我正在为我的管理页面进行身份验证。我跟踪了各个网站的示例,但每次我尝试访问产品页面时,它总是会让我回到登录页面。
这是我的代码
login.aspx.cs
protected void Page_Load(object sender, EventArgs e)
{
if (!IsPostBack)
{
if (User.Identity.IsAuthenticated && Request.QueryString["ReturnUrl"] != "")
{
divError.Visible = true;
divError.InnerHtml = accessErrorMessage;
}
}
}
protected void btn_enter_Click(object sender, EventArgs e)
{
using (var db = new MainDB())
{
administrator=db.Administrators.Where(q => q.Name == txtUsername.Text && q.Password == txtPassword.Text).FirstOrDefault();
if(administrator!=null)
{
administrator.DateLastLogin = DateTime.Now;
roles = administrator.Role;
adminID = administrator.AdministratorId;
db.SaveChanges();
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
1, // Ticket version
adminID.ToString(), // Username associated with ticket
DateTime.UtcNow, // Date/time issued
DateTime.UtcNow.AddMinutes(30), // Date/time to expire
true, // "true" for a persistent user cookie
**roles, // User-data, in this case the roles(data example: product,feedback,subscribes**
FormsAuthentication.FormsCookiePath); // Path cookie valid for
// Encrypt the cookie using the machine key for secure transport
string hash = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(
FormsAuthentication.FormsCookieName, // Name of authentication cookie
hash); // Hashed ticket
// Set the cookie's expiration time to the tickets expiration time
if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;
// Add the cookie to the list for outgoing response
Response.Cookies.Add(cookie);
// Redirect to requested URL, or homepage if no previous page
// requested
string returnUrl = Request.QueryString["ReturnUrl"];
if (returnUrl == null)
{
returnUrl = "~/admin/";
}
// Don't call FormsAuthentication.RedirectFromLoginPage since it
// could
// replace the authentication ticket (cookie) we just added
Response.Redirect(returnUrl);
}
else
{
divError.Visible = true;
divError.InnerHtml = loginErrorMessage;
}
//if (FormsAuthentication.Authenticate(txtUsername.Text, txtPassword.Text))
//{
// FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, false);
//}
}
的global.asax
void Application_AuthenticateRequest(object sender, EventArgs e)
{
if(Request.IsAuthenticated)
{
FormsIdentity identity = (FormsIdentity)HttpContext.Current.User.Identity;
//Add the roles to the User Principal
HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(HttpContext.Current.User.Identity, identity.Ticket.UserData.Split(new char[] { ',' }));
}
}
的web.config
<location path="admin/product">
<system.web>
<authorization>
<!--<allow users="admin"/>-->
<allow roles="product"/>
<deny users="*"/>
</authorization>
</system.web>
<location path="admin/spotlight">
<system.web>
<authorization>
<!--<allow users="admin"/>-->
<allow roles="spotlight"/>
<deny users="*"/>
</authorization>
</system.web>
<location path="admin/career">
<system.web>
<authorization>
<!--<allow users="admin"/>-->
<allow roles="career"/>
<deny users="*"/>
</authorization>
</system.web>
<location path="admin/emailshare">
<system.web>
<authorization>
<!--<allow users="admin"/>-->
<allow roles="emailshare"/>
<deny users="*"/>
</authorization>
</system.web>
我在这里做错了吗?
答案 0 :(得分:1)
您首先允许角色,但随后拒绝所有用户。
规则按顺序执行,因此请尝试将最具体的规则指定为最后一个。
<deny users="*"/>
<allow roles="emailshare"/>
另一方面,在从DB验证用户身份后,您没有设置Principal。您需要在HttpContext中设置用户,并将标志设置为Authenticated。否则(Request.IsAuthenticated)将始终为假。
GenericIdentity userIdentity =
new GenericIdentity(ticket.Name);
GenericPrincipal userPrincipal =
new GenericPrincipal(userIdentity, roles);
Context.User = userPrincipal;
请注意,roles参数是逗号分隔的字符串。
另外,使用build-in provider model会更容易吗?这会阻止您自己编写所有身份验证代码。然后,您可以在需要时使用自己的数据访问逻辑创建custom Membership provider。