Ever since ASP.NET 2.0 came out, I have wanted to use Membership 2.0, which is a well-packaged website permission management tool. I used the SqlProvider, ran aspnet_regsql to generate the required tables, and configured web.config. However, I ran into many problems in actual use. For example, when I tried to obtain the currently logged-in user through Membership.GetUser() after logging in, the result returned to me was null... The authentication and authorization settings in web.config seemed to have no effect at all. After some searching, I still couldn't solve this problem, so I had no choice but to keep using Membership while implementing the entire authentication and authorization process myself.
Because the Login control didn't work, I wrote a login.aspx page myself. This page uses the Membership.ValidateUser() function to validate the user's login. After the user successfully logs in, the user's username is saved in the session.
I have implemented an XML-serialized configurable object, which has the following structure:
<?xml version="1.0"?>
<SecurityConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <PageLocations>
    <PageLocation Location="~/admin/admin/RoleManager.aspx">
      <Allow Roles="Administrator" />
    </PageLocation>
  </PageLocations>
</SecurityConfig>
PageLocations is a List of PageLocation objects. The Location attribute of a PageLocation holds the page to which permissions are to be added. Each PageLocation contains an Allow object whose Roles attribute holds the user roles that are authorized for the page, separated by commas. All pages are added to this XML structure in this way.
Then implement the following function:
/// <summary>
/// Whether access to this page is allowed
/// </summary>
/// <param name="url">Authorized path</param>
/// <param name="rolenames">Authorization roles</param>
/// <param name="context">Current HTTP context, used to map virtual paths to physical paths</param>
/// <returns>Whether authorized</returns>
public bool isAllow(Uri url, string[] rolenames, HttpContext context)
{
    // Physical path of the requested page
    string path = context.Server.MapPath(url.AbsolutePath);
    PageLocation theLocation = null;
    foreach (PageLocation location in pageLocations)
    {
        // Compare physical paths, ignoring case
        string strlocation = context.Server.MapPath(location.Location);
        if (string.Equals(strlocation, path, StringComparison.OrdinalIgnoreCase))
        {
            theLocation = location;
        }
    }
    // Pages that are not listed, or that have no Allow entry, are denied
    if (theLocation == null || theLocation.Allow == null || theLocation.Allow.Roles == null)
    {
        return false;
    }
    foreach (string role in theLocation.Allow.Roles.Split(','))
    {
        foreach (string rolename in rolenames)
        {
            // Trim so that a list written as "RoleA, RoleB" also matches
            if (rolename == role.Trim())
            {
                return true;
            }
        }
    }
    return false;
}
The function compares the absolute path of the currently visited page with the absolute path of each entry in the XML, obtains the matching PageLocation object, and checks whether its Allow roles match one of the current user's roles. This implements role-based security authorization.
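The XML structure and the role check described above, as an added example that is not the author's code: the class shapes are assumed from the XML, and the lookup compares app-relative paths directly instead of calling Server.MapPath so that it runs as a console program. The sample XML and the role names other than Administrator are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml.Serialization;

// Class shapes assumed from the XML on this page (hypothetical, not the author's classes).
public class Allow { [XmlAttribute] public string Roles; }
public class PageLocation { [XmlAttribute] public string Location; public Allow Allow; }

public class SecurityConfig
{
    public List<PageLocation> PageLocations = new List<PageLocation>();

    public static SecurityConfig Load(TextReader reader)
    {
        return (SecurityConfig)new XmlSerializer(typeof(SecurityConfig)).Deserialize(reader);
    }

    // Deny by default: only a listed page with a matching role is allowed.
    public bool IsAllowed(string appRelativePath, IEnumerable<string> userRoles)
    {
        var held = new HashSet<string>(userRoles ?? new string[0], StringComparer.OrdinalIgnoreCase);
        foreach (PageLocation loc in PageLocations)
        {
            if (loc.Allow == null || loc.Allow.Roles == null) continue;
            if (!string.Equals(loc.Location, appRelativePath, StringComparison.OrdinalIgnoreCase)) continue;
            foreach (string role in loc.Allow.Roles.Split(','))
                if (held.Contains(role.Trim())) return true;
        }
        return false;
    }
}

public static class Demo
{
    // Constructed sample with the same shape as the XML on this page.
    const string SampleXml = @"<SecurityConfig><PageLocations>
  <PageLocation Location=""~/admin/admin/RoleManager.aspx""><Allow Roles=""Administrator, Auditor"" /></PageLocation>
</PageLocations></SecurityConfig>";

    public static void Main()
    {
        SecurityConfig cfg = SecurityConfig.Load(new StringReader(SampleXml));
        Console.WriteLine(cfg.IsAllowed("~/admin/admin/RoleManager.aspx", new[] { "Auditor" }));  // listed page, listed role
        Console.WriteLine(cfg.IsAllowed("~/Admin/Admin/rolemanager.aspx", new[] { "Editor" }));   // listed page, other role
        Console.WriteLine(cfg.IsAllowed("~/admin/admin/Other.aspx", new[] { "Administrator" }));  // page not in the config
    }
}
```

Inside a page or user control, the app-relative path of the current request is available as Request.AppRelativeCurrentExecutionFilePath.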
Since this is used for back-end security management, I wrote a user control to encapsulate the SecurityConfig class. It obtains the logged-in user account through Context.Session[], then obtains the logged-in user's roles through Roles.GetRolesForUser(username), and then passes Context.Request.Url and the roles into the function above. If the user is authorized, the current page is displayed. Otherwise, the user is redirected to the login page or told that they do not have permission.
Since I use a MasterPage, I only need to bind this control to the master page so that every page is under management, and I wrote a back-end page that edits and serializes the SecurityConfig object. This achieves permission control for all pages.
Adopting this method is also a good idea when Membership is not working. It takes advantage of the basic functions Membership provides, such as CreateUser and CreateRoles, and also meets the need for permission settings. This is the only way to deal with it for now.
This is my first time posting on the homepage, and I hope someone can tell me under what circumstances the .NET authorization will not work.
http://www.cnblogs.com/livesite/archive/2006/08/14/membership.html