Role-based authorization on top of Forms authentication in ASP.NET
ASP.NET offers three kinds of authentication: Windows, Forms and Passport. Forms authentication is the most widely used and the most flexible. It provides good support for user-based authentication and authorization: a login page verifies the user's identity, that identity is sent back to the client in a cookie, and every later request this user makes to the web application carries the identity cookie to the server. On the server, authorization settings can then control, directory by directory, which users are allowed in. The problem is that in practice what is needed is authentication and authorization based on roles, or on user groups. For a website the usual model is this: users are divided, according to actual needs, into different identities, roles or user groups; authentication must verify not only who the user is but also which role the user belongs to; and access authorization is set per role, stating which resources each role may access. Authorizing access user by user is impractical: there are many users, they are added and removed at any time, and nobody can keep adding authorization entries to the configuration file every time a new user appears. Let us first look at how Forms authentication works.

Basic principle of Forms authentication

1. Authentication. To use Forms authentication, first make the corresponding settings in the Web.config in the application's root directory:
The default page is Default.aspx. The page specified by loginUrl is the one that verifies the user's identity; it normally lets the user enter a user name and password. After the user submits, the application checks the user's legitimacy in whatever way it needs (in most cases by comparing the input with the user table in a database) and then performs a series of actions: generating the authentication ticket, writing it back to the client, redirecting the browser, and so on. All of this is done by

    public static void RedirectFromLoginPage(string userName, bool createPersistentCookie, string strCookiePath);

where:

userName: the string that identifies this user. It is the user's unique mark and does not necessarily map to the user's account name.

createPersistentCookie: whether to issue a persistent cookie. If the cookie is not persistent, the validity period of the ticket is the current time plus the timeout set in Web.config; on every request, during authentication, ASP.NET checks whether more than half of the validity period has elapsed and, if so, renews the cookie. If the cookie is persistent, the ticket's Expiration is meaningless: the validity period is decided by the cookie's Expires, and RedirectFromLoginPage sets Expires fifty years ahead.

strCookiePath: the path written to the client. It is saved in the ticket and used when the ticket cookie is refreshed (it is also the Path of the generated cookie). If the strCookiePath parameter is omitted, the path attribute from Web.config is used.

Note that this method takes only three parameters while an authentication ticket has seven properties; the four that are not covered are: IssueDate, the current time at which the cookie is issued; Expiration, the expiry time, calculated from the current time and the Timeout setting in the
The above is the Forms authentication process, which confirms the user's identity. Next comes access authorization based on Forms authentication.

2. Access authorization. Once the identity is verified it is put to use: different identities are allowed to do different things, and the most common form of this is to separate what different identities may access. Forms authentication provides exactly this. Forms authorization is directory-based: you can set access to a directory, for example that these users may access it and those users may not. The authorization settings are placed in the web.config file of the directory you want to control:
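The two Web.config fragments the text refers to (the root authentication setting and a directory-level authorization rule) are not reproduced on the page. The following is an added example, not the article's own configuration. It assumes a login page named login.aspx and a directory named Admin that only members of a role called "Admin" may use; the role names are evaluated through IPrincipal.IsInRole, which is why the role information has to be attached to the principal at request time (see the later sections).

```xml
<!-- Added example Web.config (not from the original article).
     Assumed names: login.aspx, the Admin directory and the "Admin" role. -->
<configuration>
  <system.web>
    <!-- Root-level authentication setting: Forms mode, 30 minute timeout,
         ticket encrypted and signed ("All"), sliding renewal after half the timeout. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH"
             loginUrl="login.aspx"
             timeout="30"
             path="/"
             protection="All"
             slidingExpiration="true" />
    </authentication>

    <!-- Deny anonymous users everywhere; any authenticated user passes this level. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Directory-level rule for /Admin: only the Admin role is allowed, everyone
       else is denied. Rules are evaluated top to bottom; the first match wins. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The `<location>` element lets the per-directory rule live in the root Web.config instead of a separate Web.config inside the Admin folder; both placements behave the same. The `roles="Admin"` rule only has an effect if HttpContext.User.IsInRole("Admin") returns true, which a plain Forms ticket never does on its own.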
For Forms authentication, the HttpContext.User property is a GenericPrincipal object. GenericPrincipal has only one public property, Identity, plus a private m_roles field of type string[], the array of roles this user belongs to, and a public method IsInRole(string role) that determines whether the user belongs to a given role. Since the authentication ticket carried in the cookie contains no role information, the Forms ticket tells the server nothing about the user's roles, so for Forms authentication the m_roles of the GenericPrincipal received on the server is always empty.

3. The GenericPrincipal.Identity property is a FormsIdentity object. It has a Name property, the name of this user; access authorization treats this property as the user when it evaluates the authorization rules. FormsIdentity also has a Ticket property of type FormsAuthenticationTicket, which is the authentication ticket that was previously written to the client. After the FormsAuthenticationTicket object has been obtained, if it is not a persistent ticket, it is renewed according to the validity period set by the timeout attribute in Web.config (to avoid hurting performance, the cookie is only refreshed once more than half of the specified time has elapsed, which makes the expiry slightly inaccurate; persistent cookies do not time out).

4. At the HttpApplication.ResolveRequestCache event, ASP.NET starts obtaining the requested page and establishing the HttpHandler control point. This means that user access can be verified at the HttpApplication.ResolveRequestCache event, checking whether this user or role is permitted to access this page, and the user's identity or roles can be changed for the rest of this request's lifecycle.
The above is the whole Forms authentication process. It can be seen that Forms authentication is user-based and has no direct support for role-based authorization. The Name attribute of FormsAuthenticationTicket is the user's name, but the ticket also has a UserData property that the application can fill with custom data; we can use this field to store role information and so achieve role-based authorization.
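The mechanism just described, putting roles into UserData and then replacing the request's principal so that IsInRole reports them, is shown below as an added example written for this page; it is not code from the original article. It assumes a Global.asax code-behind class, that the login code stored the roles in UserData as a comma-separated string, and that the hypothetical helper ParseRoles is the only custom name. Because the ticket is encrypted and signed by FormsAuthentication.Encrypt (protection="All"), the client cannot alter the role list without invalidating the cookie, which is what makes this field a safe carrier for authorization data.

```csharp
// Added example (not from the original article): Global.asax.cs handler that
// turns the comma-separated role list in the ticket's UserData into a
// GenericPrincipal carrying those roles, so that User.IsInRole("...") and
// <allow roles="..."/> in Web.config work for Forms authentication.
using System;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Runs once per request, after FormsAuthenticationModule has decoded the
    // cookie and before AuthorizeRequest / ResolveRequestCache, so the roles
    // are in place when URL authorization is evaluated.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return;                         // anonymous request: nothing to do

        FormsIdentity identity = ctx.User.Identity as FormsIdentity;
        if (identity == null)
            return;                         // not a Forms ticket (e.g. Windows auth)

        FormsAuthenticationTicket ticket = identity.Ticket;

        // Manual sliding renewal for non-persistent tickets, as the article
        // describes. RenewTicketIfOld returns the same object unless more than
        // half the timeout has elapsed; with slidingExpiration="true" the
        // built-in module already does this, so this block is only needed
        // when that setting is off.
        if (!ticket.IsPersistent)
        {
            FormsAuthenticationTicket renewed = FormsAuthentication.RenewTicketIfOld(ticket);
            if (!ReferenceEquals(renewed, ticket))
            {
                HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                                   FormsAuthentication.Encrypt(renewed));
                cookie.Path = renewed.CookiePath;   // same path the ticket was issued with
                cookie.HttpOnly = true;             // keep the ticket away from script
                ctx.Response.Cookies.Add(cookie);
                ticket = renewed;
            }
        }

        // Replace the principal: same FormsIdentity, but now with roles attached.
        string[] roles = ParseRoles(ticket.UserData);
        ctx.User = new GenericPrincipal(identity, roles);
    }

    // Hypothetical helper: "Admin, Editor,,admin" -> {"Admin", "Editor"}.
    // Tolerates blanks and surrounding spaces and drops case-insensitive duplicates,
    // so a sloppy role string cannot produce an empty or odd role name.
    internal static string[] ParseRoles(string userData)
    {
        if (string.IsNullOrEmpty(userData))
            return new string[0];

        return userData
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(r => r.Trim())
            .Where(r => r.Length > 0)
            .Distinct(StringComparer.OrdinalIgnoreCase)
            .ToArray();
    }
}
```

Two practical points for anyone deploying this: the roles in UserData are a snapshot taken at login, so a role that is revoked in the database stays in force until the ticket expires or the user logs out (keep the timeout short or re-check critical roles against the database on sensitive pages); and on a web farm every server must share the same machineKey, or tickets issued by one server will fail decryption on another.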
Forms authentication with role-based authorization

1. Authentication. In Web.config's
This method relies on the default settings to perform the whole sequence of actions. For role-based authorization we cannot use it; the steps have to be performed one by one so that custom settings can be added:

1. First create an authentication ticket. The constructor is:

    public FormsAuthenticationTicket(
        int version,          // set to 1
        string name,          // a string identifying the user
        DateTime issueDate,   // set to DateTime.Now
        DateTime expiration,  // expiry time
        bool isPersistent,    // whether the cookie is persistent (set as needed; if it is persistent, the cookie's Expires must be set when the cookie is issued)
        string userData,      // this is the field we use: a comma-separated role string
        string cookiePath);   // set to "/", the same as the cookie's path, because refreshing the cookie uses this path

For example:

    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, "Kent", DateTime.Now, DateTime.Now.AddMinutes(30), false, userRoles, "/");

2. Generate the cookie.

2.1 Encrypt the ticket into a string:

    string hashTicket = FormsAuthentication.Encrypt(ticket);

2.2 Generate the cookie:

    HttpCookie userCookie = new HttpCookie(FormsAuthentication.FormsCookieName, hashTicket);

FormsAuthentication.FormsCookieName returns the name of the authentication cookie set in Web.config; the default is ".ASPXAUTH". If the ticket's IsPersistent property is true, the cookie's Expires property must also be set so that the browser stores it as a persistent cookie file.

3. Send the authentication cookie to the client: Response.Cookies.Add(userCookie) adds it to the output cookie collection, which is sent to the client.

4. Redirect to the page the user originally requested.
Authentication code (this is the handler for the login button on the login.aspx page; Confirm and UserToRole are the page's own helper methods, defined elsewhere):

    private void ButtonLogin_Click(object sender, System.EventArgs e)
    {
        string user = TextBoxUser.Text;          // read the user name
        string password = TextBoxPassword.Text;  // read the password
        if (Confirm(user, password))             // the Confirm method verifies that the user is legitimate
        {
            string userRoles = UserToRole(user); // call the UserToRole method to get the role string
            // create the authentication ticket object, with the roles in UserData
            FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, user, DateTime.Now, DateTime.Now.AddMinutes(30), false, userRoles, "/");
            string hashTicket = FormsAuthentication.Encrypt(ticket);    // encrypt the ticket into a string
            // wrap the encrypted ticket in the authentication cookie and send it to the client
            HttpCookie userCookie = new HttpCookie(FormsAuthentication.FormsCookieName, hashTicket);
            Response.Cookies.Add(userCookie);
            // redirect to the page the user originally requested
            Response.Redirect(FormsAuthentication.GetRedirectUrl(user, false));
        }
    }