In the past, development projects often developed a set of user permission management systems for verification, which is flexible. Recently, I checked the self-built authentication method of ASP. net for the Single Sign-On problem, and found that this method is more convenient and the function is also available. In ASP. NET provides three common authentication methods: Windows and IIS can be combined to achieve basic, abstract, integrated windows and other authentication; passport uses Windows Live ID accounts for unified authentication. Forms use common forms for verification.
This article mainly discusses the Common Implementation of Forms authentication, custom implementation, user-defined role providers, and how to use single sign-on (can be combined with MOSS.
I. Common Implementation Methods
This method is the simplest. You only need to configure it.
1. Run the aspnet_regsql command to create a database.
The aspnet_regsql command inC:/Windows/Microsoft. NET/framework/v2.0.50727Directory, run as prompted.
2. Create a web site
Add configuration in Web. config:
<Connectionstrings>
<Add name = "mysqlconnection" connectionstring = "Data Source = dbserver; initial catalog = database; user id = userid; Password = *****;"/>
</Connectionstrings>
<System. Web>
<Authorization>
<Deny users = "? "/>
</Authorization>
<Authentication mode = "forms">
<Forms loginurl = "login. aspx" name = ". aspxauth"/>
</Authentication>
<Membership defaultprovider = "sqlprovider">
<Providers>
<Clear/>
<Add connectionstringname = "mysqlconnection" applicationname = "myapplication"
Enablepasswordretrieval = "false" enablepasswordreset = "true" requiresquestionandanswer = "true"
Requiresuniqueemail = "true" passwordformat = "hashed" name = "sqlprovider"
Type = "system. Web. Security. sqlmembershipprovider"/>
</Providers>
</Membership>
</System. Web>
It mainly specifies the database used for Forms authentication. If no database is specified, the local default aspnetdb database will be used.
Deny users = "? "Anonymous users are not allowed to access the login. ASPX page configured below.
For details about other attributes in the authorization and authentication sections, refer to msdn.
3. Create the default. aspx and login. aspx pages on the website.
In login. put the login and createuserwizard controls in the ASPX page (because one user in the new library does not exist, the createuserwizard control is only used to create a test user. After the user is created, delete the control)
Add some content to the default. aspx page.
When we access default. aspx, it is automatically transferred to login. aspx for verification.
Ii. Custom implementation
When using the first method, a database is required. Many tables may not meet our own business requirements. You can use the following custom methods:
1. Use the authenticate event of the login Control
This event is used for verification and can be verified by specifying the true value:
Protected void login=authenticate (Object sender, authenticateeventargs E)
{
// Determine whether the user name and password are correct
//
E. Authenticated = true;
}
2. Write your own code by dropping all the login and other controls.
In fact, the core of the login control is to put some values into the cookie, so we can perform this operation in our own code:
Protected void button#click (Object sender, eventargs E)
{
// Determine whether the user name and password are correct
//.
Formsauthentication. setauthcookie (username, false );
If (context. request ["returnurl"]! = NULL)
{
Response. Redirect (context. request ["returnurl"]);
}
Else
{
Response. Redirect (formsauthentication. defaulturl );
}
}
If you use the above two methods, you do not need to create a default database and use our logic for verification.
3. Custom role providers
All of the above are user-level authentication. In some cases, it is necessary to verify based on the role. For example, specifying a directory or An ASPX file can only be accessed by users of which roles, it is more convenient and flexible to Control Based on roles.
1. Save the role information to the cookie during login verification:
Protected void button#click (Object sender, eventargs E)
{
// Determine whether the user name and password are correct
//.
// Get the role of the user, and write it to death temporarily during the test
String userroles = "admins, testst ";
Formsauthenticationticket ticket = new formsauthenticationticket (1, user, datetime. Now, datetime. Now. addminutes (30), false, userroles ,"/");
String hashticket = formsauthentication. Encrypt (ticket );
// Save the role information to the cookie
Httpcookie usercookie = new httpcookie (formsauthentication. formscookiename, hashticket );
Response. Cookies. Add (usercookie );
If (context. request ["returnurl"]! = NULL)
{
Response. Redirect (context. request ["returnurl"]);
}
Else
{
Response. Redirect (formsauthentication. defaulturl );
}
}
Encrypt role information into a specific format and save it.