The development of user rights in ASP system

Source: Internet
Author: User

When discussing access control in ASP.NET systems, the basic idea of RBAC must be mentioned. RBAC stands for Role Based Access Control, and it is often used in the design of e-commerce sites.

E-commerce systems have high security requirements, and the traditional access control methods DAC (Discretionary Access Control) and MAC (Mandatory Access Control) find it difficult to meet the needs of complex enterprise environments. As a result, NIST (the National Institute of Standards and Technology) introduced a role-based access control approach in the early 1990s. It logically separates users from access rights and better matches the characteristics of enterprise users, organizations, data, and applications. ASP.NET is the new generation of ASP (Active Server Pages) scripting technology introduced by Microsoft to compete with JSP; it draws on the advantages of JSP and also has features of its own.

This paper first introduces the basics of ASP.NET and the basic idea of RBAC (Role Based Access Control), and on this basis gives a concrete method for implementing user rights control in an e-commerce system.

ASP.NET Overview

1. ASP.NET

ASP.NET is the latest version of Microsoft's popular dynamic Web programming technology, Active Server Pages (ASP), but it is far more than a simple upgrade of traditional ASP. The biggest difference between ASP.NET and ASP is a change in programming mindset: ASP.NET is truly object-oriented, not just a set of enhanced functions.

In ASP.NET, Web Forms pages consist of two parts: the visual elements (HTML, server controls, and static text) and the programming logic of the page. Each part is stored in a separate file. The visual elements are created in a file with the .aspx extension, and the code lives in a separate class file, called the code-behind class file, with the extension .aspx.vb or .aspx.cs. In this way, the .aspx file holds all the elements you want to display, and the .aspx.vb or .aspx.cs file holds the logic.

2. User Control (UserControl)

To let developers easily define their own controls, ASP.NET introduces the concept of Web Forms user controls. In fact, with slight modifications to an .aspx file you can convert it into a Web user control with the extension .ascx; like an .aspx file, it has a code-behind class file holding its logic, with the extension .ascx.vb or .ascx.cs. The only difference is that a user control cannot run as a standalone Web Forms page: it works only when it is included in an .aspx file.

Use the following two steps to set up a user control in a Web Forms page:

(1) Use the @ Register directive to register the user control in the .aspx file. For example, to register the header file Headinner.ascx located at the relative path ./usercontrol/, the method is:

<%@ Register tagprefix="Acme" tagname="Head" src="./usercontrol/headinner.ascx" %>

(2) Declare the user control element between the opening and closing tags of the server-side form control (the form element marked runat="server"). For example, the control registered above is declared using the tag prefix and tag name from the Register directive, that is, as the element Acme:Head with the runat="server" attribute.

In that way, the control becomes part of the page and is rendered when the page is processed. The control's public properties, events, and methods are also exposed to the Web Forms page and can be used programmatically. Based on this principle, the actions to be performed when each page is initialized (such as login verification and role validation) are encapsulated in the user control.

The basic idea of RBAC

The basic idea of RBAC (Role Based Access Control) can be represented simply by a figure: the whole access control process is divided into two steps. Access rights are associated with roles, and roles are associated with users, which achieves the logical separation between users and access rights.

Because RBAC achieves the logical separation between users and access rights, it greatly simplifies rights management. For example, if a user's position changes, it is enough to remove the user's current role and add the role that represents the new job or task. The role/permission relationship changes much more slowly than the role/user relationship. Assigning users to roles requires little technical knowledge and can be performed by administrative staff, whereas configuring permissions for roles is complex and requires some technical skill, so it can be undertaken by specialized technical personnel who are not given the right to assign users. This matches how organizations actually work.

Design and implementation of user rights in .NET

The basic idea of implementing permission control with .NET user controls is: following the basic principle of role-based access control (RBAC), assign roles to users, with each role corresponding to a set of permissions, and then use a user control (UserControl) in ASP.NET to determine whether the user's role has the right to access the page.

The specific implementation process is illustrated from three aspects: the design of the database, adding roles, and the use of user controls.

1. Design of the tables in the database

First, three tables are designed in the database: the function module table, the function table, and the role table.

(1) Function Module table

To manage user rights, the system's modules must first be organized, and a function module table is designed for this purpose.

Its design is shown in the table below.

Each function module has sub-functions, called functions. For example, the commodity management module goods (which belongs to the function module category) contains five functions: commodity information query, commodity information update, commodity information deletion, commodity pricing information query, and commodity pricing information update. The design of the function table is shown in Table 2.

The above example can be entered as a few records into the function module table and the function table.

The key to the design of the role table is the definition of the role value, which is a binary-like string consisting of 0s and 1s. The FUNCNO (function number) field in the function table gives the position of the function within the Rolevalue (role value) field of the role table: if the digit at that position is 0, the role does not have this permission; if it is 1, the role has this permission. Suppose the role value of the ordinary member role is 100100...00 (100 digits in total). As shown above, the function number of commodity information query is 0, and digit 0 of the role value 100100...00 is 1, so the ordinary member role has the commodity information query function. Conversely, digit 1 of the role value is 0, and function number 1 is commodity information update, so the ordinary member role does not have permission to update commodity information. See the figure:

2. Adding roles

When inserting a new role such as ordinary member into the database, first set all digits of the role value to 0, and then use the Replace function in the .NET Framework class library to change the digit at the function number position in the role value to 1.

For example, a new role named general member has two functions: commodity information query (function number 0) and commodity pricing information query (function number 3). Its role value should therefore be 1001000...00 (100 digits), that is, digits 0 and 3 of the role value are 1 and the rest are 0.

3. Using user controls to implement access rights

Once you have defined the user control's .ascx file (Head.ascx) and .ascx.cs file (Head.ascx.cs), you can simply register and declare it in the .aspx file.

(1) Registration

<%@ Register tagprefix="Acme" tagname="Head" src="./usercontrol/headinner.ascx" %>

(2) Declaration

In practice, declaring an .ascx file in an .aspx file falls into several cases, distinguished by the flag and funcname attributes of the control.

First case: flag is empty.

Second case: flag is "0".

Third case: flag is "1".

The flag attribute controls how permissions are checked, and funcname refers to the English name of the function in the function table. If flag is empty, no permission check is performed (the first case). Otherwise, if flag=="0", only a user who has both the selectgoods (commodity information query) and updategoods (commodity information update) permissions has the right to view the page (the second case). Otherwise, if flag=="1", a user who has either the selectgoods (commodity information query) or the updategoods (commodity information update) permission has the right to view the page (the third case).

The permission checking procedure described above is implemented entirely by the user control, and all of its methods are encapsulated in the .ascx.cs file. The most important of them is the CheckAuth(string roleid, string funcname) method, which checks whether a role has a certain permission. See the figure:

In the figure, digit 0 of rolevalue (the role value), which is the function number of selectgoods, is 1, indicating that the role has the selectgoods (commodity information query) permission. In this way, all the permission checking logic is encapsulated in the user control, so for the Web Forms page's .aspx file you only need to specify what permissions the user should have when you import the .ascx file, without any changes to the .aspx.cs file.
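As an added example (not code from the original article), the following C# sketches how the role value from section 2 is built and how a CheckAuth-style test together with the flag/funcname rule above can be implemented. The class name RoleAuth, the function-name table, the comma-separated funcname list and the 100-digit length are assumptions; the page's CheckAuth takes a roleid and reads the role value from the database, whereas this version takes the role value string directly.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical stand-in for the checks in Head.ascx.cs; names are assumed, not the page's code.
public static class RoleAuth
{
    const int RoleValueLength = 100;   // the page uses a 100-digit role value
    // Constructed stand-in for the function table: funcname -> FUNCNO (position in the role value).
    static readonly Dictionary<string, int> FuncNo = new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase)
    {
        { "selectgoods", 0 }, { "updategoods", 1 }, { "deletegoods", 2 }, { "selectprice", 3 }, { "updateprice", 4 }
    };
    // Adding a role: start from all 0s, then set the digit at each granted FUNCNO to 1.
    public static string BuildRoleValue(params string[] grantedFuncs)
    {
        char[] digits = new string('0', RoleValueLength).ToCharArray();
        foreach (string f in grantedFuncs)
            digits[FuncNo[f]] = '1';
        return new string(digits);
    }
    // CheckAuth: the role holds the permission only if the digit at the function's FUNCNO is '1'.
    // An unknown function name or a position beyond the role value is denied, not ignored.
    public static bool CheckAuth(string roleValue, string funcName)
    {
        int pos;
        if (roleValue == null || funcName == null || !FuncNo.TryGetValue(funcName.Trim(), out pos))
            return false;
        return pos < roleValue.Length && roleValue[pos] == '1';
    }
    // The flag rule from the page: "" = no check, "0" = all listed functions needed, "1" = any one suffices.
    // funcname is assumed to list several functions separated by commas.
    public static bool CanViewPage(string roleValue, string flag, string funcName)
    {
        if (string.IsNullOrEmpty(flag)) return true;
        string[] names = (funcName ?? "").Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        if (names.Length == 0) return false;   // a check that names no function denies
        if (flag == "0") return names.All(n => CheckAuth(roleValue, n));
        if (flag == "1") return names.Any(n => CheckAuth(roleValue, n));
        return false;                          // any other flag value denies
    }
    public static void Main()
    {
        string member = BuildRoleValue("selectgoods", "selectprice");   // the page's 1001000...00
        Console.WriteLine(member.Substring(0, 8));
        Console.WriteLine(CanViewPage(member, "0", "selectgoods,updategoods"));
        Console.WriteLine(CanViewPage(member, "1", "selectgoods,updategoods"));
    }
}
```

Running Main shows that the general member role passes the flag "1" (either permission) check but fails the flag "0" (both permissions) check, because it lacks updategoods.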

That concludes the introduction.

