使用表单身份验证时如何检查授权?
[英]How can I check for authorization when using forms authentication?
问题描述
I am developing an ASP.NET website. 
我正在开发一个ASP.NET网站。 I am planning to use Forms authentication in order to guarantee authentication/authorization, but I am facing two problems regarding the authorization: 我计划使用Forms身份验证以保证身份验证/授权,但是我在授权方面面临两个问题:
I know how to set in the web config that the authenticated users are allowed to visit a webpage (say myPage.aspx).
我知道如何在Web配置中设置允许经过身份验证的用户访问网页(例如myPage.aspx)。 But I do not know how to define that UserA is able to access myPage to retrieve his information, not UserB's information. 但是我不知道如何定义UserA能够访问myPage来检索他的信息,而不是UserB的信息。 I was thinking about generating a token when the user authenticates, so I am able to check to whom this token belongs to and verify if this information is available to him. 我正在考虑在用户进行身份验证时生成令牌,因此我能够检查此令牌属于谁,并验证此信息是否可供他使用。 What do you think about this approach? 您如何看待这种方法? Does the Form Authentication generates a token like that? 表单身份验证会生成这样的令牌吗? (I couldn't find any mention about it in my research). (我在研究中找不到任何提及)。 If not, could I adapt the Form authentication mechanisms in order to generate or would I need to write everything on my own? 如果没有,我是否可以调整表单身份验证机制以生成表单,还是需要自己编写所有内容? I would like to access webservices, and these should only return information if the user is logged.
我想访问Web服务,并且只有在用户登录后,这些服务才应该返回信息。 For this reason, I would like to use the same token explained above. 因此,我想使用上面说明的相同令牌。 What do you think about it? 你怎么看待这件事? Is it a good approach? 这是一个好方法吗?
I am asking this because I have no experience on designing authentication/authorization mechanisms, any help/hint would be appreciated. 我之所以这样问是因为我没有设计认证/授权机制的经验,任何帮助/提示都将不胜感激。
1 个解决方案
解决方案1
1 已采纳 2012-01-24 20:30:52
Regarding question one, after forms authentication occurs in an ASP.Net web forms app, the user's identity is exposed as a FormsIdentity object in the Page.User.Identity property. 关于问题一,在ASP.Net Web表单应用程序中进行表单身份验证后,用户的身份作为Pages.User.Identity属性中的FormsIdentity对象公开。 This object has a Name property which contains the username that a user use to log into your site. 该对象具有Name属性,其中包含用户用来登录您的网站的用户名。 You can use this value to restrict what a user can access. 您可以使用此值来限制用户可以访问的内容。 For example, let's say you have a table in your database with user information containing the following fields: 例如,假设您的数据库中有一个表,其中的用户信息包含以下字段:
userId int
userName varchar(25)
...more fields containing user information...
You can restrict a user to only access information from the row in this table in which the userName equals the Page.User.Identity.Name property, either directly if you are using direct ADO.Net or via your query to your ORM-mapped (ie nHibernate or EF) domain object. 您可以限制用户仅访问该表中userName等于Page.User.Identity.Name属性的行中的信息,或者直接使用ADO.Net或通过对ORM映射的查询来访问用户(即nHibernate或EF)域对象。
Regarding question two, the FormsIdentity object exposed by Page.User.Identity has a boolean "IsAuthenticated" property. 关于第二个问题,由Page.User.Identity公开的FormsIdentity对象具有布尔“ IsAuthenticated”属性。 You can use this to restrict access to your web service as follows: 您可以使用它来限制对Web服务的访问,如下所示:
if(Page.User.Identity.IsAuthenticated)
{
//Call your web service in a secure manner
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.