Allowing/denying application access using global.asax events

Time: 2011-08-15 15:42:23

Tags: .net asp.net c#-2.0 global-asax

I have an ASP.NET web application (it runs on the intranet only) and I am using a simple user authorization model. I have a table called tblApplicationAccess with two fields - UserID and AccessLevel.

For example, UserID: John.Smith, AccessLevel: 2

(1 - general access, 2 - data entry access, 3 - super user, 4 - developer access)

I am using the Session_Start event in global.asax to authorize users. Here is the code:

// Requires: using System; using System.Data; using System.Data.SqlClient; using System.Web;
protected void Session_Start(object sender, EventArgs e)
{
    // Assumes the Windows account name arrives as "DOMN\user": the first five
    // characters ("DOMN\") are stripped to obtain the bare user ID.
    string strUserID = User.Identity.Name.Substring(5);
    bool isAllowedToView = false;

    // UtilityClass is a root level class with various methods that I use throughout the application.
    // QUESTION: Could this be the problem? Since it is at root level (alongside all the pages), could it be the case that this resource isn't checked for user access?

    UtilityClass.StrCurrentSessionID = this.Session.SessionID;

    // Add a row to BLSC_tblSession. Values are bound as SqlParameters instead of being
    // concatenated into the SQL text, so a user name containing a quote cannot alter the
    // statement and the DateTime values are not formatted through the server's culture.
    int nRowsReturned = 0;
    string strConnectionString = UtilityClass.GetConnectionString("My Application");
    string strQueryStartSession = "INSERT INTO BLSC_tblSession " +
                                  "(SessionID, UserID, SessionStatus, StartTime, EndTime) " +
                                  "VALUES (@SessionID, @UserID, 'Active', @StartTime, @EndTime)";

    try
    {
        // using disposes (and therefore closes) the connection on every exit path,
        // which replaces the explicit Close() calls in try and finally.
        using (SqlConnection connStartSession = new SqlConnection(strConnectionString))
        using (SqlCommand sqlStartSession = new SqlCommand(strQueryStartSession, connStartSession))
        {
            sqlStartSession.Parameters.Add("@SessionID", SqlDbType.NVarChar, 80).Value = this.Session.SessionID;
            sqlStartSession.Parameters.Add("@UserID", SqlDbType.NVarChar, 256).Value = strUserID;
            sqlStartSession.Parameters.Add("@StartTime", SqlDbType.DateTime).Value = DateTime.Now;
            sqlStartSession.Parameters.Add("@EndTime", SqlDbType.DateTime).Value = DateTime.Now.AddDays(1);

            connStartSession.Open();
            nRowsReturned = sqlStartSession.ExecuteNonQuery();
        }

        if (nRowsReturned == 0)
            throw new Exception("Session could not be started.");

        // Authorize User
        // Check if user has access to the application. If not, redirect to UnauthorizedAccess.aspx
        // Check for access level 1.
        // IMPORTANT: For Dev server change access level to 4.
        isAllowedToView = UtilityClass.CheckUserAccess(strUserID, 1);
        if (isAllowedToView == false)
        {
            UtilityClass.WriteToLog("Application Access Denied: UserID - " + strUserID, 1);
            // endResponse: false avoids the ThreadAbortException that Response.Redirect(url)
            // throws inside this try block (it would be caught below and logged as an error);
            // CompleteRequest() still stops the pipeline after this handler returns.
            Response.Redirect("Some URL", false);
            Context.ApplicationInstance.CompleteRequest();
            return;
        }

        // Browser detection
        string strBrowserName = Request.Browser.Browser;
        if (strBrowserName != "IE")
        {
            UtilityClass.WriteToLog("Non-supported browser usage detected: UserID - " + strUserID + ", Browser - " + strBrowserName, 0);
            Response.Redirect("Some other URL", false);
            Context.ApplicationInstance.CompleteRequest();
        }
    }
    catch (SqlException SqlEx)
    {
        UtilityClass.HandleError("Global.asax", "Session_Start", SqlEx.Message);
    }
    catch (Exception Ex)
    {
        UtilityClass.HandleError("Global.asax", "Session_Start", Ex.Message);
    }
}

UtilityClass.CheckUserAccess

// Requires: using System; using System.Data; using System.Data.SqlClient;
public static bool CheckUserAccess(string UserID, int RequiredAccessLevel)
{
    bool bReturn = false;
    object TemporaryPlaceHolder;
    int nUserAccessLevel = 0;
    // UserID is bound as a parameter rather than spliced into the SQL text.
    string strQueryCheckUserAccess = "SELECT AccessLevel " +
                                     "FROM BLSC_tblApplicationAccess " +
                                     "WHERE UserID = @UserID";
    string strConnectionString = GetConnectionString("My Application");
    try
    {
        if (strConnectionString != String.Empty)
        {
            // using closes the connection on every exit path, including exceptions.
            using (SqlConnection connCheckUserAccess = new SqlConnection(strConnectionString))
            using (SqlCommand sqlCheckUserAccess = new SqlCommand(strQueryCheckUserAccess, connCheckUserAccess))
            {
                sqlCheckUserAccess.Parameters.Add("@UserID", SqlDbType.NVarChar, 256).Value = UserID;
                connCheckUserAccess.Open();

                // ExecuteScalar returns null when no row matches and DBNull when the stored
                // AccessLevel is NULL; both cases leave bReturn false (access denied).
                TemporaryPlaceHolder = sqlCheckUserAccess.ExecuteScalar();
                if (TemporaryPlaceHolder != null && TemporaryPlaceHolder != DBNull.Value)
                {
                    nUserAccessLevel = Convert.ToInt32(TemporaryPlaceHolder);
                    bReturn = nUserAccessLevel >= RequiredAccessLevel;
                }
            }
        }
    }
    catch (SqlException SqlEx)
    {
        HandleError("UtilityClass.cs", "CheckUserAccess", SqlEx.Message);
    }
    catch (Exception Ex)
    {
        HandleError("UtilityClass.cs", "CheckUserAccess", Ex.Message);
    }
    // Any failure (no connection string, SQL error, missing row) leaves bReturn at
    // its default of false, so the check fails closed.
    return bReturn;
}

Problem: My application does not load in the production environment.

The application runs with Windows authentication. To be exact, we access SQL Server as DomainName\ApplicationServer$ rather than as individual users.

My question:

If I want to check application access using my current model and global.asax events, where is the best place to put it? Am I doing something badly wrong here? I need to write to the session table to record the event, and I cannot use the role-based authentication that ASP.NET provides.

1 answer:

Answer 0: (score: 1)

From my point of view, Session_Start looks like a good place to do these things. First figure out why it doesn't load in production, and check whether any unhandled exception is occurring:

  1. Try adding logging in protected void Application_Error(Object sender, EventArgs e) in the global.asax file
  2. Subscribe to HttpApplication.Error
  3. Check the Windows EventLog
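As an added example (not code from the question or the answer), here is an Application_Error handler in the global.asax code-behind that covers the three steps above: ASP.NET wires it to HttpApplication.Error automatically, it takes the last error with Server.GetLastError(), unwraps the HttpUnhandledException that ASP.NET puts around it, and writes the user, URL, exception type and stack trace to the Windows Application event log so that a failure in Session_Start on the production server leaves a trace. The event source name MyIntranetApp is a placeholder and is assumed to have been registered once by an administrator; if it does not exist, the entry is written under the ".NET Runtime" source that the Framework installs.

```csharp
// Global.asax.cs (example added here; assumes an ASP.NET Web Forms application)
using System;
using System.Diagnostics;
using System.Web;

public partial class Global : HttpApplication
{
    // Placeholder event source. Assumption: created once by an administrator, because
    // EventLog.CreateEventSource needs admin rights and must not run inside the web app.
    private const string EventSourceName = "MyIntranetApp";

    // Auto-event wireup binds this method to HttpApplication.Error, so it runs for every
    // unhandled exception in the pipeline, including those thrown from Session_Start.
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null)
            return;

        // ASP.NET wraps the original exception in HttpUnhandledException; GetBaseException
        // walks the InnerException chain down to the real cause.
        Exception root = ex.GetBaseException();

        string message = String.Format(
            "Unhandled exception{0}User: {1}{0}URL: {2}{0}Type: {3}{0}Message: {4}{0}Stack: {5}",
            Environment.NewLine, CurrentUserName(), CurrentUrl(),
            root.GetType().FullName, root.Message, root.StackTrace);

        try
        {
            // SourceExists scans all logs and can throw SecurityException for a low-privilege
            // identity such as DomainName\ApplicationServer$; the catch below handles that.
            string source = EventLog.SourceExists(EventSourceName) ? EventSourceName : ".NET Runtime";
            EventLog.WriteEntry(source, message, EventLogEntryType.Error, 1000);
        }
        catch (Exception)
        {
            // Logging must never hide the original failure; fall back to trace output.
            Trace.TraceError(message);
        }

        // Server.ClearError() is deliberately not called: the error stays in place so the
        // customErrors page (or the error page on a dev box) is still shown to the user.
    }

    // Identity.Name of the authenticated Windows user, or a marker when none is present.
    private static string CurrentUserName()
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx != null && ctx.User != null && ctx.User.Identity.IsAuthenticated)
            return ctx.User.Identity.Name;
        return "(anonymous)";
    }

    // The requested URL. In IIS integrated mode, Request is not available while
    // Application_Start is running, and reading it throws HttpException.
    private static string CurrentUrl()
    {
        try
        {
            HttpContext ctx = HttpContext.Current;
            return ctx != null ? ctx.Request.RawUrl : "(no context)";
        }
        catch (HttpException)
        {
            return "(request not available)";
        }
    }
}
```

After deploying this, reproduce the failed load once and open Event Viewer, Windows Logs, Application on the production server: the entry with event ID 1000 carries the exception type and stack trace that the Session_Start catch blocks otherwise swallow into HandleError.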