ASP.NET system user permission design and implementation

xiaoxiao2021-03-14  195

introduction

E-commerce systems have high requirements for security issues, traditional access control methods DAC (Discretionary Access Control, Autonomous Access Control Model), Mac (Mandatory Access Control, Forced Access Control Model) It is difficult to meet complex enterprise environmental needs. Therefore, NIST (National Institute of Standards and Technology, National Standardization and Technical Committee) proposed role-based access control methods in the 1990s, realizing logic separation of users and access rights, more in line with companies, organizations, data And application characteristics. ASP.NET is Microsoft's new generation ASP (Active Server Pages) scripting language launched by JSP, which draws on the advantages of JSP, and it has some new features.

This article will first introduce the basic situation of ASP.NET and the basic idea of ​​RBAC (Role Based Access Control). On this basis, a specific method of implementing user rights control in an e-commerce system is given.

ASP.NET overview

1, ASP.NET

ASP.NET is the latest version of Microsoft Popular Dynamic Web Programming Technology Active Server Page (ASP), but it is far from traditional ASP simple upgrade. The biggest difference between ASP.NET and ASP is the conversion of programming thinking, ASP.NET is an object-oriented (Object-Oriented), not just functional enhancement.

In ASP.NET, the web form page consists of two parts: visual elements (HTML, server controls, and static text) and programming logic for this page. Each part is stored in a separate file. The visual element is created in an extension. The code is located in a separate class file, which is called a code hidden class file extension is .aspx.vb or .aspx.cs. This way, save all elements to display in the .aspx file, save logic in the aspx.vb or .aspx.cs file.

2, user control (UserControl)

In order to enable users to easily define controls as needed, ASP.NET introduces the concept of Web Form User Controls. In fact, as long as the .aspx is slightly modified, it can be converted to the web user control, the extension is the .ascx, .ascx, .ascx, and .aspx file, there is also a memory logic code hidden class file, extension is .ascx.vb or. Ascx.cs, just it cannot be run as a standalone web form page, only when it is included in the .aspx file, the user control can work.

Set the user control in the web form page by the following two steps:

(1) Use the @ register instruction to register the user control in the .aspx file. To register, the headerinner.ascx in the relative path "../userControl/" is:

<% @ Register tagprefix = "acme" tagname = "Head" src = "../ userControl / headinner.ascx"%>

(2) The user control element is declared between the start tag of the server control and the end tag (

). For example, to declare the syntax of the controls imported above:

This control is part of the page and will be presented when the page is processed. Also, the public property, events, and methods of the control will open to the web form page and can be used by programming. According to this principle, the operation (such as login verification, role verification) to be executed (such as login verification, role verification) can be encapsulated during each page.

RBAC's basic idea

The basic idea of ​​RBAC (role access control) can be represented by Figure 1, i.e., dividing the entire access control process into two steps: access, the role is associated with the user, thereby implementing the logic of user and access rights Separate.

Since the RBAC implements logical separation of users and access rights, it greatly facilitates rights management. For example, if a user's position changes, just remove the user's current role, join the role representing new positions or new tasks, the changes between roles / permissions are relatively slow than the changes between roles / user relationships. Many, and delegated users to the role without many technologies, they can be implemented by administrative personnel, and the configuration rights to the role is more complicated. It takes certain technologies to be borne by specialized technicians, but do not give them users. Permissions, this is just consistent with the situation in reality.

Design and implementation of user permissions in .NET

Basic idea of ​​implementing permission control using .NET is: assign a role to the user based on the basic principle of role access control (RBAC), each role corresponds to some permissions, then use User Controls in ASP.NET (UserControl To determine whether the role corresponding to the user is accessible to the access page.

The specific implementation process will be set forth from three aspects of the database design, add role, and user controls.

1. Design of the table in the database

First, design three tables such as function module tables, functional tables, and role tables in the database.

(1) Function module table

In order to manage the permissions of the user, you must first organize the system module to design a functional module table for this purpose. See Table 1.

(2) Menu

The sub-function of each functional module is called function, such as the product management module Goods (the category of the function module) contains product information queries, product information update, product information deletion, product pricing information query, and commodity pricing information update five functions , The design of the menu is shown in Table 2.

