Requiring Multiple Roles in Web.config Authorization

∥☆過路亽.° 提交于 2019-12-21 09:39:10

问题


Is it possible to specify that multiple roles are required inside the authorization element of the web.config file? I currently have this block in one web.config of my site for a specific directory:

<authorization>  
    <allow roles="Global, Region" />
    <deny users="*" />
</authorization>

I've just identified a special case where a person with two lower-level permissions than Global and Region should also have access to this directory. Roughly, I want something like this:

<authorization>  
    <allow roles="GlobalManager, RegionManager, SiteManager && FooSite" />
    <deny users="*" />
</authorization>

Any ideas? I realize I probably should have a new role for this scenario, but I'd like to avoid that. Thanks!


回答1:


I don't think you can do this via the current configs allowed in web.config. What you could do though is something like the following... as the very first line in your Page_Load event for the page in question, use the following code (VB):

If Not (User.IsInRole("Role1") AndAlso User.IsInRole("Role2")) Then _
    FormsAuthentication.RedirectToLoginPage()

This line of course is assuming you are using FormsAuthentication. If not, you would need to replace FormsAuthentication.RedirectToLoginPage() with the appropriate code depending on your authentication method.

I don't know your situation exactly, but based on your code, it looks like you could go one step further, and add a table with a mapping of users to sites, and do something like the following:

In a public module, add the following code:

<System.Runtime.CompilerServices.Extension()> _
Public Function ManagesSite(target As System.Security.Principal.IPrincipal, siteName As String) As Boolean
    Return [ code here to look up whether this user can access the site specified ]
End Function 

Then you can write the previous code as something more logical, such as:

If Not (User.IsInRole("SiteManager") AndAlso User.ManagesSite(Request.Url.Host)) Then _
    FormsAuthentication.RedirectToLoginPage()



回答2:


The method I usually use to solve this is when setting the user roles, create virtual roles. Therefore if the you wanted to only allow Student Administrators access to a page were a user has both Student and Administrator roles you could add a new StudentAdministrator role.



来源:https://stackoverflow.com/questions/2738394/requiring-multiple-roles-in-web-config-authorization

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!