Web.config Permission Control

Source: Internet
Author: User

Today I happened to read an article about forms applications, and I am writing it up to share with you.

Speaking of website permissions, I remember that the previous practice was to check permissions on every page, and web.config was rarely used. Today, let's talk about using web.config to control website permissions.

User folder (tentatively named user): the pages in this folder can be accessed only after the user has logged on. Otherwise, the visitor can access only the folder's logon page (user_login.aspx).

Administrator folder (tentatively named admin): by default nobody is allowed into this folder. A logged-on user can access only the administrator logon page (admin_login.aspx); only after logging on there as an administrator can all the pages be accessed.

Root directory: the root directory can be accessed by anyone.

 

The directory structure is as follows:

 

 

 

 

 

Step 1:

Web.config code in the root directory:

<authentication mode="Forms">
    <forms name="usercookies" loginUrl="default.aspx"></forms>
</authentication>
<authorization>
    <allow users="*"/>
</authorization>

 

Step 2:

Global.asax

Add the import directive at the top of the file:

<%@ Import Namespace="System.Security.Principal" %>

void Application_AuthenticateRequest(object sender, EventArgs e)
{
    if (HttpContext.Current.User != null)
    {
        // User is not null once the request carries a valid forms ticket
        if (HttpContext.Current.User.Identity.IsAuthenticated)
        {
            if (HttpContext.Current.User.Identity is FormsIdentity)
            {
                FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity;
                FormsAuthenticationTicket ticket = id.Ticket;

                string userData = ticket.UserData; // retrieve the role data
                string[] roles = userData.Split(',');
                HttpContext.Current.User = new GenericPrincipal(id, roles); // attach the roles to the user
            }
        }
    }
}

 

Step 3:

Admin folder config file

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <appSettings/>
    <connectionStrings/>
    <location path="admin_login.aspx">
        <system.web>
            <authorization>
                <allow roles="user"/>
            </authorization>
        </system.web>
    </location>
    <system.web>
        <authorization>
            <allow roles="admin"/>
            <deny users="*"/>
        </authorization>
    </system.web>
</configuration>

 

admin_login.aspx

The C# code-behind is as follows:

protected void Button_Click(object sender, EventArgs e)
{
    // Demo check on the user name only
    if (tbUserName.Text == "xiaomiao")
    {
        // Create an authentication ticket: version, user name, issue time, expiration time,
        // persistent flag, and user data. The user's roles are stored in the user data.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, tbUserName.Text, DateTime.Now, DateTime.Now.AddMinutes(30), true, "admin");
        string cookieStr = FormsAuthentication.Encrypt(ticket); // encrypt the ticket
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, cookieStr);
        /* Store the ticket in a cookie. The cookie name must match the name value written in
           the forms element of the configuration file. The browser keeps the cookie locally and,
           on the next permission check, sends the cookie with that name back to the server for
           verification. If no such cookie is found, verification fails. */
        cookie.Expires = ticket.Expiration;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        Response.Cookies.Add(cookie);
        Response.Redirect("default.aspx"); // go to default.aspx after successful login
    }
}

 

 

Step 4:

User folder config file

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <appSettings/>
    <connectionStrings/>
    <location path="user_login.aspx">
        <system.web>
            <authorization>
                <allow users="*"/>
            </authorization>
        </system.web>
    </location>
    <system.web>
        <authorization>
            <allow roles="user, admin"/>
            <deny users="*"/>
        </authorization>
    </system.web>
</configuration>

 

user_login.aspx

The C# code-behind is as follows:

protected void Page_Load(object sender, EventArgs e)
{
    // Check whether the user has already logged on with the role "user"
    if (User.Identity.IsAuthenticated && User.IsInRole("user"))
    {
        // If so, go straight to default.aspx
        Response.Redirect("default.aspx");
    }
}

protected void Button_Click(object sender, EventArgs e)
{
    // Demo check on the user name only
    if (tbUserName.Text == "xiaomiao")
    {
        // Create an authentication ticket: version, user name, issue time, expiration time,
        // persistent flag, and user data. The user's roles are stored in the user data.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, tbUserName.Text, DateTime.Now, DateTime.Now.AddMinutes(30), true, "user");
        string cookieStr = FormsAuthentication.Encrypt(ticket); // encrypt the ticket
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, cookieStr);
        /* Store the ticket in a cookie. The cookie name must match the name value written in
           the forms element of the configuration file. The browser keeps the cookie locally and,
           on the next permission check, sends the cookie with that name back to the server for
           verification. If no such cookie is found, verification fails. */
        cookie.Expires = ticket.Expiration;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        Response.Cookies.Add(cookie);
        Response.Redirect("default.aspx"); // go to default.aspx after successful login
    }
}
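How the rules from the four steps combine, as an added example that is not part of the original article: a simplified C# console model of first-match URL authorization, with the folder rules listed most specific first and the root rule last. The Rule class and the helper names are hypothetical, not ASP.NET types, and the last principal is constructed to show that a role with stray whitespace in the ticket's user data matches no rule, because Split(',') does not trim.

```csharp
using System;
using System.Linq;
using System.Security.Principal;

// Constructed model of first-match URL authorization (not ASP.NET's own classes).
class Rule
{
    public bool Allow; public string[] Users = new string[0]; public string[] Roles = new string[0];
    public bool Matches(IPrincipal p)
    {
        bool anon = !p.Identity.IsAuthenticated;   // "*" = everyone, "?" = anonymous
        return Users.Any(u => u == "*" || (u == "?" && anon) ||
                (!anon && string.Equals(u, p.Identity.Name, StringComparison.OrdinalIgnoreCase)))
            || Roles.Any(p.IsInRole);
    }
}

static class AuthzDemo
{
    static string[] Csv(string s) => s.Split(',').Select(x => x.Trim()).Where(x => x != "").ToArray();
    static Rule AllowUsers(string u) => new Rule { Allow = true, Users = Csv(u) };
    static Rule AllowRoles(string r) => new Rule { Allow = true, Roles = Csv(r) };
    static Rule DenyUsers(string u) => new Rule { Allow = false, Users = Csv(u) };

    // Rules are listed most specific first; the first rule that matches decides.
    static bool IsAllowed(IPrincipal p, params Rule[] merged) =>
        merged.FirstOrDefault(r => r.Matches(p))?.Allow ?? true;

    static IPrincipal Login(string name, string userData) =>   // mirrors Application_AuthenticateRequest
        new GenericPrincipal(new GenericIdentity(name), userData.Split(','));

    static void Main()
    {
        var who = new (string Label, IPrincipal P)[] {
            ("anonymous", new GenericPrincipal(new GenericIdentity(""), new string[0])),
            ("role user", Login("xiaomiao", "user")),
            ("role admin", Login("xiaomiao", "admin")),
            ("role 'admin ' (untrimmed)", Login("xiaomiao", "admin ")) };
        var urls = new (string Url, Rule[] Rules)[] {
            ("/default.aspx", new[] { AllowUsers("*") }),
            ("/user/user_login.aspx", new[] { AllowUsers("*"), AllowRoles("user, admin"), DenyUsers("*"), AllowUsers("*") }),
            ("/user/(other pages)", new[] { AllowRoles("user, admin"), DenyUsers("*"), AllowUsers("*") }),
            ("/admin/admin_login.aspx", new[] { AllowRoles("user"), AllowRoles("admin"), DenyUsers("*"), AllowUsers("*") }),
            ("/admin/(other pages)", new[] { AllowRoles("admin"), DenyUsers("*"), AllowUsers("*") }) };
        foreach (var u in urls)
            foreach (var w in who)
                Console.WriteLine($"{u.Url,-26} {w.Label,-26} {(IsAllowed(w.P, u.Rules) ? "allow" : "deny")}");
    }
}
```

The printed matrix matches the folder descriptions at the top of the article: anonymous visitors reach only the root and user_login.aspx, the user role additionally reaches the user folder and admin_login.aspx, and only the admin role reaches the remaining admin pages.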
