
Roles authentication is not working in asp.net

I am using the code below to access a page based upon user authentication.

if (user.FirstOrDefault() == HashedPassword)
{
    string roles = "Member";

    // Create the authentication ticket
    FormsAuthenticationTicket authTicket = new
        FormsAuthenticationTicket(1,                          //  version
                                  loginName.Text,             // user name
                                  DateTime.Now,               //  creation 
                                  DateTime.Now.AddMinutes(60),// Expiration
                                  false,                      //  Persistent
                                  roles);                     // User data

    // Now encrypt the ticket.
    string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
    // Create a cookie and add the encrypted ticket to the
    // cookie as data.
    HttpCookie authCookie = 
                new HttpCookie(FormsAuthentication.FormsCookieName,
                               encryptedTicket);
    // Add the cookie to the outgoing cookies collection.
    Response.Cookies.Add(authCookie);

    Response.Redirect("/Members/ClientAccount.aspx");    
}
else
{
    Response.Redirect("signin.aspx");
}

} }

The user is getting directed to ClientAccount.aspx if the login details are correct but I want that to happen only if his/her role is set as Admin as shown in the web.config file below.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <location path="members.aspx">
        <system.web>
            <authorization>
                <allow roles="Member" />
                <allow roles="Admin" />
                <deny users="?" />
            </authorization>
        </system.web>
    </location>
    <location path="ClientAccount.aspx">
        <system.web>
            <authorization>                    
                <allow roles="Admin" />
                <deny roles="Member"/>
                <deny users="?" />
            </authorization>
        </system.web>
    </location>
</configuration>

How do I make this happen?

I guess the web.config file is not looking at the cookie to do the authorization so I am doing something wrong there.

Double check your location path relative to the web.config, my guess is that is the problem.

<location path="/Members/ClientAccount.aspx">
    ...
</location>

Of course you'll need to do something else instead of this line, you were just doing this for testing I'd assume?

 Response.Redirect("/Members/ClientAccount.aspx");    

i.e. redirect them to a page you know they're not allowed to hit. I figure you're going to beef that part up once you're sure it's not allowing members to access that page.

You should make sure your web.config has the following tag:

<authentication mode="Forms" />

You need to configure it right, there are lots of options:

<authentication mode="Forms">
    <forms loginUrl="Login.aspx"
           protection="All"
           timeout="30"
           name=".ASPXAUTH" 
           path="/"
           requireSSL="false"
           slidingExpiration="true"
           defaultUrl="default.aspx"
           cookieless="UseDeviceProfile"
           enableCrossAppRedirects="false" />
</authentication>

http://msdn.microsoft.com/en-us/library/ff647070.aspx

hey there, did you mean to have

<deny roles="Member"/>

right now, the deny policy really doesn't need the member role listed. If you are wanting member to also be allowed to that page, you will need to swap out the deny, to allow:

<authorization>
  <allow roles="Admin" />
  <allow roles="Member"/>
  <deny users="?" />
</authorization>
