


Every bit of research on this topic is showing how to do this task with MVC, my project is MVP webforms based. I have the authentication done, but is there a pattern or strategy to best do authorization?

Such as checking for hotlinking on specific pages against a user's role, or hiding ASP controls given a role.

Currently I'm doing things like:

    // Check the role collection by name, then toggle the control (Visible is the WebControl property)
    if (user.Roles.Contains("Admin")) { lnkAdmin.Visible = true; }

And I don't think that's very clean or maintainable. Is there a better way to do these things?


The Web Forms way of making specific controls available only to certain roles is to use a LoginView control. Example from the documentation:

    <asp:LoginView id="LoginView1" runat="server">
        <AnonymousTemplate>Please log in for personalized information.</AnonymousTemplate>
        <LoggedInTemplate>
            Thanks for logging in <asp:LoginName id="LoginName1" runat="Server"></asp:LoginName>.
        </LoggedInTemplate>
        <RoleGroups>
            <asp:RoleGroup Roles="Admin">
                <ContentTemplate><asp:LoginName id="LoginName2" runat="Server" />, you are logged in as an administrator.</ContentTemplate>
            </asp:RoleGroup>
        </RoleGroups>
    </asp:LoginView>

To prevent users not in certain roles from accessing pages, you can use the location elements in your web.config file. Again, another example from the documentation:

    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20" />
        </authentication>
        <!-- This section denies access to all files in this application except for those that you explicitly allow by using another setting. -->
        <authorization><deny users="?" /></authorization>
      </system.web>
      <!-- This section gives the unauthenticated user access to the Default1.aspx page only. It is located in the same folder as this configuration file. -->
      <location path="default1.aspx">
        <system.web><authorization><allow users="*" /></authorization></system.web>
      </location>
      <!-- This section gives the unauthenticated user access to all of the files that are stored in the Subdir1 folder. -->
      <location path="subdir1">
        <system.web><authorization><allow users="*" /></authorization></system.web>
      </location>
    </configuration>

Similarly, it can be role based.

    <location path="AdminFolder">
      <system.web><authorization>
        <allow roles="Admin" />   <!-- allows users in the Admin role -->
        <deny users="*" />        <!-- denies everyone else -->
      </authorization></system.web>
    </location>
    <location path="CustomerFolder">
      <system.web><authorization>
        <allow roles="Admin, Customers" />   <!-- allows users in the Admin and Customers roles -->
        <deny users="*" />                   <!-- denies everyone else -->
      </authorization></system.web>
    </location>
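For the per-page role checks the question asks about, here is an added example (not from the answer or the ASP.NET documentation) of a base page for the MVP views that enforces a required role server-side before any postback handler runs, so that hiding a control is purely presentation and never the only check. `RequiredRolesAttribute`, `AuthorizedPage` and `AdminDashboard` are hypothetical names chosen for this example.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Web.UI;

// Hypothetical attribute: declares which roles may load a page or post back to it.
[AttributeUsage(AttributeTargets.Class, Inherited = true)]
public sealed class RequiredRolesAttribute : Attribute
{
    public string[] Roles { get; private set; }
    public RequiredRolesAttribute(params string[] roles) { Roles = roles ?? new string[0]; }
}

// Base page for every protected view in the MVP project.
// The check runs in OnInit, before ViewState is loaded and before any button or
// link event handler fires, so a user who cannot see a control also cannot
// trigger its server-side handler by replaying the postback.
public abstract class AuthorizedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // inherit: true matters because the runtime type is the generated *_aspx subclass.
        var attr = (RequiredRolesAttribute)Attribute.GetCustomAttribute(
            GetType(), typeof(RequiredRolesAttribute), true);
        if (attr != null && !IsAuthorized(User, attr.Roles))
        {
            // 403 rather than a redirect to login: the user is authenticated, just not allowed.
            Response.StatusCode = 403;
            Response.SuppressContent = true;
            Context.ApplicationInstance.CompleteRequest();
        }
    }

    // Pure rule so it can be unit-tested without an HttpContext.
    // Fails closed: an unauthenticated user or an empty role list is denied.
    public static bool IsAuthorized(IPrincipal user, string[] roles)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated) return false;
        return roles.Any(r => user.IsInRole(r.Trim()));
    }
}

// Usage: a view that only members of the Admin role may load or post back to.
// Page_Load can still toggle controls with Visible, but enforcement already happened in OnInit.
[RequiredRoles("Admin")]
public class AdminDashboard : AuthorizedPage { }
```

This complements the web.config `location` rules above: the config gates the URL, the base page gates the postback path, and the LoginView only decides what is rendered.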


05-28 04:21