举例说明,要保护admin/admin.aspx页面只能被具有Admin角色的用户访问
一、web.config的配置
1、authentication节的配置
<!-- Forms authentication: unauthenticated requests to a protected page are redirected to login.aspx.
     protection="All" both encrypts and signs the ticket cookie, which is what allows
     Application_AuthenticateRequest (section three) to trust the role list stored in the ticket.
     timeout="20" is in minutes and should match the expiry passed to the ticket in login.aspx.
     NOTE(review): the <forms> element also accepts requireSSL="true", which makes the ticket
     cookie HTTPS-only; consider it when the site is served over TLS. -->
<authentication mode="Forms">
<forms name="cookieName" loginUrl="login.aspx" protection="All" timeout="20" path="/">
</forms>
</authentication>
2、location节的配置
<!-- Per-page authorization for the admin page: rules are evaluated in order and the first
     match wins, so the allow for the Admin role must come before the deny for everyone ("*").
     NOTE: the path must name the page actually being protected; the introduction above
     refers to admin/admin.aspx while this example uses User/Admin.aspx. -->
<location path="User/Admin.aspx">
<system.web>
<authorization>
<allow roles="Admin" />
<deny users="*" />
</authorization>
</system.web>
</location>
注意:location节的定义要在system.web的定义之外
二、login.aspx
假设页面上有一个按钮ButtonLogin,则相应的事件处理程序为:
using System.Web.Security;
.............
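/// <summary>
/// Handles the login button click: verifies the submitted credentials, issues an
/// encrypted forms-authentication ticket that carries the user's roles in UserData,
/// and redirects to the page the user originally requested.
/// </summary>
/// <param name="sender">The button that raised the event.</param>
/// <param name="e">Event data (unused).</param>
private void ButtonLogin_Click(object sender, System.EventArgs e)
{
    // Custom function: query the database and check whether user name and password are correct.
    bool isLoggedIn = (自定义的函数,查询数据库,判断用户名、密码是否正确);
    if (!isLoggedIn)
    {
        // Wrong credentials: stay on the login page (see section four for the drawbacks of this).
        return;
    }

    // Custom function: fetch the user's role list from the database, "|"-separated.
    string roles = (自定义的函数,从数据库中检索用户角色列表,以"|"分隔);
    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
        1,                           // ticket version
        "用户名称",                   // user name
        DateTime.Now,                // issue time
        DateTime.Now.AddMinutes(20), // ticket expiry; keep in step with <forms timeout="20">
        false,                       // not persistent: session cookie only
        roles);                      // UserData: read back in Application_AuthenticateRequest
    string encryptedTicket = FormsAuthentication.Encrypt(ticket);
    HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);

    // Keep the ticket out of reach of client-side script, and send it only over HTTPS
    // when the application is configured to require SSL (both need .NET 2.0 or later).
    cookie.HttpOnly = true;
    cookie.Secure = FormsAuthentication.RequireSSL;
    Response.Cookies.Add(cookie);

    // GetRedirectUrl resolves the ReturnUrl query parameter (or the default URL when absent).
    Response.Redirect(FormsAuthentication.GetRedirectUrl("用户名称", false));
}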
三、global.asax
using System.Security.Principal;
.......
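/// <summary>
/// Rebuilds the current principal from the forms-authentication cookie on every request,
/// so that role-based authorization rules (e.g. allow roles="Admin") see the roles stored
/// in the ticket's UserData. A request without a valid, unexpired ticket stays anonymous.
/// </summary>
/// <param name="sender">The application object raising the event.</param>
/// <param name="e">Event data (unused).</param>
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    HttpCookie cookie = Context.Request.Cookies[FormsAuthentication.FormsCookieName];
    if (cookie == null)
    {
        return; // no ticket cookie: anonymous request
    }

    FormsAuthenticationTicket ticket = null;
    try
    {
        // Throws on a tampered or foreign cookie (protection="All" validates before decrypting).
        ticket = FormsAuthentication.Decrypt(cookie.Value);
    }
    catch
    {
        return; // undecryptable cookie: treat the request as anonymous rather than failing it
    }

    if (ticket == null || ticket.Expired)
    {
        // Decrypt alone does not reject a ticket whose expiry has passed; without this
        // check an old cookie would keep granting its roles beyond the configured timeout.
        return;
    }

    // Roles were stored "|"-separated in UserData by the login page.
    string[] roles = ticket.UserData.Split(new char[] { '|' });
    FormsIdentity id = new FormsIdentity(ticket);
    Context.User = new GenericPrincipal(id, roles);
}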
四、本方法的缺陷和不足
1、如果用户没有权限,则停留在登录页面要求用户再次输入用户名和密码;
2、客户端浏览器必须启用cookie,否则本方法不起作用;