ASP.NET permission authentication: Forms authentication
Abstract:
Tomorrow is New Year's Eve and I have some idle time, so I would like to summarize some methods for permission authentication under .NET.
1. Forms authentication
Forms authentication is form-based authentication: the user proves who they are with an ID and password submitted through a login form, and authentication and authorization are then managed on that basis (ASP.NET issues an encrypted ticket and stores it in a cookie).
It is probably the type everyone is familiar with; anyone learning .NET will run into it.
Let's see how it works:
2. The figure alone is boring, so I have prepared a demo.
Because the default home page is IndexController/Index, the view for this page needs only one line, the word "Index".
OK, this page has no permission control at all, and it displays normally.
Next let's take a look at DefaultController/Index:
    using System.Web.Mvc;

    namespace Forms.Controllers
    {
        public class DefaultController : Controller
        {
            // Only requests carrying a valid forms ticket may reach this action.
            [Authorize]
            public ActionResult Index()
            {
                return View();
            }
        }
    }
Access: http://localhost:12463/default
As expected, we are not permitted to view it, because we have turned on permission authentication for this action:
    [Authorize]
    public ActionResult Index()
In production you generally do not want to expose this raw 401 error.
If the user has no logon credential, we send them to the logon page to authenticate and then back to the page they asked for.
Forms authentication supports setting the logon address (the loginUrl of the forms element) in web.config.
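The post does not reproduce the configuration itself, so here, as an added example and not the original post's file, is the web.config fragment that switches the application to Forms authentication and sets the logon address. The loginUrl value ~/login matches the post's login/index route and timeout matches the 20 minutes used in the ticket below; the remaining values are choices made for this example.

```xml
<!-- web.config (added example): enable Forms authentication and point
     unauthenticated requests at the login action. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- loginUrl:          where a 401 is redirected to; ASP.NET appends ?ReturnUrl=...
           timeout:           ticket lifetime in minutes (the post issues 20-minute tickets)
           requireSSL:        forms cookie is flagged Secure and only honoured over HTTPS
           slidingExpiration: renew the ticket on activity instead of a hard cutoff
           protection:        ticket is both encrypted and signed (the default)
           cookieless:        never fall back to putting the ticket in the URL -->
      <forms loginUrl="~/login"
             timeout="20"
             requireSSL="true"
             slidingExpiration="true"
             protection="All"
             cookieless="UseCookies" />
    </authentication>
  </system.web>
</configuration>
```

With requireSSL="true" the browser only sends the cookie over HTTPS and ASP.NET ignores a forms cookie that arrives over plain HTTP, so the http://localhost demo in this post needs either HTTPS or requireSSL="false" while developing. The ticket is encrypted and signed with the machineKey; on more than one server set that key explicitly so every node accepts the others' tickets.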
OK, let's try again: http://localhost:12463/default
We land on the login page as planned! Click login; if authentication succeeds, it jumps back to http://localhost:12463/default.
Let's look at the server-side logic of the login action:
    // Index action of the login/index route; needs System, System.Web,
    // System.Web.Mvc and System.Web.Security.
    public ActionResult Index()
    {
        var returnUrl = Request["ReturnUrl"];
        if (Request.HttpMethod == "POST")
        {
            var userid = Request["userid"];
            var password = Request["password"];
            // Demo only: the credentials are hard-coded.
            if (userid == "123456" && password == "123456")
            {
                // version, user name, issued, expires, persistent, user data (roles), cookie path
                var ticket = new FormsAuthenticationTicket(
                    1,
                    userid,
                    DateTime.Now,
                    DateTime.Now.AddMinutes(20),
                    true,
                    "role1,role2,role3",
                    "/");
                // Encrypt() signs and encrypts the ticket with the machineKey.
                var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
                cookie.HttpOnly = true;
                HttpContext.Response.Cookies.Add(cookie);
                // ReturnUrl is followed without being validated.
                return Redirect(returnUrl);
            }
        }
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }
OK, as expected! Simple permission authentication is now complete.
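The action above follows whatever ReturnUrl says and accepts the credentials on any request that happens to be a POST. As an added example (not the post's code), here is the same login with the checks a production version needs: the POST is separated from the GET, an anti-forgery token is required, the cookie honours requireSSL, and the redirect is only taken when ReturnUrl points back into this site (otherwise a link such as /login?ReturnUrl=https://evil.example would bounce a freshly authenticated user off-site). The controller name LoginController is assumed to match the post's login/index route, and CheckCredentials is a stand-in for a real user store.

```csharp
// Added example, not the original post's code.
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

namespace Forms.Controllers
{
    public class LoginController : Controller   // assumed name for the post's login/index route
    {
        [HttpGet]
        public ActionResult Index(string returnUrl)
        {
            ViewBag.ReturnUrl = returnUrl;
            return View();
        }

        [HttpPost]
        [ValidateAntiForgeryToken]              // the view must render @Html.AntiForgeryToken()
        public ActionResult Index(string userid, string password, string returnUrl)
        {
            if (!CheckCredentials(userid, password))
            {
                // Same message for unknown user and wrong password: no user enumeration.
                ModelState.AddModelError("", "Invalid user name or password.");
                ViewBag.ReturnUrl = returnUrl;
                return View();
            }

            var ticket = new FormsAuthenticationTicket(
                1, userid, DateTime.Now, DateTime.Now.AddMinutes(20),
                false,                               // not persistent: ends with the browser session
                "role1,role2,role3",                 // roles carried in UserData, as in the post
                FormsAuthentication.FormsCookiePath);

            var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
            {
                HttpOnly = true,                             // not readable from script
                Secure = FormsAuthentication.RequireSSL,     // follows requireSSL in web.config
                Path = FormsAuthentication.FormsCookiePath
            };
            Response.Cookies.Add(cookie);

            // Open-redirect check: only follow ReturnUrl if it is a path on this site.
            if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
                return Redirect(returnUrl);
            return RedirectToAction("Index", "Index");       // the post's default home page
        }

        // Hypothetical credential check; replace with Membership/Identity or your own store.
        private static bool CheckCredentials(string userid, string password)
        {
            return userid == "123456" && password == "123456";
        }
    }
}
```

Url.IsLocalUrl rejects absolute URLs and protocol-relative forms such as //evil.example, so the ReturnUrl that FormsAuthentication appends to the login redirect is still honoured while anything crafted by a third party is dropped.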
3. Add a role
What we have so far is plain login authentication. If the project needs fine-grained permission control, this is not enough.
For example, suppose IndexNeedRole4 should be available only to users holding role4:
    [MyAuthorize(Roles = "role4")]
    public ActionResult IndexNeedRole4()
    {
        return View();
    }
We need our own Authorize attribute, MyAuthorize, to verify the role (the same place where a user name check would go):
    using System;
    using System.Linq;
    using System.Web;
    using System.Web.Mvc;
    using System.Web.Security;

    public class MyAuthorizeAttribute : AuthorizeAttribute
    {
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            var cookie = httpContext.Request.Cookies[FormsAuthentication.FormsCookieName];
            if (cookie == null) return false;               // no ticket: deny, don't throw
            FormsAuthenticationTicket ticket;
            try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
            catch (Exception) { return false; }             // tampered cookie: fail closed
            if (ticket == null || ticket.Expired) return false;
            // UserData holds "role1,role2,role3"; match whole names, not substrings
            var userRoles = ticket.UserData.Split(',').Select(r => r.Trim());
            return Roles.Split(',').Select(r => r.Trim())
                        .Any(r => userRoles.Contains(r, StringComparer.OrdinalIgnoreCase));
        }
    }
After adding the code, let's try http://localhost:12463/default/IndexNeedRole4.
We are sent back to the login page.
Click login: the page just refreshes and all inputs are cleared.
This is expected, because the login logic in login/index puts only "role1,role2,role3" into the ticket.
Add role4:
    public ActionResult Index()
    {
        var returnUrl = Request["ReturnUrl"];
        if (Request.HttpMethod == "POST")
        {
            var userid = Request["userid"];
            var password = Request["password"];
            if (userid == "123456" && password == "123456")
            {
                var ticket = new FormsAuthenticationTicket(
                    1,
                    userid,
                    DateTime.Now,
                    DateTime.Now.AddMinutes(20),
                    true,
                    "role1,role2,role3,role4",   // role4 added to the ticket's UserData
                    "/");
                var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
                cookie.HttpOnly = true;
                HttpContext.Response.Cookies.Add(cookie);
                return Redirect(returnUrl);
            }
        }
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }
Click login again.
OK, it works as intended.
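MyAuthorize decrypts the cookie itself on every request. An alternative, shown here as an added example and not as the post's code, is to let the FormsAuthenticationModule validate the ticket and then, in Global.asax, turn the roles kept in UserData into the request's principal. After that the stock [Authorize(Roles = "role4")] and User.IsInRole("role4") work without a custom attribute. The class name MvcApplication is the default template name and an assumption here; the ticket format ("role1,role2,role3" in UserData) is the one the post issues.

```csharp
// Added example, not from the original post: hydrate roles from the forms ticket.
using System;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

namespace Forms
{
    public class MvcApplication : HttpApplication   // default template name, assumed
    {
        // Runs after FormsAuthenticationModule has decrypted and validated the ticket.
        // Expired or tampered tickets never get here: the module treats them as anonymous.
        protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
        {
            var identity = Context.User == null ? null : Context.User.Identity as FormsIdentity;
            if (identity == null || !identity.IsAuthenticated) return;   // anonymous request

            var roles = SplitRoles(identity.Ticket.UserData);
            // Replace the bare FormsIdentity principal with one that knows the roles,
            // so AuthorizeAttribute.Roles and User.IsInRole() can be used directly.
            Context.User = new GenericPrincipal(identity, roles);
        }

        // "role1,role2, role3" -> ["role1", "role2", "role3"]; tolerates blanks and spaces.
        internal static string[] SplitRoles(string userData)
        {
            if (string.IsNullOrEmpty(userData)) return new string[0];
            return userData.Split(',')
                           .Select(r => r.Trim())
                           .Where(r => r.Length > 0)
                           .ToArray();
        }
    }
}

// With the principal populated, the controller needs only the built-in attribute:
//
//     [Authorize(Roles = "role4")]
//     public ActionResult IndexNeedRole4() { return View(); }
```

Because the roles travel inside the signed ticket, a change of a user's roles only takes effect after re-login, and the roles are exactly as trustworthy as the machineKey that signs the ticket.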