The example mentioned above can be inserted into a function module table and a function table as such a record separately.

INSERT INTO TMODULE VALUES (0, /// 'Product Management Module ////', /// 'Goods /////////' Goods ///////// ' / 'selectgoods', 0); INSERT INTO TFUNCTION VALUES (1, ///' Product Information Update /// ', ///' Updategoods // ', 0); Insert Into TFunction Values ​​(2, /' Product Information Delete /// ', /' deletegoods', 0); INSERT INTO TFUNCTION VALUES (3, // 'Product pricing information query ///', // 'selectgoodsprice ////', 0); Insert Into TFunction VALUES 4, / 'Product Pricing Information Update ///', 'UpdateGoodsprice ///', 0); (3) Role Table

The key to the design of the role is the definition of the role value, which is a string of similar binary numbers constructed from 0 and 1. The FUNCNO field in the function table represents the position in the Role Value field in the role table, if the value corresponding to the location is 0, indicating that the role is no such authority, if the value is 1, then Indicates that the role has this authority. Such as the role of the role is 100100 ... 00 (a total of 100), as shown above, the function number of the product information query is 0, the 0th bit of the role value of 100100 ... 00 is 1, so the ordinary member role has product information The function of the query;, in contrast, the first bit of the role value is 0, and the function of the function number is 1 is updated for the product information, so the ordinary member role does not have the permissions of the product information update. Their relationship can be represented by Figure 2.

2, the role added

With the few tables, the functional modules of the role page and their corresponding functions can be read from the function module table and the function table, as shown in Figure 3.

When you insert a new role normal member into the database, you first set all the bits of the role value to 0, then use the Replace function in the .NET Framework class library to change the value of the function of the hook in the role value accordingly. To 1.

For example, the newly added role name is the role of ordinary members, and its features are available for product information query (function number 0) and commodity pricing information query (function number 3), the role value should be 1001000 ... 00 (100 Bit), that is, the value of the 0th and third bits in the role value is 1, and the rest is 0.

3. Implement access using user controls

When defining a user control .ascx file (head.ascx), and .ascx.cs (head.ascx, cs) file, then you can register and declare it in the .aspx file.

(1) Register

<% @ Register tagprefix = "acme" tagname = "Head" src = "../ userControl / headinner.ascx"%>

(2) statement

After practical, declare in .aspx file. TheaSCX file can be divided into several cases:

The first case: second case:

The third case:

Field Flag is the flag used to control how to perform permission check, FuncName refers to the function in the function table. If FLAG is empty, no permission check (first case); otherwise, if FLAG == "0", the role of both of these two privileges with selectgoods (product information query) and UpdateGoods Corresponding users have the right to view this page (second case); otherwise, if Flag == "1", it is considered that there is any one of these two privileges with SELECTGOODS or UPDATEGOODS (product information update). Users who have permission to see this page (third case).

The process of permission check is all implemented by the user control, all of which are encapsulated in the .ascx.cs file, the most important method is Checkauth (String RoleID, String, which checks if a role has certain values. Funcename) method. The idea of ​​this method is shown in Figure 4.

Figure 4 of the 0th bit of the RoleValue (the function number of SelectGoods) value is 1, indicating that the role has the authority of SelectGoods (product information query). In this way, we package all logic on the permissions in the user control, so it is necessary to determine the user when you import this page when importing the .ascx file. Permissions without any changes to ASPX.CS.

As described above, it can be clearly seen that as long as the user rights are controlled in the user control, it includes it in the .aspx file (this author is going to do), then when programming You don't have to consider complex permission issues.

Conclude

This article discovered in the practice of developing an e-commerce system, the company attaches great importance to the rights control of system users. Therefore, it is essential for designing a simple and convenient and active privilege control mechanism to e-commerce systems. The ASP.NET-based e-commerce system user permission design and implementation methods have been verified in practical work, and the operation of modifying the specified 权 权 is very convenient.

转载请注明原文地址:https://www.9cbs.com/read-129262.html

New Post(0)