is there an authorizeattribute equivalent to just standard web forms (not MVC) for .net

别来无恙 提交于 2019-12-17 14:50:35

问题


I'm working on a project that will use windows role providers and I want to limit functionality to certain AD groups.

With MVC, I could use an AuthorizeAttribute above my action methods and redirect accordingly. Is there something similar I can do for a standard web forms application (.NET 3.5) that doesn't use MVC?


回答1:


You can set this up in web.config with the authorization element.

<configuration>
  <system.web>
    <authorization>
      <allow roles="domainname\Managers" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

Basically domain groups are translated into roles when using <authentication mode="Windows" />. You can read more about it on MSDN




回答2:


I know this is an old post but thought I'd share my experience as I just went through this. I did not want to use web.config. I was looking for a way to create an attribute for webforms similar to MVC's implementation. I found a post by Deran Schilling that I used as a basis for the attribute portion.

I created a custom IPrincipal

interface IMyPrincipal : IPrincipal
{
    string MyId { get; }
    string OrgCode { get; }
    string Email { get; }
}

and Principal

public class MyPrincipal : IMyPrincipal
{
    IIdentity identity;
    private List<string> roles;
    private string email;
    private string myId;
    private string orgCode;

    public MyPrincipal(IIdentity identity, List<string> roles, string myId, string orgCode, string email)
    {
        this.identity = identity;
        this.roles = roles;
        this.myId = myId;
        this.orgCode = orgCode;
        this.email = email;
    }

    public IIdentity Identity
    { 
        get { return identity; }
    }

    public bool IsInRole(string role)
    {
        return roles.Contains(role);
    }

    public string Email
    {
        get { return email; }
    }
    public string MyId
    {
        get { return myId; }
    }
    public string OrgCode
    {
        get { return orgCode; }
    }
}

and created an Attribute for usage on the Page

[AttributeUsage(AttributeTargets.Class, AllowMultiple = false)]
public class AdminAuthorizationAttribute : Attribute
{
    public AdminAuthorizationAttribute()
    {
        var user = (MyPrincipal)HttpContext.Current.User;

        if (user.IsInRole("MyAdmin"))
            return;

        throw new AccessDeniedException();
    }
}

and created some custom Exceptions

public class AccessDeniedException : BaseHttpException
{
    public AccessDeniedException() : base((int)HttpStatusCode.Unauthorized, "User not authorized.") { }
}

public class BaseHttpException : HttpException
{
    public BaseHttpException(int httpCode, string message) : base(httpCode, message) { }
}

and now I can apply the attribute for usage on a given page

[AdminAuthorization]
public partial class Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
    }
}


来源:https://stackoverflow.com/questions/4217576/is-there-an-authorizeattribute-equivalent-to-just-standard-web-forms-not-mvc-f

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!