ASP.NET General Permission Component: Design Ideas

Source: Internet
Author: User

Introduction

No system can do without access control, and the particular way B/S (browser/server) systems work makes permissions especially cumbersome to control. The idea here is to make use of how IIS works: check permissions by examining the URL at the single entry or exit point where IIS processes a client request. This reduces the permission validation code that normally has to be added to every page or button.

Common permission validation model

Ordinary permission validation is sufficient if it controls access at the menu (page) level; a somewhat more complex system also needs control at the button (function point) level. This requires several things:

1. Build the menu according to permissions, which is what all systems do;

2. Add login and permission validation at the start of each page by calling a shared validation method; the page numbers passed to it are easily mixed up;

3. Hide (or simply do not generate) the buttons on the page that the user has no permission for;

4. Add permission checks at the function points that respond to requests: the back-end entry points for add, modify, delete and similar functions each get a check.

Of these four steps, 2, 3 and 4 are cumbersome, and it is very easy to get the page or function number wrong (usually code is copied over and the number is not changed). For a B/S system to verify permissions properly and eliminate holes, all four control points are important. Of course, if buttons do not need to be controlled, step 3 can be omitted. Step 4 is sometimes overlooked: for example, when an .ashx (generic handler) page is called to process an operation request and the .ashx code-behind contains no permission (or login) validation, there is a security risk.

Design of the new permission validation model

The purpose of the new model is to remove the cumbersome validation calls in steps 2, 3 and 4 above. Instead, at the single entry or exit point where IIS processes a request, the requested URL is used to decide whether the user has permission, and the request is handled accordingly (terminated, redirected, answered with a prompt, or processed normally).

Searching online shows that this can be implemented with HttpModules. For a detailed introduction to HttpModules, see this blog post: http://www.cnblogs.com/chenlulouis/archive/2009/12/18/1626918.html

Design of the general permission validation component:

1. Use the PreRequestHandlerExecute event of the HttpModule as the authorization control point. In the events before it the session is not yet available, so user information cannot be read; the later the event, the more of the request has already been processed. Permission validation must happen as early as possible, so this event is chosen.

2. Control permission validation through a configuration file. The main items to configure are:

2.1 Basic configuration: database connection string, URL interception rule, login page (to redirect to for login), prompt message (shown when there is no permission), and the session key that marks a logged-in user;

2.2 URL verification configuration: URL parameter concatenation (for some pages the parameters must be joined to the URL and judged as a whole);

2.3 Pages that need verification: limits the scope of validation. Images and JS files certainly do not need to be verified, and what does need verification is usually predictable; it can be configured by file suffix or by path;

2.4 Pages to ignore: within the configured scope, some pages do not need to be verified, such as the login page, the main frame page and the change-password page; these can be configured by file suffix or by path;

2.5 Permission query statement: the SQL statement, and its parameters, that determines from the URL whether the logged-in user has permission;

2.6 Sub-function query statement: the SQL statement, and its parameters, that returns the sub-functions the user has permission for; needed when permissions must be controlled down to the button.

3. Implement loading and parsing of the configuration parameters, and implement authorization control according to the configuration.
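
The design above written as an IHttpModule, added here as an example and not the article's own implementation. The class name, the session key LoginUserId, the connection string name PermDb, the table UserUrlPermission and the page paths are assumptions, held as constants where the design would read them from the configuration file; URL parameter concatenation (2.2) and the sub-function query (2.6) are left out.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Linq;
using System.Web;
// Added example. All names below (module, session key, table, pages) are hypothetical.
public sealed class UrlPermissionModule : IHttpModule
{
    static readonly string[] Checked = { ".aspx", ".ashx" };              // 2.3 pages to verify
    static readonly string[] Ignored = { "~/Login.aspx", "~/Main.aspx" }; // 2.4 exempt pages
    // 2.5 permission query: parameterized, so the URL never becomes SQL text.
    const string PermissionSql =
        "SELECT COUNT(*) FROM UserUrlPermission WHERE UserId = @uid AND Url = @url";

    public void Init(HttpApplication app) { app.PreRequestHandlerExecute += OnPreRequest; }
    public void Dispose() { }

    static void OnPreRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpContext ctx = app.Context;
        var cmp = StringComparer.OrdinalIgnoreCase;
        string path = ctx.Request.AppRelativeCurrentExecutionFilePath;
        if (!Checked.Contains(VirtualPathUtility.GetExtension(path), cmp)) return;
        if (Ignored.Contains(path, cmp)) return;
        // Session is null when the handler (e.g. an .ashx) does not implement
        // IRequiresSessionState: treat that as not logged in (fail closed).
        object uid = ctx.Session == null ? null : ctx.Session["LoginUserId"];
        if (uid == null)
            ctx.Response.Redirect("~/Login.aspx", false);   // jump to the login page
        else if (!HasPermission(uid, path))
            ctx.Response.StatusCode = 403;                   // logged in, no permission
        else
            return;                                          // allowed: handler runs
        app.CompleteRequest();   // skip the page/handler and go straight to EndRequest
    }

    static bool HasPermission(object uid, string url)
    {
        string cs = ConfigurationManager.ConnectionStrings["PermDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(PermissionSql, conn))
        {
            cmd.Parameters.AddWithValue("@uid", uid);
            cmd.Parameters.AddWithValue("@url", url);
            conn.Open();
            return Convert.ToInt32(cmd.ExecuteScalar()) > 0;
        }
    }
}
```

The module takes effect once it is registered in web.config, under httpModules for the IIS classic pipeline or under system.webServer/modules for the integrated pipeline.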

Conclusion

This completes the design of a simple general-purpose ASP.NET permission validation component. The code implementation comes next; I plan to implement the design in C#, mainly so that developing this component deepens my understanding of how IIS works and improves my ability to develop general-purpose functionality.
