问题
I'm working on a project that will use windows role providers and I want to limit functionality to certain AD groups.
With MVC, I could use an AuthorizeAttribute above my action methods and redirect accordingly. Is there something similar I can do for a standard web forms application (.NET 3.5) that doesn't use MVC?
回答1:
You can set this up in web.config with the authorization element.
<configuration>
<system.web>
<authorization>
<allow roles="domainname\Managers" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
Basically domain groups are translated into roles when using <authentication mode="Windows" />.
You can read more about it on MSDN
回答2:
I know this is an old post but thought I'd share my experience as I just went through this. I did not want to use web.config. I was looking for a way to create an attribute for webforms similar to MVC's implementation. I found a post by Deran Schilling that I used as a basis for the attribute portion.
I created a custom IPrincipal
interface IMyPrincipal : IPrincipal
{
string MyId { get; }
string OrgCode { get; }
string Email { get; }
}
and Principal
public class MyPrincipal : IMyPrincipal
{
IIdentity identity;
private List<string> roles;
private string email;
private string myId;
private string orgCode;
public MyPrincipal(IIdentity identity, List<string> roles, string myId, string orgCode, string email)
{
this.identity = identity;
this.roles = roles;
this.myId = myId;
this.orgCode = orgCode;
this.email = email;
}
public IIdentity Identity
{
get { return identity; }
}
public bool IsInRole(string role)
{
return roles.Contains(role);
}
public string Email
{
get { return email; }
}
public string MyId
{
get { return myId; }
}
public string OrgCode
{
get { return orgCode; }
}
}
and created an Attribute for usage on the Page
[AttributeUsage(AttributeTargets.Class, AllowMultiple = false)]
public class AdminAuthorizationAttribute : Attribute
{
public AdminAuthorizationAttribute()
{
var user = (MyPrincipal)HttpContext.Current.User;
if (user.IsInRole("MyAdmin"))
return;
throw new AccessDeniedException();
}
}
and created some custom Exceptions
public class AccessDeniedException : BaseHttpException
{
public AccessDeniedException() : base((int)HttpStatusCode.Unauthorized, "User not authorized.") { }
}
public class BaseHttpException : HttpException
{
public BaseHttpException(int httpCode, string message) : base(httpCode, message) { }
}
and now I can apply the attribute for usage on a given page
[AdminAuthorization]
public partial class Default : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
}
}
来源:https://stackoverflow.com/questions/4217576/is-there-an-authorizeattribute-equivalent-to-just-standard-web-forms-not-mvc-f