c# - How do I create a custom membership provider for ASP.NET MVC 2?

Reposted. Author: IT王子. Updated: 2023-10-29 03:45:58

How do I create a custom membership provider for ASP.NET MVC 2 based on the ASP.NET membership provider?

Best answer

I created a new project containing a custom membership provider and overrode the ValidateUser method of the MembershipProvider abstract class:

    using System.Web.Security;

    public class MyMembershipProvider : MembershipProvider
    {
        public override bool ValidateUser(string username, string password)
        {
            // this is where you should validate your user credentials against your database.
            // I've made an extra class so I can send more parameters
            // (in this case it's the CurrentTerritoryID parameter which I used as
            // one of the MyMembershipProvider class properties).

            var oUserProvider = new MyUserProvider();
            return oUserProvider.ValidateUser(username, password, CurrentTerritoryID);
        }

        // The remaining abstract members of MembershipProvider must be implemented as well.
    }

Then I wired that provider into my ASP.NET MVC 2 project by adding a reference and pointing to it from my web.config:

    <membership defaultProvider="MyMembershipProvider">
      <providers>
        <clear />
        <add name="MyMembershipProvider"
             applicationName="MyApp"
             Description="My Membership Provider"
             passwordFormat="Clear"
             connectionStringName="MyMembershipConnection"
             type="MyApp.MyMembershipProvider" />
      </providers>
    </membership>

I did need to create a custom class that inherits the RoleProvider abstract class and overrides the GetRolesForUser method. ASP.NET MVC authorization uses that method to find out which roles are assigned to the currently logged-in user and to make sure the user is allowed to access the controller action.

Here are the steps we need to take:

1) Create a custom class that inherits the RoleProvider abstract class and overrides the GetRolesForUser method:

    using System;
    using System.Data;
    using System.Web.Security;
    using MySql.Data.MySqlClient;

    public class MyRoleProvider : RoleProvider
    {
        public override string[] GetRolesForUser(string username)
        {
            // SpHelper and ConnectionManager are the answer's own helper classes.
            SpHelper db = new SpHelper();
            DataTable roleNames = null;
            try
            {
                // get roles for this user from DB...
                roleNames = db.ExecuteDataset(ConnectionManager.ConStr,
                    "sp_GetUserRoles",
                    new MySqlParameter("_userName", username)).Tables[0];
            }
            catch (Exception)
            {
                throw; // rethrow as-is; "throw ex;" would reset the stack trace
            }
            string[] roles = new string[roleNames.Rows.Count];
            int counter = 0;
            foreach (DataRow row in roleNames.Rows)
            {
                roles[counter] = row["Role_Name"].ToString();
                counter++;
            }
            return roles;
        }

        // The remaining abstract members of RoleProvider must be implemented as well.
    }

2) Wire the role provider into the ASP.NET MVC 2 application through our web.config:

    <system.web>
      ...

      <roleManager enabled="true" defaultProvider="MyRoleProvider">
        <providers>
          <clear />
          <add name="MyRoleProvider"
               applicationName="MyApp"
               type="MyApp.MyRoleProvider"
               connectionStringName="MyMembershipConnection" />
        </providers>
      </roleManager>

      ...
    </system.web>

3) Put Authorize(Roles="xxx,yyy") above the desired controller/action:

    using System.Web.Mvc;

    // The MVC attribute is named Authorize, not Authorization.
    [Authorize(Roles = "Customer Manager,Content Editor")]
    public class MyController : Controller
    {
        // ......
    }

That's it! It works now!

4) Optional: set up a custom Authorize attribute so that we can redirect users without the required roles to an AccessDenied page:

    using System;
    using System.Web;
    using System.Web.Mvc;

    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
    public class MyAuthorizationAttribute : AuthorizeAttribute
    {
        /// <summary>
        /// The name of the master page or view to use when rendering the view on authorization failure. Default
        /// is null, indicating to use the master page of the specified view.
        /// </summary>
        public virtual string MasterName { get; set; }

        /// <summary>
        /// The name of the view to render on authorization failure. Default is "Error".
        /// </summary>
        public virtual string ViewName { get; set; }

        public MyAuthorizationAttribute()
            : base()
        {
            this.ViewName = "Error";
        }

        // Matches the HttpCacheValidateHandler delegate used by AddValidationCallback below.
        protected void CacheValidateHandler(HttpContext context, object data, ref HttpValidationStatus validationStatus)
        {
            validationStatus = OnCacheAuthorization(new HttpContextWrapper(context));
        }

        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            if (filterContext == null)
            {
                throw new ArgumentNullException("filterContext");
            }

            if (AuthorizeCore(filterContext.HttpContext))
            {
                SetCachePolicy(filterContext);
            }
            else if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
            {
                // auth failed, redirect to login page
                filterContext.Result = new HttpUnauthorizedResult();
            }
            else if (filterContext.HttpContext.User.IsInRole("SuperUser"))
            {
                // is authenticated and is in the SuperUser role
                SetCachePolicy(filterContext);
            }
            else
            {
                // authenticated but not in an allowed role: render the failure view
                ViewDataDictionary viewData = new ViewDataDictionary();
                viewData.Add("Message", "You do not have sufficient privileges for this operation.");
                filterContext.Result = new ViewResult { MasterName = this.MasterName, ViewName = this.ViewName, ViewData = viewData };
            }
        }

        protected void SetCachePolicy(AuthorizationContext filterContext)
        {
            // ** IMPORTANT **
            // Since we're performing authorization at the action level, the authorization code runs
            // after the output caching module. In the worst case this could allow an authorized user
            // to cause the page to be cached, then an unauthorized user would later be served the
            // cached page. We work around this by telling proxies not to cache the sensitive page,
            // then we hook our custom authorization code into the caching mechanism so that we have
            // the final say on whether a page should be served from the cache.
            HttpCachePolicyBase cachePolicy = filterContext.HttpContext.Response.Cache;
            cachePolicy.SetProxyMaxAge(new TimeSpan(0));
            cachePolicy.AddValidationCallback(CacheValidateHandler, null /* data */);
        }
    }

Now we can use our homemade attribute to redirect our users to the access denied view:

    using System.Web.Mvc;

    [MyAuthorization(Roles = "Portal Manager,Content Editor", ViewName = "AccessDenied")]
    public class DropboxController : Controller
    {
        // .......
    }

That's it! Super duper!

Here are some links I used to get all this information:

Custom role provider: http://davidhayden.com/blog/dave/archive/2007/10/17/CreateCustomRoleProviderASPNETRolePermissionsSecurity.aspx

Hope this information helps!

For "c# - How do I create a custom membership provider for ASP.NET MVC 2?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/2771094/
