Implementing Anonymous Access Control in ASP.NET
I know two ways to control anonymous access to a website: one through IIS, the other through ASP.NET. Functionally I see no difference between the two, but the ASP.NET approach makes management and maintenance easier.
The IIS implementation is straightforward. You can set access permissions on folders or on individual files (pages): IIS provides "Directory Security" and "File Security" settings where you assign permissions directly to different kinds of visitors, and anonymous access control is one of the options offered.
The ASP.NET approach:
First, the idea behind the example. After a user logs on to the website, we store the user's information in a cookie that marks the user as authenticated. When the user then requests other pages, each page can directly check whether the user's identity has been verified: if so, the page is served; if the user is an unauthenticated anonymous user (that is, not logged on), the logon page is shown instead, prompting the user to log on. Only the user registration page is set to allow anonymous access, because the business logic requires registering before logging on.
On the logon page you first verify the user name and password, either against a database or against Active Directory. Then you mark the current user as authenticated in the cookie with the following method, which also redirects the user back to the page that was requested before the jump to the logon page:
FormsAuthentication.RedirectFromLoginPage(userName, createPersistentCookie);
For example, with the e-mail text box and the "persistent cookie" check box used on the logon page later in this article:
FormsAuthentication.RedirectFromLoginPage(UserEmail.Value, PersistCookie.Checked);
On a page the user requests directly, we verify the user with the following property:
Context.User.Identity.IsAuthenticated
Context: gets the System.Web.HttpContext object associated with the page.
User: gets or sets the security information (an IPrincipal) for the current HTTP request.
Identity: gets the identity (an IIdentity) of the current user.
IsAuthenticated: gets a bool value indicating whether the user has been authenticated.
Then we configure security in Web.config:
<authentication mode="Forms">
  <forms loginUrl="login.aspx" />
</authentication>
With mode="Forms", you provide a custom form (web page) for users to enter their credentials, and your application verifies their identity. A token representing the authenticated user is then stored in a cookie.
<authorization>
  <deny users="?" />
</authorization>
deny blocks access; users="?" stands for anonymous (unauthenticated) users, while users="*" would mean all users.
<location path="newuser.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
newuser.aspx is the new-user registration page; the <location> element overrides the root rule for that one page so that anyone can access it.
In this way, access control for anonymous users is implemented.
For confidential directories, proceed as follows:
We set up a secret directory (a "security directory") that only specific users, such as the Administrator, are permitted to access. First check whether a Web.config file exists in the root directory of your web application; if not, create one. You can also create a Web.config in a subdirectory, though such a file is limited (some parameters cannot be set there). To enable security authentication, find
<authentication mode="Windows" />
and change it to
<authentication mode="Forms">
  <forms name="amuhouse.aspxauth"
         loginUrl="login.aspx"
         protection="All"
         path="/" />
</authentication>
<authorization>
  <allow users="*" />
</authorization>
In name="amuhouse.aspxauth" above, the cookie name amuhouse.aspxauth is arbitrary. To control the permissions of users or user groups we can use either of two methods: the first is to add <location> sections to the root Web.config, the second is to create an independent Web.config file under the secret directory (the latter is probably better). For the former, the root Web.config should contain the following (or similar) content:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="amuhouse.aspxauth"
             loginUrl="login.aspx"
             protection="All"
             path="/" />
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <location path="admin">
    <system.web>
      <authorization>
        <!-- Note: the order and case of the following lines matter!
             Rules are evaluated top to bottom and the first match wins. -->
        <allow roles="Administrator" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="user">
    <system.web>
      <authorization>
        <!-- Note: the order and case of the following lines matter!
             Rules are evaluated top to bottom and the first match wins. -->
        <allow roles="user" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
To keep the web application's directories independent of one another, so that they can easily be renamed or moved, you can instead place a separate Web.config file in each security subdirectory. It only needs to configure the <authorization/> node, as follows:
<configuration>
  <system.web>
    <authorization>
      <!-- Note: the order and case of the following lines matter!
           Rules are evaluated top to bottom and the first match wins. -->
      <allow roles="Administrator" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
Note that the role names above are case-sensitive. For convenience, you can list both spellings:
<allow roles="Administrator, administrator" />
If you want to allow or deny several roles for this directory, separate them with commas, for example:
<allow roles="Administrator, Member, user" />
<deny users="*" />
Now we have configured a role-based security authentication mechanism for the website. Compile your program, then try to access a confidential directory such as http://localhost/rolebasedauth/admin. You will be redirected to the user logon page; if you log on successfully and your role is allowed into this directory, you are returned to it. Some users (or intruders) may try repeatedly to get into the confidential directory. We can use a session variable to store the number of failed logon attempts, and once that number exceeds a certain limit, refuse further logons with a message such as "The system rejects your logon request!".
Next, we discuss how to show different content in web controls depending on the user's role.
Sometimes it is better to display content according to the user's role, because you may not want to create many pages with largely duplicated content for many different roles (user groups). On such a site several kinds of user account can coexist, and paid accounts can see additional paid content. As another example, a page shows a "go to back-end management" button linking to the management page only if the current user is in the "Administrator" (senior administrator) role. Let us implement that page now.
The GenericPrincipal class we use implements the IPrincipal interface, which has a method named IsInRole(). Its parameter is a string, the name of the role to check. To show content only to logged-on users whose role is "Administrator", add the following code in Page_Load:
if (User.IsInRole("Administrator"))
    AdminLink.Visible = true;
The complete page is as follows (for simplicity, the code-behind is written inline on the ASPX page):
<html>
<head>
  <title>Welcome!</title>
  <script runat="server">
    protected void Page_Load(object sender, EventArgs e)
    {
        // Show the management link only to members of the Administrator role.
        if (User.IsInRole("Administrator"))
            AdminLink.Visible = true;
        else
            AdminLink.Visible = false;
    }
  </script>
</head>
<body>
  <h2>Welcome!</h2>
  <p>Welcome to AmuHouse http://amuhouse.com/ ^_^</p>
  <asp:HyperLink id="AdminLink" runat="server"
      Text="Management Homepage" NavigateUrl="./admin" />
</body>
</html>
In this way, the hyperlink control pointing at the admin directory is displayed only to users in the Administrator role. You can also show a link to the logon page to users who are not logged on, for example:
protected void Page_Load(object sender, System.EventArgs e)
{
    if (User.IsInRole("Administrator"))
    {
        AdminLink.Text = "Administrator";
        AdminLink.NavigateUrl = "./admin";
    }
    else if (User.IsInRole("user"))
    {
        AdminLink.Text = "Registered users";
        AdminLink.NavigateUrl = "./user";
    }
    else
    {
        AdminLink.Text = "Log on";
        // URL-encode the path so that it survives as a single query-string value.
        AdminLink.NavigateUrl = "login.aspx?ReturnUrl=" + HttpUtility.UrlEncode(Request.Path);
    }
}
Here we set the query-string variable ReturnUrl so that, after a successful logon, RedirectFromLoginPage sends the user back to the current page.
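The IsInRole() checks above, and the <allow roles="..."/> rules in Web.config, only succeed if the principal attached to the request actually carries role names. A plain Forms ticket carries none; the roles have to be put into the ticket's UserData field at logon and read back on every request. The following Global.asax code is an added example, not code from the article or from AmuHouse, showing that step. It assumes the logon page wrote a comma-separated role list into UserData; the helper name RolesFromTicket is my own.

```csharp
// Added example: rebuild the request principal from the Forms ticket so that
// User.IsInRole() and URL authorization rules see the roles stored in UserData.
// This must run in AuthenticateRequest: UrlAuthorizationModule evaluates the
// <authorization> rules in the later AuthorizeRequest stage.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // Anonymous request: leave the principal alone, the <deny users="?"/>
        // rule will handle it.
        if (Context.User == null || !Context.User.Identity.IsAuthenticated)
            return;

        // Only Forms tickets carry UserData; ignore other authentication modes.
        FormsIdentity identity = Context.User.Identity as FormsIdentity;
        if (identity == null)
            return;

        string[] roles = RolesFromTicket(identity.Ticket);
        Context.User = new GenericPrincipal(identity, roles);
    }

    // Splits UserData (assumed format: "Administrator,user") into role names,
    // trimming whitespace and dropping empty entries. Keep the spelling of the
    // roles identical to the one used in Web.config, since the article notes
    // that role comparison is case-sensitive.
    public static string[] RolesFromTicket(FormsAuthenticationTicket ticket)
    {
        if (ticket == null || ticket.Expired || string.IsNullOrEmpty(ticket.UserData))
            return new string[0];

        List<string> roles = new List<string>();
        foreach (string part in ticket.UserData.Split(','))
        {
            string role = part.Trim();
            if (role.Length > 0)
                roles.Add(role);
        }
        return roles.ToArray();
    }
}
```

Because the ticket is encrypted and signed with the machine key (protection="All"), the role list cannot be altered on the client; what a user can do is present an old ticket, so keep the timeout short and re-check roles against the store for sensitive operations.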
The following is a simple, complete example:
Default.aspx:
<%@ Import Namespace="System.Web.Security" %>
<html>
<script language="C#" runat="server">
    void Page_Load(object src, EventArgs e)
    {
        // HTML-encode the name: it originally came from the e-mail box on the logon page.
        Welcome.Text = "Hello, " + HttpUtility.HtmlEncode(User.Identity.Name);
    }
    void SignOut_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();
        Response.Redirect("login.aspx");
    }
</script>
<body>
  <h3>Using cookie authentication</h3>
  <form runat="server">
    <h3><asp:Label id="Welcome" runat="server" /></h3>
    <asp:Button Text="Logout" OnClick="SignOut_Click" runat="server" />
  </form>
</body>
</html>
Login.aspx:
<%@ Import Namespace="System.Web.Security" %>
<html>
<script language="C#" runat="server">
    void Login_Click(object sender, EventArgs e)
    {
        // Demo only: two hard-coded accounts. A real logon page verifies the
        // credentials against a database or Active Directory as described above.
        if ((UserEmail.Value == "jdoe@somewhere.com" && UserPass.Value == "password")
            || (UserEmail.Value == "mary@somewhere.com" && UserPass.Value == "password"))
        {
            FormsAuthentication.RedirectFromLoginPage(UserEmail.Value, PersistCookie.Checked);
        }
        else
        {
            Msg.Text = "Invalid credentials: please try again";
        }
    }
</script>
<body>
  <form runat="server">
    <h3>Logon page</h3>
    <table>
      <tr>
        <td>Email:</td>
        <td><input id="UserEmail" type="text" runat="server" /></td>
        <td><asp:RequiredFieldValidator ControlToValidate="UserEmail" Display="Static" ErrorMessage="*" runat="server" /></td>
      </tr>
      <tr>
        <td>Password:</td>
        <td><input id="UserPass" type="password" runat="server" /></td>
        <td><asp:RequiredFieldValidator ControlToValidate="UserPass" Display="Static" ErrorMessage="*" runat="server" /></td>
      </tr>
      <tr>
        <td>Persistent cookie:</td>
        <td><asp:CheckBox id="PersistCookie" runat="server" /></td>
        <td></td>
      </tr>
    </table>
    <asp:Button Text="Login" OnClick="Login_Click" runat="server" />
    <p>
    <asp:Label id="Msg" ForeColor="red" Font-Name="Verdana" Font-Size="10" runat="server" />
  </form>
</body>
</html>
Web.config (note the explicit deny for jdoe@somewhere.com: a named user can be refused even after authenticating successfully):
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".ASPXUSERDEMO" loginUrl="login.aspx" protection="All" timeout="60" />
    </authentication>
    <authorization>
      <deny users="jdoe@somewhere.com" />
      <deny users="?" />
    </authorization>
    <globalization requestEncoding="UTF-8" responseEncoding="UTF-8" />
  </system.web>
</configuration>
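The Login_Click handler in Login.aspx compares hard-coded passwords, which is fine for a demo but not for a site. As an added example, not code from the article or from AmuHouse, here is a hardened version of that handler as a code-behind class. It replaces the literal comparison with a PBKDF2 hash check against a constructed in-memory user store (standing in for the database or Active Directory lookup the text mentions), counts failed attempts in Session as the text suggests for the "rejects your logon request" case, and issues a Forms ticket that carries the user's roles in UserData. The names UserStore, StoredUser, LoginPage and MaxFailedLogins, and the two sample accounts, are my own assumptions.

```csharp
// Added example: hardened logon handler for the Login.aspx form above.
// Wire it up with <%@ Page Inherits="LoginPage" %> and the existing
// <asp:Button OnClick="Login_Click" ...>; the control ids match the page.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;

public class StoredUser
{
    public byte[] Salt;     // per-user random salt
    public byte[] Hash;     // PBKDF2(password, Salt), 32 bytes
    public string Roles;    // comma-separated, e.g. "Administrator,user"
}

public static class UserStore
{
    const int Iterations = 100000;
    static readonly Dictionary<string, StoredUser> users =
        new Dictionary<string, StoredUser>(StringComparer.OrdinalIgnoreCase);

    static UserStore()
    {
        // Constructed sample accounts; a real store loads these from a database or AD.
        Add("jdoe@somewhere.com", "password", "Administrator");
        Add("mary@somewhere.com", "password", "user");
    }

    static void Add(string email, string password, string roles)
    {
        byte[] salt = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(salt);
        users[email] = new StoredUser { Salt = salt, Hash = Derive(password, salt), Roles = roles };
    }

    static byte[] Derive(string password, byte[] salt)
    {
        return new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(32);
    }

    // Returns the user's role list on success, null on failure. The byte
    // comparison is constant-time so a mismatch does not leak where it occurred.
    public static string ValidateCredentials(string email, string password)
    {
        StoredUser user;
        if (email == null || password == null || !users.TryGetValue(email, out user))
            return null;
        byte[] candidate = Derive(password, user.Salt);
        int diff = 0;
        for (int i = 0; i < candidate.Length; i++)
            diff |= candidate[i] ^ user.Hash[i];
        return diff == 0 ? user.Roles : null;
    }
}

public class LoginPage : Page
{
    const int MaxFailedLogins = 5;   // assumed threshold for this session
    protected HtmlInputText UserEmail;
    protected HtmlInputText UserPass;
    protected CheckBox PersistCookie;
    protected Label Msg;

    protected void Login_Click(object sender, EventArgs e)
    {
        int failed = Session["FailedLogins"] == null ? 0 : (int)Session["FailedLogins"];
        if (failed >= MaxFailedLogins)
        {
            Msg.Text = "The system rejects your logon request!";
            return;
        }

        string roles = UserStore.ValidateCredentials(UserEmail.Value, UserPass.Value);
        if (roles == null)
        {
            Session["FailedLogins"] = failed + 1;
            Msg.Text = "Invalid credentials: please try again";
            return;
        }
        Session.Remove("FailedLogins");

        // Build the ticket by hand instead of RedirectFromLoginPage so that the
        // roles travel in UserData, where Application_AuthenticateRequest can read them.
        bool persistent = PersistCookie.Checked;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, UserEmail.Value, DateTime.Now, DateTime.Now.AddMinutes(60), persistent, roles);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                      // not readable by client script
        cookie.Secure = Request.IsSecureConnection;  // HTTPS-only when the site uses HTTPS
        if (persistent)
            cookie.Expires = ticket.Expiration;
        Response.Cookies.Add(cookie);

        // Same redirect RedirectFromLoginPage performs, honouring ReturnUrl.
        Response.Redirect(FormsAuthentication.GetRedirectUrl(UserEmail.Value, persistent));
    }
}
```

A Session-based counter, as the article proposes, only slows down a client that keeps its session cookie; a client that discards the cookie gets a fresh count, so a per-account counter kept in the user store (and logged, so repeated failures are visible in monitoring) is the stronger form of the same idea.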