Some summary of permission authentication for ASP.

Source: Internet
Author: User

I have recently been learning about permissions in ASP.NET MVC. After searching the internet for a while, I found that the methods described online mostly fall into the following categories:

One, FormsAuthentication.SetAuthCookie(admin.Name, false) or FormsAuthenticationTicket

Feeling: I feel that the FormsAuthentication.SetAuthCookie approach is heavy when it comes to checking whether a user is logged in. Wherever permissions need to be checked, you call this.User.Identity.IsAuthenticated to check whether the user is authorized, and you do this every time permissions need checking. This kind of check is very applicable to ASP pages, but it is also very cumbersome, and it has to be used together with Web.config. When the video I watched online got to this part, it seemed very troublesome to me, and then the presenter said that the [Authorize] attribute can replace the troublesome way of writing it, so I tried that as well.

Strangely, when I added the [Authorize] attribute directly, I was filtered out even when I was logged in, and sent back to the Account/Login.aspx page. This is the part I was last to understand, because according to my Web.config configuration a failure should have gone back to the Home/Index.aspx page. Then I remembered that MVC5 comes with Microsoft's own login page, and that LoginPath = new PathString("/Account/Login") is specified in the Startup.Auth.cs file in the App_Start folder. So I changed it to my own page, LoginPath = new PathString("/Home/Index"). Although the verification still did not pass, the redirect now went back to my own page.

I wondered: does the setting in Startup.Auth.cs take precedence over the settings in the Web.config file? I deliberately set the authentication redirect in Web.config to be inconsistent with the redirect address in the Startup.Auth.cs file, but when I ran the program I found that when the permission check failed, it still followed the configuration in Startup.Auth.cs. I then looked at the Web.config file carefully and discovered:

<system.webServer>
  <modules>
    <remove name="FormsAuthentication" />
    <remove name="ApplicationInsightsWebTracking" />
    <add name="ApplicationInsightsWebTracking" type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web" preCondition="managedHandler" />
  </modules>
  <validation validateIntegratedModeConfiguration="false" />
</system.webServer>

So, does this mean that forms authentication has been removed in the configuration file? I deleted that line and tried again, and found that the program now followed the redirect configured in the Web.config file.

With the redirect-on-failure problem solved, I put the [Authorize] attribute directly on the method and ran the program. I found that even though I was already logged in and should have been able to execute the method, I was still sent back to the login page. I looked carefully at the [Authorize] attribute and discovered that it also checks the cookie information and needs it to have a value before validation passes. Use FormsAuthentication.SetAuthCookie(admin.Name, false) or FormsAuthenticationTicket to save the cookie. Then, following the source code from the video, I also had to add this to Web.config:

<system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/account/login" timeout="1" />
  </authentication>
  <authorization>
    <allow users="*" />
  </authorization>
</system.web>

As for why, I will study that later.

It is said online that FormsAuthenticationTicket can verify role permissions. I read a few posts that describe this in more detail, and I will find an opportunity to use it.

http://www.cnblogs.com/zhwl/archive/2011/02/23/1961924.html

http://www.cnblogs.com/colder/p/4544031.html

Second, override the OnAuthorization and OnAuthorizeCore methods inherited from the AuthorizeAttribute class

Third, override OnAuthorizeCore and its corresponding HandleUnauthorizedRequest method

Feeling: At first I felt that permissions could simply be verified directly in OnAuthorization, so why use OnAuthorizeCore to verify them? After studying it, I sensed that the two do have a division of labor: when the OnAuthorization method runs, executing base.OnAuthorization(filterContext) calls OnAuthorizeCore. So I roughly understand it this way: OnAuthorizeCore is used to verify role permissions, and OnAuthorization handles the authorization logic, such as what to do when validation passes and what to do when it does not. But there is another claim, that the HandleUnauthorizedRequest method is the one that handles the case where the permission check in OnAuthorizeCore does not pass. So which is it exactly? Allow me to study it carefully again!

http://www.cnblogs.com/wangjq/archive/2011/03/08/1977092.html

http://www.cnblogs.com/jyan/archive/2012/07/24/2606646.html

http://www.cnblogs.com/yushuo/p/4538031.html
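
The division of labor discussed above, as an added example that is not code from the original post or from the linked articles. In System.Web.Mvc.AuthorizeAttribute the overridable decision method is named AuthorizeCore (the text above refers to it as OnAuthorizeCore); base.OnAuthorization calls it and, when it returns false, calls HandleUnauthorizedRequest. PermissionAuthorizeAttribute, the "perm:" role prefix and ReportsController are hypothetical names.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public class PermissionAuthorizeAttribute : AuthorizeAttribute
{
    // Hypothetical property: the permission an action requires.
    public string Permission { get; set; }

    // Decision only: invoked by base.OnAuthorization(); returns true or false.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        // The base check enforces IsAuthenticated plus any Users/Roles set on the attribute.
        if (!base.AuthorizeCore(httpContext)) return false;

        // Assumption: permissions are exposed to the principal as roles named "perm:<name>".
        return string.IsNullOrEmpty(Permission)
            || httpContext.User.IsInRole("perm:" + Permission);
    }

    // Response only: invoked by base.OnAuthorization() when AuthorizeCore returned false.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            // Logged in but not permitted: answer 403 instead of redirecting to the
            // login page, which would otherwise loop for an already authenticated user.
            filterContext.Result = new HttpStatusCodeResult(403, "Forbidden");
        }
        else
        {
            // Anonymous: keep the default 401, which forms authentication
            // turns into a redirect to loginUrl.
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}

public class ReportsController : Controller
{
    [PermissionAuthorize(Permission = "reports.read")]
    public ActionResult Index() { return Content("report list"); }
}
```

OnAuthorization is deliberately not overridden here, so the base class keeps handling [AllowAnonymous] and output-cache validation.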

Postscript: I also stumbled through the second and third methods. I will find time to verify them personally and research them further. After all, what is learned on paper always feels shallow; to truly understand a thing, you have to practice it yourself!
