http://blog.csdn.net/andyhooo/archive/2007/04/29/1591890.aspx
http://topic.csdn.net/t/20050417/19/3944040.html
http://www.cnblogs.com/fanrsh/archive/2006/05/24/408136.html
页面请求过程:
根据这个流程,网上一般的权限验证在:
Http.Module.AuthorizeRequest
Http.Module.PreRequestHandlerExecute
例如使用前者:
using
System;
using System.Web;
using System.Security.Principal;
namespace MyModules
{
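public class CustomModule : IHttpModule
{
    /// <summary>
    /// HTTP module that authenticates every request from a "userid"/"password"
    /// pair carried by the request and attaches a <see cref="GenericPrincipal"/>
    /// holding the caller's roles to the current <see cref="HttpContext"/>.
    /// </summary>
    public CustomModule() { }

    /// <summary>Nothing to release: the module owns no resources.</summary>
    public void Dispose() { }

    /// <summary>
    /// Subscribes <see cref="AuthenticateRequest"/> to the AuthenticateRequest
    /// pipeline event so it runs once per request.
    /// </summary>
    /// <param name="app">The application whose pipeline events are hooked.</param>
    public void Init(HttpApplication app)
    {
        // Set up the security module (建立安全模块).
        app.AuthenticateRequest += new EventHandler(this.AuthenticateRequest);
    }

    /// <summary>
    /// Reads the credentials from the request, resolves the user's roles and,
    /// only on success, installs an authenticated principal on the context.
    /// </summary>
    /// <param name="o">The <see cref="HttpApplication"/> raising the event.</param>
    /// <param name="e">Unused event data.</param>
    private void AuthenticateRequest(object o, EventArgs e)
    {
        HttpApplication app = (HttpApplication)o;
        HttpContext context = app.Context;

        // Request[...] searches query string, form, cookies and server variables,
        // so the password may arrive in the URL and end up in server or proxy
        // logs. Limiting the lookup to Request.Form would avoid that; the
        // sample's contract (any source) is kept here.
        string userid = app.Request[" userid "];
        string password = app.Request[" password "];
        if (userid == null || password == null)
        {
            context.Response.Write(" 未提供必需的参数!! ");
            context.Response.End();
            return; // Response.End aborts the request; the return keeps the intent explicit.
        }

        string[] roles = AuthenticateAndGetRoles(userid, password);
        if (roles == null || roles.Length == 0)
        {
            context.Response.Write(" 未找到相配的角色!! ");
            app.CompleteRequest();
            // CompleteRequest only short-circuits the later pipeline stages; it
            // does not stop this method. The original fell through and still
            // attached an authenticated GenericIdentity for the failed login,
            // so return here and leave Context.User untouched.
            return;
        }

        GenericIdentity identity = new GenericIdentity(userid, " CustomAuthentication ");
        context.User = new GenericPrincipal(identity, roles);
    }

    /// <summary>
    /// Looks the credentials up in the demo credential table.
    /// </summary>
    /// <param name="r_strUserID">User name supplied by the request.</param>
    /// <param name="r_strPassword">Password supplied by the request.</param>
    /// <returns>The user's roles, or <c>null</c> when the credentials do not match.</returns>
    private string[] AuthenticateAndGetRoles(string r_strUserID, string r_strPassword)
    {
        // Demo only: credentials are hard-coded in source and compared as plain
        // text. A real module would look the user up in a store and verify a
        // salted password hash. Ordinal comparison avoids culture-dependent
        // matching on identifiers and secrets.
        if (string.Equals(r_strUserID, " Steve ", StringComparison.Ordinal)
            && string.Equals(r_strPassword, " 15seconds ", StringComparison.Ordinal))
        {
            return new string[] { " Administrator " };
        }

        if (string.Equals(r_strUserID, " Mansoor ", StringComparison.Ordinal)
            && string.Equals(r_strPassword, " mas ", StringComparison.Ordinal))
        {
            return new string[] { " User " };
        }

        return null;
    }
}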
}
using System.Web;
using System.Security.Principal;
namespace MyModules
{
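public class CustomModule : IHttpModule
{
    /// <summary>
    /// HTTP module that authenticates every request from a "userid"/"password"
    /// pair carried by the request and attaches a <see cref="GenericPrincipal"/>
    /// holding the caller's roles to the current <see cref="HttpContext"/>.
    /// </summary>
    public CustomModule() { }

    /// <summary>Nothing to release: the module owns no resources.</summary>
    public void Dispose() { }

    /// <summary>
    /// Subscribes <see cref="AuthenticateRequest"/> to the AuthenticateRequest
    /// pipeline event so it runs once per request.
    /// </summary>
    /// <param name="app">The application whose pipeline events are hooked.</param>
    public void Init(HttpApplication app)
    {
        // Set up the security module (建立安全模块).
        app.AuthenticateRequest += new EventHandler(this.AuthenticateRequest);
    }

    /// <summary>
    /// Reads the credentials from the request, resolves the user's roles and,
    /// only on success, installs an authenticated principal on the context.
    /// </summary>
    /// <param name="o">The <see cref="HttpApplication"/> raising the event.</param>
    /// <param name="e">Unused event data.</param>
    private void AuthenticateRequest(object o, EventArgs e)
    {
        HttpApplication app = (HttpApplication)o;
        HttpContext context = app.Context;

        // Request[...] searches query string, form, cookies and server variables,
        // so the password may arrive in the URL and end up in server or proxy
        // logs. Limiting the lookup to Request.Form would avoid that; the
        // sample's contract (any source) is kept here.
        string userid = app.Request[" userid "];
        string password = app.Request[" password "];
        if (userid == null || password == null)
        {
            context.Response.Write(" 未提供必需的参数!! ");
            context.Response.End();
            return; // Response.End aborts the request; the return keeps the intent explicit.
        }

        string[] roles = AuthenticateAndGetRoles(userid, password);
        if (roles == null || roles.Length == 0)
        {
            context.Response.Write(" 未找到相配的角色!! ");
            app.CompleteRequest();
            // CompleteRequest only short-circuits the later pipeline stages; it
            // does not stop this method. The original fell through and still
            // attached an authenticated GenericIdentity for the failed login,
            // so return here and leave Context.User untouched.
            return;
        }

        GenericIdentity identity = new GenericIdentity(userid, " CustomAuthentication ");
        context.User = new GenericPrincipal(identity, roles);
    }

    /// <summary>
    /// Looks the credentials up in the demo credential table.
    /// </summary>
    /// <param name="r_strUserID">User name supplied by the request.</param>
    /// <param name="r_strPassword">Password supplied by the request.</param>
    /// <returns>The user's roles, or <c>null</c> when the credentials do not match.</returns>
    private string[] AuthenticateAndGetRoles(string r_strUserID, string r_strPassword)
    {
        // Demo only: credentials are hard-coded in source and compared as plain
        // text. A real module would look the user up in a store and verify a
        // salted password hash. Ordinal comparison avoids culture-dependent
        // matching on identifiers and secrets.
        if (string.Equals(r_strUserID, " Steve ", StringComparison.Ordinal)
            && string.Equals(r_strPassword, " 15seconds ", StringComparison.Ordinal))
        {
            return new string[] { " Administrator " };
        }

        if (string.Equals(r_strUserID, " Mansoor ", StringComparison.Ordinal)
            && string.Equals(r_strPassword, " mas ", StringComparison.Ordinal))
        {
            return new string[] { " User " };
        }

        return null;
    }
}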
}
编辑Web.config文件:
<system.web>
  <httpModules>
    <add name="Custom" type="MyModules.CustomModule,Custom" />
  </httpModules>
</system.web>
<system.web>
  <httpModules>
    <add name="Custom" type="MyModules.CustomModule,Custom" />
  </httpModules>
</system.web>
Custom.aspx页面内容:
<script language="c#" runat="server">
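public void page_load(Object obj, EventArgs e)
{
    // Greets the current principal and reports which of the two demo roles it
    // holds. Identity.Name originates from the request's userid parameter (the
    // accompanying module builds the GenericIdentity from it), so it is
    // HTML-encoded before being placed inside markup; otherwise a crafted name
    // would be rendered as tags or script in the page.
    lblMessage.Text = " <H1>Hi, " + Server.HtmlEncode(User.Identity.Name) + " </H1> ";

    if (User.IsInRole(" Administrator "))
    {
        lblRole.Text = " <H1>You are an Administrator</H1> ";
    }
    else if (User.IsInRole(" User "))
    {
        lblRole.Text = " <H1>You are a normal user</H1> ";
    }
    // Any other principal leaves lblRole empty, as before.
}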
</script>
<form runat="server">
  <asp:Label id="lblMessage" forecolor="red" font-size="10pt" runat="server" />
  <asp:Label id="lblRole" forecolor="red" font-size="10pt" runat="server" />
</form>
<script language="c#" runat="server">
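public void page_load(Object obj, EventArgs e)
{
    // Greets the current principal and reports which of the two demo roles it
    // holds. Identity.Name originates from the request's userid parameter (the
    // accompanying module builds the GenericIdentity from it), so it is
    // HTML-encoded before being placed inside markup; otherwise a crafted name
    // would be rendered as tags or script in the page.
    lblMessage.Text = " <H1>Hi, " + Server.HtmlEncode(User.Identity.Name) + " </H1> ";

    if (User.IsInRole(" Administrator "))
    {
        lblRole.Text = " <H1>You are an Administrator</H1> ";
    }
    else if (User.IsInRole(" User "))
    {
        lblRole.Text = " <H1>You are a normal user</H1> ";
    }
    // Any other principal leaves lblRole empty, as before.
}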
</script>
<form runat="server">
  <asp:Label id="lblMessage" forecolor="red" font-size="10pt" runat="server" />
  <asp:Label id="lblRole" forecolor="red" font-size="10pt" runat="server" />
</form>
或者使用后者:
using
System;
using System.Web;
namespace MyModule
{
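public class MyModule : IHttpModule
{
    /// <summary>
    /// Authorization module: once session state is available, checks whether the
    /// user stored in the session may access the module that owns the requested
    /// path, and transfers to an error page otherwise.
    /// </summary>
    /// <param name="application">The application whose pipeline events are hooked.</param>
    public void Init(HttpApplication application)
    {
        // NOTE(review): handlers on AcquireRequestState run in module registration
        // order, so this relies on the session-state module having run first;
        // PostAcquireRequestState would guarantee the session is already populated.
        application.AcquireRequestState += new EventHandler(this.Application_AcquireRequestState);
    }

    /// <summary>
    /// Denies the request (by transferring to the error page) unless the session
    /// user has the right to the module resolved from the requested path.
    /// </summary>
    /// <param name="source">The <see cref="HttpApplication"/> raising the event.</param>
    /// <param name="e">Unused event data.</param>
    private void Application_AcquireRequestState(Object source, EventArgs e)
    {
        HttpApplication application = (HttpApplication)source;
        HttpContext context = application.Context;

        // Fetch the user from session (获取User). Session[...] returns object, so a
        // cast is needed; the original's "Sesseion" was a typo for Session. The
        // value is null for a visitor who never signed in. "as" assumes User is a
        // class — confirm against its declaration.
        User user = context.Session[" User "] as User;

        // The page the client is requesting (获取客户访问的页面).
        string url = context.Request.Path;

        // Author's placeholder: derive the module from url (根据url得到所在的模块).
        Module module = xx;

        // Fail closed: an anonymous visitor (no session user) is denied outright
        // instead of passing a null user to RightChecker.
        if (user == null || !RightChecker.HasRight(user, module))
        {
            // No permission: route to the error-handling page (如果没有权限,引导到错误处理的页面).
            // Server.Transfer ends the current response, so nothing runs after it.
            context.Server.Transfer(" ErrorPage.aspx ");
        }
    }

    /// <summary>Nothing to release: the module owns no resources.</summary>
    public void Dispose()
    {
    }
}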
}
using System.Web;
namespace MyModule
{
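public class MyModule : IHttpModule
{
    /// <summary>
    /// Authorization module: once session state is available, checks whether the
    /// user stored in the session may access the module that owns the requested
    /// path, and transfers to an error page otherwise.
    /// </summary>
    /// <param name="application">The application whose pipeline events are hooked.</param>
    public void Init(HttpApplication application)
    {
        // NOTE(review): handlers on AcquireRequestState run in module registration
        // order, so this relies on the session-state module having run first;
        // PostAcquireRequestState would guarantee the session is already populated.
        application.AcquireRequestState += new EventHandler(this.Application_AcquireRequestState);
    }

    /// <summary>
    /// Denies the request (by transferring to the error page) unless the session
    /// user has the right to the module resolved from the requested path.
    /// </summary>
    /// <param name="source">The <see cref="HttpApplication"/> raising the event.</param>
    /// <param name="e">Unused event data.</param>
    private void Application_AcquireRequestState(Object source, EventArgs e)
    {
        HttpApplication application = (HttpApplication)source;
        HttpContext context = application.Context;

        // Fetch the user from session (获取User). Session[...] returns object, so a
        // cast is needed; the original's "Sesseion" was a typo for Session. The
        // value is null for a visitor who never signed in. "as" assumes User is a
        // class — confirm against its declaration.
        User user = context.Session[" User "] as User;

        // The page the client is requesting (获取客户访问的页面).
        string url = context.Request.Path;

        // Author's placeholder: derive the module from url (根据url得到所在的模块).
        Module module = xx;

        // Fail closed: an anonymous visitor (no session user) is denied outright
        // instead of passing a null user to RightChecker.
        if (user == null || !RightChecker.HasRight(user, module))
        {
            // No permission: route to the error-handling page (如果没有权限,引导到错误处理的页面).
            // Server.Transfer ends the current response, so nothing runs after it.
            context.Server.Transfer(" ErrorPage.aspx ");
        }
    }

    /// <summary>Nothing to release: the module owns no resources.</summary>
    public void Dispose()
    {
    }
}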
}