Topic: On ASP.NET permission management and user verification

Blue Whale | 5D ASP and .NET Moderator | Gold coins: 34 | Experience: 5833 | Posts: 2003 | From: Zhejiang | Registered: 2001-12-20 | Posted on 2004-12-17 02:55:01
In building a website, the most common things you run into are user management and the setting and verification of operation permissions. Although this is a very common management task, it is not easy to get perfect. Recently I have consulted a lot of .NET books, paying particular attention to this, and combining that with my own situation I have worked out a user management method that suits me and completed a basic management class library.

The user management method uses three levels, "User - Role - License", which is the user management method of the Windows operating system. A user can have multiple roles, and one role can have multiple licenses. So the database design is:

User table: UserID, UserName, user information
Role table: RoleID, CategoryID, RoleName, Description
User-Role table: UserID, RoleID
Category table: CategoryID, CategoryName, Description
License table: PermissionID, CategoryID, PermissionName, Description
Role-License table: RoleID, PermissionID

After designing the database, you can design the user, role and license classes. The class library is divided into data-layer classes, which handle the operations of querying, deleting, updating and so on, and business-layer classes, which implement the functions unrelated to the data: building the role list, the license list, the verification methods for users, and so on. A very important point is to use .NET's own verification mechanism, so there are two classes. The first is the SiteIdentity class, which inherits from the business-layer base class and implements the System.Security.Principal.IIdentity interface. This class mainly stores the user's basic information, including user name, email, ID number and password. Its methods are fairly simple; the user's basic information is passed in after verification. The second is the HelloseaPrincipal class, which also inherits from the business base class and implements the System.Security.Principal.IPrincipal interface.
The main methods of this class are the verification method and the storage of the verified user's information, the user's role list and license list. Two methods and one property in this class are required by the IIdentity interface, namely IsInRole, HasPermission, and the System.Security.Principal.IIdentity Identity property. After designing the class library, you can use it to verify the user. For example, in the management login page you need to determine whether the user's password is correct and whether the user has the license to enter the management page. Here is a section of verification code:
    HelloseaPrincipal admin = HelloseaPrincipal.ValidateLogin(txtAdminName.Text, txtPassword.Text);
    if (admin == null)
    {
        labInfo.Text = "There is no such administrator account, or the password entered is incorrect.";
    }
    else if (!admin.HasPermission(1))
    {
        labInfo.Text = "You are not in a management role and do not hold the management license; you cannot enter this system.";
    }
    else
    {
        Context.User = admin;
        FormsAuthentication.SetAuthCookie(txtAdminName.Text, true);
        Response.Redirect("adminIndex.aspx");
    }

Note: in !admin.HasPermission(1), the 1 is the license's ID number in the database. On internal pages it can be used like this:
    HelloseaPrincipal currentPrincipal = (HelloseaPrincipal)Context.User;
    if (!currentPrincipal.HasPermission(1))
    {
        // deny access to this page
    }

This method is used to verify the user. Although it also uses cookies, cookies in .NET are encrypted, so it can achieve fairly high security. One disadvantage of this design is that the license ID number is a fixed value. Considering the permissions required by the general management pages, the license is placed in the config file; things such as channels, which need to change regularly, are placed in the channel table of the database. Below is the approach I adopted of placing it in the config file; I won't go into the details of reading and writing it. Reading and writing config files can easily be implemented with XML serialization and deserialization, and can be encapsulated in a class, which is very convenient to use; the following statement reads it through the wrapper class: if (!admin.HasPermission(...)) { } About permissions and verification, I can only introduce this much here. Because the implemented code is very long, I only introduce a way of thinking; each person's specific implementation will have its own characteristics.
[This post was last edited by Blue Whale (edit time: 2004-12-17 09:03:52)]
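As an added example that is not part of the original post, the following C# sketches the two classes the post describes, SiteIdentity (IIdentity) and HelloseaPrincipal (IPrincipal), so that ValidateLogin, IsInRole and HasPermission behave as the login page above expects. The six tables are replaced by constructed in-memory rows, and passwords are assumed to be stored as salted PBKDF2 hashes (the post stores the password itself); all names other than the two interfaces are assumptions, and Rfc2898DeriveBytes.Pbkdf2 requires .NET 6 or later.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Principal;

// Identity half of the pair: only the user's basic information, filled in after a successful login.
public class SiteIdentity : IIdentity
{
    public int UserId { get; }
    public string Name { get; }
    public string Email { get; }
    public string AuthenticationType => "Forms";
    public bool IsAuthenticated => true;
    public SiteIdentity(int id, string name, string email) { UserId = id; Name = name; Email = email; }
}

public class HelloseaPrincipal : IPrincipal
{
    // Constructed sample rows standing in for the user, role, user-role and role-license tables.
    // Passwords are stored as a salted PBKDF2 hash (assumption; the thread stores the password itself).
    static readonly byte[] Salt = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
    static readonly (int Id, string Name, string Email, byte[] PwHash)[] Users =
        { (1, "admin", "admin@example.invalid", Hash("correct-horse", Salt)) };
    static readonly (int Id, string Name)[] Roles = { (10, "SiteAdmin"), (11, "ForumModerator") };
    static readonly (int UserId, int RoleId)[] UserRoles = { (1, 10), (1, 11) };
    static readonly (int RoleId, int PermissionId)[] RoleLicenses = { (10, 1), (11, 20), (11, 21) };

    public IIdentity Identity { get; }
    readonly HashSet<string> roles;
    readonly HashSet<int> licenses;
    HelloseaPrincipal(SiteIdentity id, IEnumerable<string> r, IEnumerable<int> p)
    { Identity = id; roles = new HashSet<string>(r); licenses = new HashSet<int>(p); }

    public bool IsInRole(string role) => roles.Contains(role);
    public bool HasPermission(int permissionId) => licenses.Contains(permissionId);

    static byte[] Hash(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, 100_000, HashAlgorithmName.SHA256, 32);

    // Returns null for an unknown user or a wrong password, which is what the login page branches on.
    public static HelloseaPrincipal ValidateLogin(string userName, string password)
    {
        var user = Users.FirstOrDefault(u => u.Name == userName);
        if (user.Name == null) return null;
        if (!CryptographicOperations.FixedTimeEquals(Hash(password, Salt), user.PwHash)) return null;
        var roleIds = new HashSet<int>(UserRoles.Where(ur => ur.UserId == user.Id).Select(ur => ur.RoleId));
        var roleNames = Roles.Where(r => roleIds.Contains(r.Id)).Select(r => r.Name);
        var licenseIds = RoleLicenses.Where(rl => roleIds.Contains(rl.RoleId)).Select(rl => rl.PermissionId);
        return new HelloseaPrincipal(new SiteIdentity(user.Id, user.Name, user.Email), roleNames, licenseIds);
    }
}
```

With the sample rows, ValidateLogin("admin", "correct-horse") yields a principal for which HasPermission(1) and IsInRole("ForumModerator") are true, while a wrong password yields null and the unknown-user and wrong-password paths are indistinguishable to the caller.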
I am a huge beast of the East China Sea with a very large appetite. Eastern Sea Dragon Palace

ridincal | = ridincal = | Gold coins: 20 | Experience: 17426 | Posts: 5878 | From: Galaxy - Earth | Registered: 2001-07-27 | Posted on 2004-12-17 10:02:18
Nice, a very scientific hierarchical permission management strategy... Blue Whale's dev style is quite like, um ~ a classification table? Classified permissions?
No one can stop you except yourself ~~~ Get up, then sleep ...

JanLayX | Coat (Nokia6600) | Gold coins: 27 | Experience: 22102 | Posts: 6959 | From: Wuhan | Registered: 2001-02-06 | Posted on 2004-12-17 10:19:59
Well, it looks like a standardized relational database design. I have some doubts about the function of the classification table. From the description it seems to be a foreign key of both the role table and the license table, which is not clear. If it is not too much trouble, please explain.
MSN / QQ Tab: www.5d.cn/msntab  Resource ftp: www.5d.cn/bbs/fap.asp  seti@home: setiathome.ssl.berkeley.edu

Blue Whale | 5D ASP and .NET Moderator | Gold coins: 34 | Experience: 5833 | Posts: 2003 | From: Zhejiang | Registered: 2001-12-20 | Posted on 2004-12-17 10:23:10
The classification table primarily classifies licenses and roles. Since the classifications of licenses and roles are generally the same, they share the same classification. For example, licenses can be divided into system management, article management and forum management classes, so that when assigning licenses to a role of the forum management class, only that class needs to be listed and not the others.
I am a huge beast of the East China Sea with a very large appetite. Eastern Sea Dragon Palace

JanLayX | Coat (Nokia6600) | Gold coins: 27 | Experience: 22102 | Posts: 6959 | From: Wuhan | Registered: 2001-02-06 | Posted on 2004-12-17 10:39:32

I feel this is not very good: if the classifications of licenses and roles ever diverge, it will be troublesome. I would rather separate the two categories from the beginning. When I was doing an IDC system, I added an inheritance function compared with yours. My permissions are themselves a tree structure: a permission can contain several permissions, and each of those can still contain other permissions. I implemented your Category function this way. A permission item has an attribute that inherits the upper-level permission by default, so that when there are many permissions and roles, the number of permission definitions can be effectively reduced.
MSN / QQ Tab: www.5d.cn/msntab  Resource ftp: www.5d.cn/bbs/fap.asp  seti@home: setiathome.ssl.berkeley.edu

ridincal | = ridincal = | Gold coins: 20 | Experience: 17426 | Posts: 5878 | From: Galaxy - Earth | Registered: 2001-07-27 | Posted on 2004-12-17 10:45:54
Consistent with my guess, the classification is a permission (Blue Whale calls it a "license"; personally I think this is incomplete: permissions should include both "license" and "prohibition", just like the Windows local security policy, where prohibition is an effective supplement to the default and is more secure). For example:

Article management (prohibited)
  |- Add users (prohibited)
  |- Delete users (prohibited)
  |- Edit users (prohibited)
Forum article management (licensed)
  |- Edit articles (licensed)
  |- Delete articles (licensed)
Forum announcement management (partially licensed)
  |- Add announcement (licensed)
  |- Edit announcement (licensed)
  |- Delete announcement (prohibited)
...
No one can stop you except yourself ~~~ Get up, then sleep ...

JanLayX | Coat (Nokia6600) | Gold coins: 27 | Experience: 22102 | Posts: 6959 | From: Wuhan | Registered: 2001-02-06 | Posted on 2004-12-17 10:51:46
Windows account permission management is itself a model to learn from, and its "prohibited" permission has higher priority than "license". I think there is a lot to learn in the calculation of effective permissions; maybe a bitwise operation could be introduced to calculate the final effective permission.
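As an added example, not part of any post in this thread, here is one way to compute effective permissions with bit flags so that a prohibition beats a license, over the kind of tree ridincal sketched above: each leaf operation is a single bit, a parent node is the union of its children's bits, and a role's entries fold into an allow mask and a deny mask. The enum values, the RoleAcl and EffectivePermissions names and the sample roles are all assumptions.

```csharp
using System;
using System.Collections.Generic;

// A parent node is the union of its children's bits, so one setting on a parent
// covers the whole subtree (inheritance) with no extra bookkeeping.
[Flags]
public enum Perm : uint
{
    None = 0,
    AddAnnouncement = 1, EditAnnouncement = 2, DeleteAnnouncement = 4,
    EditArticle = 8, DeleteArticle = 16,
    AnnouncementMgmt = AddAnnouncement | EditAnnouncement | DeleteAnnouncement,
    ArticleMgmt = EditArticle | DeleteArticle,
}
public enum Access { Allow, Deny }

public class RoleAcl
{
    // Explicit entries per tree node; nodes without an entry inherit from their parent, default denied.
    readonly Dictionary<Perm, Access> entries = new Dictionary<Perm, Access>();
    public RoleAcl Set(Perm node, Access access) { entries[node] = access; return this; }
    // Fold the entries into an allow mask and a deny mask over leaf bits.
    public (uint Allow, uint Deny) ToMasks()
    {
        uint allow = 0, deny = 0;
        foreach (var e in entries)
            if (e.Value == Access.Allow) allow |= (uint)e.Key; else deny |= (uint)e.Key;
        return (allow, deny);
    }
}

public static class EffectivePermissions
{
    // Union all roles' masks, then let deny override allow: one Deny on any role or ancestor wins.
    public static Perm Compute(IEnumerable<RoleAcl> roles)
    {
        uint allow = 0, deny = 0;
        foreach (var r in roles) { var m = r.ToMasks(); allow |= m.Allow; deny |= m.Deny; }
        return (Perm)(allow & ~deny);
    }
    public static bool Has(Perm effective, Perm wanted) => (effective & wanted) == wanted;
    public static void Main()
    {
        var moderator = new RoleAcl()
            .Set(Perm.ArticleMgmt, Access.Deny)          // whole subtree prohibited
            .Set(Perm.AnnouncementMgmt, Access.Allow)    // "partially licensed" parent ...
            .Set(Perm.DeleteAnnouncement, Access.Deny);  // ... because one child is prohibited
        var editor = new RoleAcl().Set(Perm.EditArticle, Access.Allow); // allow under a denied parent
        Perm eff = Compute(new[] { moderator, editor });
        Console.WriteLine($"{eff}; may edit articles: {Has(eff, Perm.EditArticle)}");
    }
}
```

The editor role's Allow on EditArticle is cancelled by the moderator role's Deny on the ArticleMgmt parent, which is the "prohibition has priority" rule; a user holding both roles ends up with AddAnnouncement and EditAnnouncement only.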
MSN / QQ Tab: www.5d.cn/msntab  Resource ftp: www.5d.cn/bbs/fap.asp  seti@home: setiathome.ssl.berkeley.edu

Blue Whale | 5D ASP and .NET Moderator | Gold coins: 34 | Experience: 5833 | Posts: 2003 | From: Zhejiang | Registered: 2001-12-20 | Posted on 2004-12-17 14:35:14
Both insights are very deep; I really should study hard. Maybe I considered too little. The concept of prohibition and license is very good, but is this "partial license" necessary? With a prohibition on a subordinate, the parent's "license" itself has become a partial license. The tree structure is very powerful; I am a little afraid of this kind of design, which may not be complex at the beginning. However, as the website's functions increase, this complex design may be necessary and easy to expand. I have to think about it again. I have designed a tree shape like yours before, but that design was for general usage; more complex systems were not considered, and the base class did not allow for it. In short, I still have a lot to learn.

I am a huge beast of the East China Sea with a very large appetite. Eastern Sea Dragon Palace

ridincal | = ridincal = | Gold coins: 20 | Experience: 17426 | Posts: 5878 | From: Galaxy - Earth | Registered: 2001-07-27 | Posted on 2004-12-17 15:10:24
"Partial license" is a description of a permission that contains a detailed list of permissions; it actually has no specific role.
No one can stop you except yourself ~~~ Get up, then sleep ...

Blue Whale | 5D ASP and .NET Moderator | Gold coins: 34 | Experience: 5833 | Posts: 2003 | From: Zhejiang | Registered: 2001-12-20 | Posted on 2004-12-17 16:36:20
To add a point: in the above design, the licenses owned by a role are like its wealth; without a license nothing is possible. So only those holding a good position can pass; this pass is the license, so there is no need to consider "prohibited" when designing, because there is only one thing, the pass. Every operation is like a checkpoint that needs various passes; if you don't have them, you can't enter the door. Thinking back, I wonder whether the database design should also differ between the two. I really want to get this right, but my own experience and level cannot work out a better way; I just want to learn more, and I will encounter the shortcomings and advantages of these designs.
[This post was last edited by Blue Whale (edit time: 2004-12-17 16:45:04)]
I am a huge beast of the East China Sea with a very large appetite. Eastern Sea Dragon Palace

ridincal | = ridincal = | Gold coins: 20 | Experience: 17426 | Posts: 5878 | From: Galaxy - Earth | Registered: 2001-07-27 | Posted on 2004-12-17 17:08:40
A single license-style permission is not bad, but in large systems that support permission inheritance and default permissions (for example, a role with administrative privileges over a parent section has administrative permission over all sub-sections of that section) it becomes less secure and less convenient.
No one can stop you except yourself ~~~ Get up, then sleep ...

Blue Whale | 5D ASP and .NET Moderator | Gold coins: 34 | Experience: 5833 | Posts: 2003 | From: Zhejiang | Registered: 2001-12-20 | Posted on 2004-12-17 21:40:40
ridincal said in a post:
Quote:
A single license-style permission is not bad, but in large systems that support permission inheritance and default permissions (for example, a role with administrative privileges over a parent section has administrative permission over all sub-sections of that section) it becomes less secure and less convenient.
There are many permission designs; it is not easy. I will consider inheritance. At present I want to achieve something slightly simpler, but with a database that is easy to extend, and then gain a certain understanding. The category table can be kept, but only for displaying classifications in a list. For now I still don't consider inheritance, because the current permissions are relatively simple and I'm afraid I won't manage it. In fact the database is still scalable; it is just that the license looks like a classification tree with only one level. I found a lot of information; permission design really is varied and adds a lot of attributes. Very valuable research; there is a great deal of knowledge, and you two have given me a lot. Right now mine is simpler but less prone to mistakes, although there are many inconvenient places in implementing it. On the Internet, some designs have licenses for read, write, edit, delete, etc.

I am a huge beast of the East China Sea with a very large appetite. Eastern Sea Dragon Palace

Shilinow | Junior User | Gold coins: 0 | Experience: 229 | Posts: 60 | From: Zhejiang | Registered: 2000-11-30 | Posted on 2004-12-24 16:30:25
Very good discussion; I have heard a lot of ideas and I like them.

Primary User | Gold coins: 0 | Experience: 19 | Posts: 5 | From: Chongqing | Registered: 2004-04-09 | Posted on 2004-12-25 19:43:24
May I ask, can this be used in ASP? The discussion is really wonderful.
Good people live a lifetime,

Blue Whale | 5D ASP and .NET Moderator | Gold coins: 34 | Experience: 5833 | Posts: 2003 | From: Zhejiang | Registered: 2001-12-20 | Posted on 2004-12-25 22:17:26
The design of licenses and roles is independent of the language; any language can be used. The forms verification method used above is limited to ASP.NET; ASP does not have such a verification method, but a cookie or session can be used instead.
I am a huge beast of the East China Sea with a very large appetite. Eastern Sea Dragon Palace