= new GenericPrincipal (Id, Roles); // Create a new GenericPrincipal to represent the current user, so that the current user has role information
}
}
The visitor has both user and role information, so he can use role to control user access rights based on this.
Previous page123Read the full text