2

我正在为我的管理页面进行身份验证。我遵循了来自各种网站的示例,但每次我尝试访问产品页面时,它总是将我踢回登录页面。

这是我的代码

登录.aspx.cs

protected void Page_Load(object sender, EventArgs e)
{
    if (!IsPostBack)
    {
        if (User.Identity.IsAuthenticated && Request.QueryString["ReturnUrl"] != "")
        {
            divError.Visible = true;
            divError.InnerHtml = accessErrorMessage;
        }
    }
}

protected void btn_enter_Click(object sender, EventArgs e)
{
    using (var db = new MainDB()) 
    {
        administrator=db.Administrators.Where(q => q.Name == txtUsername.Text && q.Password == txtPassword.Text).FirstOrDefault();

        if(administrator!=null)
        {
            administrator.DateLastLogin = DateTime.Now;
            roles = administrator.Role;
            adminID = administrator.AdministratorId;
            db.SaveChanges();

            FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
                1, // Ticket version
                adminID.ToString(),                     // Username associated with ticket
                DateTime.UtcNow,                        // Date/time issued
                DateTime.UtcNow.AddMinutes(30),         // Date/time to expire
                true,                                   // "true" for a persistent user cookie              
                **roles,        // User-data, in this case the roles(data example: product,feedback,subscribes** 
                FormsAuthentication.FormsCookiePath);   // Path cookie valid for

            // Encrypt the cookie using the machine key for secure transport
            string hash = FormsAuthentication.Encrypt(ticket);
            HttpCookie cookie = new HttpCookie(
               FormsAuthentication.FormsCookieName, // Name of authentication cookie
               hash); // Hashed ticket

            // Set the cookie's expiration time to the tickets expiration time
            if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;

            // Add the cookie to the list for outgoing response
            Response.Cookies.Add(cookie);

            // Redirect to requested URL, or homepage if no previous page
            // requested
            string returnUrl = Request.QueryString["ReturnUrl"];
            if (returnUrl == null)
            {
                returnUrl = "~/admin/";
            }
            // Don't call FormsAuthentication.RedirectFromLoginPage since it
            // could 
            // replace the authentication ticket (cookie) we just added
            Response.Redirect(returnUrl);
        }
        else
        {
            divError.Visible = true;
            divError.InnerHtml = loginErrorMessage;
        }
      //if (FormsAuthentication.Authenticate(txtUsername.Text, txtPassword.Text))
            //{
            //    FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, false);
            //}     
     }

全球.asax

void Application_AuthenticateRequest(object sender, EventArgs e)
{
    if(Request.IsAuthenticated)
    {
        FormsIdentity identity = (FormsIdentity)HttpContext.Current.User.Identity;

        //Add the roles to the User Principal
        HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(HttpContext.Current.User.Identity, identity.Ticket.UserData.Split(new char[] { ',' }));
    }
}

网络配置

<location path="admin/product">
<system.web>
  <authorization>
    <!--<allow users="admin"/>-->
    <allow roles="product"/>
    <deny users="*"/>
  </authorization>
</system.web>


<location path="admin/spotlight">
<system.web>
  <authorization>
    <!--<allow users="admin"/>-->
    <allow roles="spotlight"/>
    <deny users="*"/>
  </authorization>
</system.web>


<location path="admin/career">
<system.web>
  <authorization>
    <!--<allow users="admin"/>-->
    <allow roles="career"/>
    <deny users="*"/>
  </authorization>
</system.web>


<location path="admin/emailshare">
<system.web>
  <authorization>
    <!--<allow users="admin"/>-->
    <allow roles="emailshare"/>
    <deny users="*"/>
  </authorization>
</system.web>

我在这里做错了吗?

4

1 回答 1

1

您首先允许一个角色,然后拒绝所有用户。

规则按顺序执行,因此请尝试将最具体的规则指定为最后一个。

<deny users="*"/>
<allow roles="emailshare"/>

另一件事是,在从数据库验证用户之后,您没有设置委托人。您需要在 HttpContext 中设置用户,并且标志为 Authenticated。否则 if(Request.IsAuthenticated)将永远为假。

GenericIdentity userIdentity = 
    new GenericIdentity(ticket.Name);   
GenericPrincipal userPrincipal = 
    new GenericPrincipal(userIdentity, roles);   
Context.User = userPrincipal;

请注意,角色参数是逗号分隔的字符串。

另外,使用内置提供程序模型不是更容易吗?这会阻止您自己编写所有身份验证代码。然后,您可以在需要时使用您自己的数据访问逻辑创建自定义成员资格提供程序。

于 2013-07-29T05:16:46.747 回答