
Manage user access to pages in ASP.NET

I am using MembershipProvider and currently I have 3 roles: User, Super User, Admin.

Also I have pages that can be seen only by Admin and Super User. For these pages I use configuration in web.config:

  <location path="Users.aspx">
    <system.web>
      <authorization>
        <allow roles="Admin, Super User"/>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

And this works perfectly fine.

But I have a bunch of pages

Evaluations
Actions
Reports
Files

to which I want separate access. I want to grant access to each page individually.

Is there a better way to do it than to create roles for each page and then assign to these roles?

PS I am using ASP.NET, not MVC

Yes, modify your folder structure to be something like this:

- Super User
  - Admin
    - All

And then you can do stuff like this:

<location path="Super User">
  <system.web>
    <authorization>
      <allow roles="Super User"/>
      <deny users="*" />
    </authorization>
  </system.web>
</location>

<location path="Super User/Admin">
  <system.web>
    <authorization>
      <allow roles="Admin"/>
      <deny users="*" />
    </authorization>
  </system.web>
</location>

<location path="Super User/Admin/All">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

And now simply place the pages in the appropriate folders. Per the MSDN Documentation the location element applies to all sub-directories:

Specifies the resource that the contained configuration settings apply to. Using location with a missing path attribute applies the configuration settings to the current directory and all child directories. If location is used with no path attribute and allowOverride is False, configuration settings cannot be altered by Web.config files that are in child directories.

so Super User by definition will have access to all other pages below and so on.

Yes, there is a better and simpler way. Put all your restricted pages in a separate folder and create an additional web.config in this folder. This additional web.config should contain the authorization section only.

The runtime will evaluate your web.configs from the request folder up to the application root. Because the authorization section exists in this additional web.config it will overwrite your root authorization section.

This way a single setting (single web.config) can guard an arbitrary number of files (all files in the directory).

You can also assign permissions to a folder instead using the <location> element. This way, you can group a bunch of pages into one permission set. Also, you could validate permissions in code; in Global.asax, Application_PostAuthenticateRequest runs for each request to the server (so for each aspx page), and you can write code here to do the validation, and redirect away if the user doesn't have the permissions.
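
The code-based check mentioned in the last answer, sketched as an added example that is not part of the original answers: a per-page grant table consulted in Application_PostAuthenticateRequest for the four pages named in the question. The table contents, the user names and the use of Forms authentication are assumptions.

```csharp
// Global.asax.cs (added example; grant table and user names are constructed)
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Hypothetical per-page grants: app-relative path -> user names allowed to open it.
    // Paths are compared case-insensitively because IIS treats URL paths that way.
    // A real application would load this from its own store instead of hard-coding it.
    private static readonly Dictionary<string, HashSet<string>> PageGrants =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "~/Evaluations.aspx", Users("alice", "bob") },
            { "~/Actions.aspx",     Users("alice") },
            { "~/Reports.aspx",     Users("bob", "carol") },
            { "~/Files.aspx",       Users("carol") },
        };

    private static HashSet<string> Users(params string[] names)
    {
        return new HashSet<string>(names, StringComparer.OrdinalIgnoreCase);
    }

    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        // This property excludes trailing PathInfo, so "/Reports.aspx/x"
        // still resolves to "~/Reports.aspx" and cannot skip the lookup.
        string page = Request.AppRelativeCurrentExecutionFilePath;

        HashSet<string> allowed;
        // Pages not in the table are left to the <authorization> rules in web.config.
        if (!PageGrants.TryGetValue(page, out allowed)) return;

        var user = Context.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage(); // assumes Forms authentication
            CompleteRequest();                         // skip the page handler
            return;
        }

        if (allowed.Contains(user.Identity.Name)) return; // explicit grant found

        Response.StatusCode = 403; // authenticated but not granted: refuse, do not render
        CompleteRequest();
    }
}
```

Keeping the web.config rules in place for these pages as well means a missing table entry fails closed rather than open.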
