Design of user rights in ASP.NET

Abstract: Based on the basic idea of RBAC, this paper uses the user control technology of ASP.NET to design a concrete method for implementing user privilege control in an e-commerce system.
Keywords: ASP.NET; role-based access control; user control
Introduction
E-commerce systems have high security requirements, and the traditional access control models DAC (discretionary access control) and MAC (mandatory access control) have difficulty meeting the needs of a complex enterprise environment. As a result, NIST (the United States National Institute of Standards and Technology) proposed a role-based access control approach in the early 1990s. It achieves a logical separation of users and access rights and is more in line with the characteristics of enterprise users, organizations, data, and applications. ASP.NET is the new generation of the ASP (Active Server Pages) scripting technology, introduced by Microsoft to compete with JSP; it borrows the advantages of JSP and has characteristics of its own.
This paper first introduces ASP.NET and the basic idea of RBAC (Role-Based Access Control), and on that basis gives a concrete method for implementing user rights control in an e-commerce system.
ASP.NET overview
1. ASP.NET
ASP.NET is the latest version of Microsoft's popular dynamic web programming technology Active Server Pages (ASP), but it is far more than a simple upgrade of traditional ASP. The biggest difference between ASP.NET and ASP is the change in programming thinking: ASP.NET is truly object-oriented, not just a feature enhancement.
In ASP.NET, a Web Forms page is made up of two parts: the visual elements (HTML, server controls, and static text) and the programming logic of the page. Each part is stored in a separate file. The visual elements are created in a file with the .aspx extension, and the code is in a separate class file, called the code-behind class file, with the extension .aspx.vb or .aspx.cs. In this way the .aspx file holds all the elements to be displayed, and the .aspx.vb or .aspx.cs file holds the logic.
2. User control (UserControl)
To let developers easily define controls as needed, ASP.NET introduces the concept of Web Forms user controls. In fact, a .aspx page can be converted into a web user control simply by renaming it with the .ascx extension. Like .aspx files, .ascx files also have a code-behind class file, with the extension .ascx.vb or .ascx.cs; the only difference is that a user control cannot run as a standalone Web Forms page and works only when it is included in a .aspx file.
Setting up a user control in a Web Forms page takes the following two steps:
(1) Register the user control in the .aspx file using the @ Register directive. For example, to register the header file Headinner.ascx under the relative path ".../usercontrol/", the directive is:
(2) Declare the user control element between the opening and closing tags of the server form (<form runat="server"> ... </form>). For example, the declaration of the control registered above is:
<acme:head runat="server"/>
In this way the control becomes part of the page and is rendered when the page is processed. The control's public properties, events, and methods are also exposed to the Web Forms page and can be used programmatically. Based on this principle, the actions that must be performed at every page initialization (such as logon verification and role validation) are encapsulated in the user control.
The basic idea of RBAC
The basic idea of RBAC (role-based access control) can be represented simply by a graph: the whole access control process is divided into two steps. Access rights are associated with roles, and roles are associated with users, thus realizing the logical separation of users and access rights.
Because RBAC realizes the logical separation of users and access rights, privilege management becomes very convenient. For example, if a user's position changes, it is enough to remove the user's current role and assign a role that represents the new job or task. Roles and their permissions change much more slowly than the role/user relationships, and assigning users to roles requires little technical skill, so it can be performed by administrators. Configuring the permissions of roles is complex and requires some technical skill, so it can be borne by specialized technicians, who in turn are not given the permission to assign users; this matches the division of responsibilities in reality.
Design and implementation of user permissions in .NET
In .NET, the basic idea of implementing permission control is as follows: according to the basic principle of role-based access control (RBAC), each user is assigned a role, and each role corresponds to a set of permissions; the ASP.NET user control (UserControl) is then used to determine whether the user's role has the right to access the page.
The following illustrates the implementation process in terms of database design, the addition of roles, and the use of user controls.
1. Design of the tables in the database
First, three tables are designed in the database: the function module table, the function table, and the role table.
(1) Function Module table
To manage user permissions, the modules of the system are first organized and a function module table is designed. See Table 1.
(2) Function table
Each function module has sub-functions, called functions. For example, the commodity management module Goods (which belongs to the function module category) contains five functions: commodity information query, commodity information update, commodity information deletion, commodity pricing information query, and commodity pricing information update. See Table 2 for the design of the function table.
The example above can be inserted into the function module table and the function table as the following records (module number, name, code, number of functions; function number FUNCNO, name, code, module number):
INSERT INTO Tmodule VALUES (0, 'Commodity Management module', 'Goods', 5);
INSERT INTO tfunction VALUES (0, 'Commodity information query', 'Selectgoods', 0);
INSERT INTO tfunction VALUES (1, 'Commodity information update', 'Updategoods', 0);
INSERT INTO tfunction VALUES (2, 'Commodity information deletion', 'Deletegoods', 0);
INSERT INTO tfunction VALUES (3, 'Commodity pricing information query', 'Selectgoodsprice', 0);
INSERT INTO tfunction VALUES (4, 'Commodity pricing information update', 'Updategoodsprice', 0);
(3) Role table
The key to the design of the role table is the definition of the role value, a binary-like string consisting of 0s and 1s. The FUNCNO (function number) field of the function table gives the position of that function within the Rolevalue (role value) field of the role table: if the value at that position is 0, the role does not have this permission; if it is 1, the role has it. Suppose the role value of the ordinary member role is 100100...00 (100 bits in total). As shown above, the function number of commodity information query is 0, and bit 0 of the role value 100100...00 is 1, so the ordinary member role has the commodity information query function. Conversely, bit 1 of the role value is 0, and function number 1 is commodity information update, so the ordinary member role does not have the right to update commodity information. Their relationships can be represented by a graph.
2. Adding a role
With the above tables, the function modules and their corresponding functions shown on the role page can be read from the function module table and the function table, as shown in Figure 3.
When a new role such as ordinary member is inserted into the database, all bits of the role value are first set to 0, and then the Replace function of the .NET Framework class library is used to change the bit at each granted function number of the role value to 1.
For example, add a new role named ordinary member that has the commodity information query function (function number 0) and the commodity pricing information query function (function number 3). Its role value should be 1001000...00 (100 bits), where bits 0 and 3 of the role value are 1 and the rest are 0.
3. Using the user control to implement access rights
Once the user control's .ascx file (Head.ascx) and .ascx.cs file (Head.ascx.cs) are defined, the control only has to be registered and declared in the .aspx file.
In practice, declaring the .ascx file in a .aspx file falls into several cases:
The first case: <acme:head runat="server"/>
The second case: <acme:head runat="server" flag="0" funcname1="Selectgoods" funcname2="Updategoods"/>
The third case: <acme:head runat="server" flag="1" funcname1="Selectgoods" funcname2="Updategoods"/>
The flag attribute controls how permissions are checked, and funcname refers to a function in the function table. If flag is empty, no permission check is performed (the first case). Otherwise, if flag == "0", only a user who has both the Selectgoods (commodity information query) and Updategoods (commodity information update) permissions has the right to view the page (the second case); if flag == "1", a user who has either the Selectgoods or the Updategoods permission has the right to view the page (the third case).
The permission-checking procedure above is implemented by the user control, and all of its methods are encapsulated in the .ascx.cs file. The most important of these is the method Checkauth(string roleid, string funcname), which checks whether a role has a certain permission. The idea of this method is shown in Figure 4.
In Figure 4, bit 0 of the Rolevalue (the function number of Selectgoods) is 1, indicating that the role has the Selectgoods (commodity information query) permission. In this way, all the logic of the permission check is encapsulated in the user control, so for a Web Forms .aspx page you only need to state, when importing the .ascx file, which permissions a user must have to access the page, without making any changes to the .aspx.cs file.
As noted above, as long as the user's permissions are controlled in the user control and the control is included in the .aspx file (which is what the author did), complex permission issues need not be considered when programming the individual pages.
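The following is an added example, not the paper's own code, that puts the pieces described above into one Head.ascx.cs: the role-value construction of section 2 (the "set all bits to 0, then set the granted FUNCNO bits to 1" step), the Checkauth(roleid, funcname) method of section 3, and the three declaration cases controlled by flag, funcname1 and funcname2. Everything not on the page is an assumption: the function table and role table are replaced by in-memory dictionaries built from the INSERT records above, the role id is assumed to be stored in Session["RoleId"] at logon, the logon page path ~/Login.aspx and the Src path of the @ Register directive are placeholders, and the property names Flag, FuncName1 and FuncName2 are chosen so that ASP.NET maps the lower-case attributes onto them.

```csharp
// Head.ascx.cs (added example; table lookups are in-memory stand-ins for the
// function table and role table, and Session["RoleId"] is an assumption).
//
// Registration and declaration in the .aspx file (Src path assumed):
//   <%@ Register TagPrefix="acme" TagName="head" Src="~/usercontrol/Head.ascx" %>
//   <acme:head runat="server" flag="0" funcname1="Selectgoods" funcname2="Updategoods" />
using System;
using System.Collections.Generic;
using System.Web.UI;

// Permission logic kept free of ASP.NET types so it can be unit-tested on its own.
public static class RoleAuth
{
    public const int RoleValueLength = 100;   // role values are 100-bit strings (section 1(3))

    // Function table records from the page: function code -> FUNCNO (constructed lookup).
    public static readonly IDictionary<string, int> FunctionTable =
        new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase)
        {
            { "Selectgoods", 0 }, { "Updategoods", 1 }, { "Deletegoods", 2 },
            { "Selectgoodsprice", 3 }, { "Updategoodsprice", 4 },
        };

    // Role table stand-in: role id -> role value. Role "1" is the ordinary member
    // of section 2, granted function numbers 0 and 3 (role value 1001000...00).
    public static readonly IDictionary<string, string> RoleTable =
        new Dictionary<string, string> { { "1", BuildRoleValue(new[] { 0, 3 }) } };

    // Section 2: start from all zeros and set bit FUNCNO to '1' for every granted function.
    // A char array is used rather than String.Replace, because Replace would change every
    // matching character instead of the one at a given position.
    public static string BuildRoleValue(IEnumerable<int> grantedFuncNos)
    {
        char[] bits = new string('0', RoleValueLength).ToCharArray();
        foreach (int funcNo in grantedFuncNos)
        {
            if (funcNo < 0 || funcNo >= RoleValueLength)
                throw new ArgumentOutOfRangeException("grantedFuncNos", "FUNCNO outside the role value");
            bits[funcNo] = '1';
        }
        return new string(bits);
    }

    // Checkauth(roleid, funcname): look up FUNCNO and read that bit of the role value.
    // An unknown role or function, or a malformed role value, yields "no permission".
    public static bool CheckAuth(string roleId, string funcName)
    {
        string roleValue;
        int funcNo;
        if (roleId == null || funcName == null) return false;
        if (!RoleTable.TryGetValue(roleId, out roleValue)) return false;
        if (!FunctionTable.TryGetValue(funcName, out funcNo)) return false;
        if (roleValue.Length != RoleValueLength) return false;
        return roleValue[funcNo] == '1';
    }

    // The three declaration cases of section 3: empty flag = no check,
    // "0" = both functions required, "1" = either function is enough.
    public static bool PageAllowed(string roleId, string flag, string funcName1, string funcName2)
    {
        if (string.IsNullOrEmpty(flag)) return true;
        bool has1 = CheckAuth(roleId, funcName1);
        bool has2 = CheckAuth(roleId, funcName2);
        if (flag == "0") return has1 && has2;
        if (flag == "1") return has1 || has2;
        return false;   // any other flag value is a configuration error: fail closed
    }
}

// Code-behind class of Head.ascx. ASP.NET assigns the flag/funcname1/funcname2
// attributes of the declaration to these public properties (names are matched ignoring case).
public partial class Head : UserControl
{
    public string Flag { get; set; }
    public string FuncName1 { get; set; }
    public string FuncName2 { get; set; }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Assumption: the logon page stored the user's role id in session.
        string roleId = Session["RoleId"] as string;
        if (roleId == null)
        {
            Response.Redirect("~/Login.aspx", true);   // assumed logon page path
            return;
        }
        if (!RoleAuth.PageAllowed(roleId, Flag, FuncName1, FuncName2))
        {
            Response.StatusCode = 403;   // role lacks the required function(s)
            Response.End();
        }
    }
}
```

With the ordinary member role ("1"), RoleAuth.PageAllowed("1", "0", "Selectgoods", "Updategoods") is false because bit 1 is 0, while RoleAuth.PageAllowed("1", "1", "Selectgoods", "Updategoods") is true because bit 0 is 1; an empty flag always returns true, matching the first declaration case. Keeping the check in Page_Load of the control means every page that declares the control is covered before its own code-behind runs, which is the property the paper relies on.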
Conclusion
In the practice of developing an e-commerce system, the company attaches great importance to controlling the rights of users in the system. Therefore, designing a simple, convenient, and effective authority control mechanism for the e-commerce system is essential. The design and implementation of user rights for an e-commerce system based on ASP.NET described here has been validated in practical work, and modifying the operations of a specified permission group is very convenient.