Design and Implementation of ASP.NET System User Permissions

Source: Internet
Author: User


E-commerce systems have high security requirements. The traditional access control methods, DAC (Discretionary Access Control) and MAC (Mandatory Access Control), have difficulty meeting the requirements of complex enterprise environments. NIST (the National Institute of Standards and Technology) therefore proposed Role-Based Access Control in the early 1990s, which logically separates users from access permissions and better matches the characteristics of an enterprise's users, organization, data and applications. ASP.NET is the new generation of Microsoft's ASP (Active Server Pages), launched to compete with JSP; it draws on the advantages of JSP and adds some new features.

This article first introduces the basics of ASP.NET and the basic idea of RBAC (Role-Based Access Control). On this basis, it presents a specific method for implementing user permission control in e-commerce systems.

ASP.NET Overview


ASP.NET is the latest version of Microsoft's popular dynamic web programming technology, Active Server Pages (ASP), but it is far more than a simple upgrade of traditional ASP. The biggest difference between ASP.NET and ASP lies in the change of programming mindset: ASP.NET is truly object-oriented, not merely an enhancement of ASP's functions.

In ASP.NET, a Web Forms page consists of two parts: the visual elements (HTML, server controls and static text) and the page's programming logic. Each part is stored in a separate file. The visual elements are created in the .aspx file, and the code is located in a separate class file, called the code-behind class file, with the extension .aspx.vb or .aspx.cs. In this way the .aspx file stores all the elements to be displayed, and the .aspx.vb or .aspx.cs file stores the logic.

2. User Controls

To let developers easily define controls as needed, ASP.NET introduces the concept of Web Forms user controls. In fact, an .aspx page can be converted into a Web user control simply by giving it the extension .ascx. Like the .aspx file, the .ascx file has a code-behind class file that stores its logic, with the extension .ascx.vb or .ascx.cs. A user control cannot be run as an independent Web Forms page, however; it only works when it is included in an .aspx file.

Two steps are needed to place a user control on a Web Forms page:

(1) Register the user control in the .aspx file with the @ Register directive. To register the header file headinner.ascx located in the relative path "../usercontrol/", use:

<%@ Register TagPrefix="Acme" TagName="head" Src="../usercontrol/headinner.ascx" %>

(2) Declare the user control element between the opening and closing tags of the server-side form (<form runat="server"> ... </form>). For example, to declare the control registered above:

<Acme:Head runat="server" />

In this way the control becomes part of the page and is rendered when the page is processed. In addition, the public properties, events and methods of the control are exposed to the Web Forms page and can be used programmatically. Based on this principle, the operations to be performed during page initialization (such as logon verification and role verification) can be encapsulated in the user control.

RBAC Basic Ideas

The basic idea of RBAC (Role-Based Access Control) can be expressed simply by Figure 1: the whole access control process is divided into two steps, associating access permissions with roles and associating roles with users, which logically separates users from access permissions.

RBAC's logical separation of users from access permissions greatly simplifies permission management. For example, if a user's position changes, only the user's current role needs to be removed and the role representing the new position or task added. Relationships between roles and permissions change much more slowly than relationships between users and roles. Assigning a user to a role requires little technical skill and can be done by administrative staff, whereas configuring permissions for roles is complicated and requires some technical skill, so it can be undertaken by dedicated technical personnel. Users are never assigned permissions directly, which mirrors how responsibilities are assigned in reality.

Design and Implementation of User Permissions in .NET

Using .NET, follow the basic principle of role-based access control (RBAC): assign roles to users, give each role a set of permissions, and then use ASP.NET to determine whether the user's role has the right to access a page.

The implementation is described below from three aspects: database design, adding roles, and using user controls.

1. Design of the database tables

First, design three tables in the database: the function module table, the function table and the role table.

(1) Function module table

To manage user permissions, the system's modules must first be organized and a function module table designed for them. See Table 1.

(2) Function table

Each function module has sub-functions. For example, the product management module (goods) has five functions: product information query, product information update, product information deletion, product pricing information query and product pricing information update. Table 2 is designed for the function table.

For the example above, the following records are inserted into the function module table and the function table respectively:

-- Column order assumed from the text: module no., module name, English name, number of functions.
INSERT INTO tmodule VALUES (0, 'product management module', 'goods', 5);
-- Column order assumed from the text: function no. (funcno), function name, English name, module no.
INSERT INTO tfunction VALUES (0, 'product information query', 'selectgoods', 0);
INSERT INTO tfunction VALUES (1, 'product information update', 'updategoods', 0);
INSERT INTO tfunction VALUES (2, 'product information deletion', 'deletegoods', 0);
INSERT INTO tfunction VALUES (3, 'product pricing information query', 'selectgoodsprice', 0);
INSERT INTO tfunction VALUES (4, 'product pricing information update', 'updategoodsprice', 0);

(3) role table

The key to designing the role table is the definition of the role value (rolevalue): a string of 0s and 1s resembling a binary number. The funcno field of the function table gives the position of that function within the rolevalue field of the role table. If the character at that position is 0, the role does not have the permission; if it is 1, the role has it. For example, the role value of a common member is 100100...00 (100 bits in total). As shown above, the product information query function has number 0, and bit 0 of the role value 100100...00 is 1, so the common member role has the product information query function. Conversely, bit 1 of this role value is 0, and function number 1 is product information update, so the common member role does not have permission to update product information. Their relationships are shown in Figure 2.

2. Adding a role

With the above tables, the function modules shown on the role page and their corresponding functions can be read from the function module table and the function table, as shown in Figure 3.


When a new role such as "common member" is inserted into the database, all bits of the role value are first set to 0, and the Replace function of the .NET Framework class library is then used to change the bit at the function number of each checked function to 1.

For example, a new role named "common member" has two functions: product information query (function no. 0) and product pricing information query (function no. 3). Its role value is therefore 1001000......00 (100 bits): bits 0 and 3 are 1 and all other bits are 0.

3. Using user controls for access checks

After defining the user control's .ascx file (head.ascx) and its .ascx.cs code-behind file, register and declare it in the .aspx file.

(1) Registration

<%@ Register TagPrefix="Acme" TagName="head" Src="../usercontrol/headinner.ascx" %>

(2) Declaration

In practice, the declaration of the .ascx file in the .aspx file falls into several cases:

Case 1: <Acme:Head runat="server" />

Case 2: <Acme:Head runat="server" flag="0" funcname1="selectgoods" funcname2="updategoods" />

Case 3: <Acme:Head runat="server" flag="1" funcname1="selectgoods" funcname2="updategoods" />

The flag attribute controls how the permission check is performed, and funcname gives the English name of a function in the function table. If flag is empty, no permission check is executed (case 1). If flag="0", the user's role must have both the selectgoods (product information query) and updategoods (product information update) permissions to view the page (case 2). If flag="1", a user whose role has either of the two permissions, selectgoods or updategoods, may view the page (case 3).

The whole permission check is implemented by the user control, and all of its methods are encapsulated in the .ascx.cs file. The primary method, checkauth(string roleid, string funcname), checks whether a role has a given permission; its idea is shown in Figure 4.

In Figure 4, bit 0 of rolevalue (the function number of selectgoods) is 1, indicating that the role has the selectgoods permission. In this way all permission-check logic is encapsulated in the user control, so a Web Forms page's .aspx file only needs to import the .ascx file and state, in the declaration, the permissions a user must have to access the page; no change to the .aspx.cs file is needed.

From the above, as long as user permissions are controlled in the user control and it is included in the .aspx file (this was originally done by the author), developers do not have to worry about complicated permission handling while programming.
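The role value encoding of section 1(3), the bit-setting of section 2 and the checkauth/flag rule of section 3 are shown together below as an added example; it is not the article's code. The tfunction lookup is a constructed in-memory dictionary standing in for the database query, and the method names and the 100-bit length are assumptions taken from the text.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

// Added example (not the article's code): the 100-bit rolevalue string and the checkauth logic.
public static class RolePermissions
{
    public const int RoleValueLength = 100;
    // Constructed stand-in for the tfunction table: English function name -> funcno.
    public static readonly Dictionary<string, int> FunctionNumbers =
        new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase) {
            { "selectgoods", 0 }, { "updategoods", 1 }, { "deletegoods", 2 },
            { "selectgoodsprice", 3 }, { "updategoodsprice", 4 } };

    // Adding a role: start from all 0s, then set the bit of every checked function to 1.
    public static string BuildRoleValue(IEnumerable<int> checkedFuncNos)
    {
        var bits = new StringBuilder(new string('0', RoleValueLength));
        foreach (int n in checkedFuncNos)
        {
            if (n < 0 || n >= RoleValueLength) throw new ArgumentOutOfRangeException("checkedFuncNos");
            bits[n] = '1';
        }
        return bits.ToString();
    }

    // checkauth: the role holds the function when the character at its funcno is '1'.
    // An unknown function name or a missing/short role value fails closed (deny).
    public static bool CheckAuth(string roleValue, string funcName)
    {
        int funcNo;
        if (roleValue == null || funcName == null || !FunctionNumbers.TryGetValue(funcName, out funcNo))
            return false;
        return funcNo < roleValue.Length && roleValue[funcNo] == '1';
    }

    // The head.ascx flag rule: empty flag = no check, "0" = both functions needed, "1" = either.
    public static bool PageAllowed(string flag, string roleValue, string funcName1, string funcName2)
    {
        if (string.IsNullOrEmpty(flag)) return true;
        bool first = CheckAuth(roleValue, funcName1), second = CheckAuth(roleValue, funcName2);
        if (flag == "0") return first && second;
        if (flag == "1") return first || second;
        return false; // any other flag value is a misconfiguration: deny rather than allow
    }

    public static void Main()
    {
        string member = BuildRoleValue(new[] { 0, 3 }); // "common member": funcno 0 and 3 set
        Console.WriteLine(member.Substring(0, 8));                                 // first 8 bits
        Console.WriteLine(PageAllowed("0", member, "selectgoods", "updategoods")); // both required
        Console.WriteLine(PageAllowed("1", member, "selectgoods", "updategoods")); // either suffices
    }
}
```

Because the check lives in the user control, an .aspx page that omits the control declaration gets no check at all, so the scheme depends on reviewing which pages include it. The fail-closed branches (unknown function name, short role value, unrecognised flag) keep a misconfigured declaration from silently granting access.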


While developing an e-commerce system in practice, the author found that the company attached great importance to permission control for system users. Designing a simple, convenient and effective permission control mechanism is therefore essential for e-commerce systems. The design and implementation of user permissions for ASP.NET-based e-commerce systems described here has been verified in actual work, and modifying the operations of a specified permission group is very convenient.
