Forms authentication login for guest and administrator

Posted 2024-08-17 23:42:33 · 4262 characters · 4 views · 0 comments


I have a web project GUI.

I was first working with the administrator only.

So when the administrator logs in with his username and password, I use forms authentication to redirect him to the default page "Default.aspx".

But now I have to work with guests as well... and on login:

  1. check the role; if it is a guest, redirect him to a guest page, not "Default.aspx"

  2. with read-only privileges... e.g. he should not be able to make any changes in the database even if there is an option

I was using this code:

    using System;
    using System.Runtime.InteropServices;
    using System.Security.Principal;
    using System.Web.Security;

    public partial class Login : System.Web.UI.Page
    {
        public const int LOGON32_LOGON_INTERACTIVE = 2;
        public const int LOGON32_PROVIDER_DEFAULT = 0;
        // SECURITY_IMPERSONATION_LEVEL value SecurityImpersonation, passed to DuplicateToken
        private const int SECURITY_IMPERSONATION = 2;

        WindowsImpersonationContext impersonationContext;

        [DllImport("advapi32.dll", SetLastError = true)]
        public static extern int LogonUserA(String lpszUserName,
            String lpszDomain,
            String lpszPassword,
            int dwLogonType,
            int dwLogonProvider,
            ref IntPtr phToken);

        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern int DuplicateToken(IntPtr hToken,
            int impersonationLevel,
            ref IntPtr hNewToken);

        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern bool RevertToSelf();

        [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
        public static extern bool CloseHandle(IntPtr handle);

        protected void LoginButton_Click(object sender, EventArgs e)
        {
            // impersonateValidUser already calls LogonUserA, so the separate
            // LogonUserA call that used to sit here (and leaked its token) is gone.
            if (!impersonateValidUser(UserName.Text, Domain.Text, Password.Text))
            {
                Label2.Text = "not impersonating";
                BadCredentials.Visible = true;
                Label4.Text = "not valid user";
                return;
            }

            Label1.Text = "impersonation";
            try
            {
                // While impersonating, GetCurrent() is the logged-on user, so the
                // group checks below are about that user, not the app-pool identity.
                WindowsIdentity wi = WindowsIdentity.GetCurrent();
                WindowsPrincipal wp = new WindowsPrincipal(wi);

                // WindowsBuiltInRole maps to the BUILTIN\Administrators and BUILTIN\Guests
                // groups. The string "Guest" resolves to the Guest *account*, which is
                // never among the token's groups, so that branch could never match.
                if (wp.IsInRole(WindowsBuiltInRole.Administrator))
                {
                    BadCredentials.Visible = false;
                    Session["userName"] = UserName.Text;
                    // Caution: the clear-text password in session state is readable by
                    // anything with access to the session store; keep it only if a later
                    // step really has to impersonate again.
                    Session["password"] = Password.Text;
                    Session["domain"] = Domain.Text;
                    FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
                }
                else if (wp.IsInRole(WindowsBuiltInRole.Guest))
                {
                    // Guest: set the forms-auth cookie ourselves and send the user to
                    // guestpage.aspx instead of the defaultUrl RedirectFromLoginPage uses.
                    BadCredentials.Visible = false;
                    FormsAuthentication.SetAuthCookie(UserName.Text, false);
                    Response.Redirect("~/guestpage.aspx");
                }
                else
                {
                    BadCredentials.Visible = true;
                    Label4.Text = "user is in neither the Administrators nor the Guests group";
                }
            }
            finally
            {
                // Drop the impersonation (the redirects above abort the thread, and
                // finally still runs) so the worker thread does not stay the logged-on
                // user for the rest of the request.
                impersonationContext.Undo();
            }
        }

        private bool impersonateValidUser(String userName, String domain, String password)
        {
            WindowsIdentity tempWindowsIdentity;
            IntPtr token = IntPtr.Zero;
            IntPtr tokenDuplicate = IntPtr.Zero;

            // Make sure the thread is not already impersonating before logging on.
            if (RevertToSelf())
            {
                if (LogonUserA(userName, domain, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, ref token) != 0)
                {
                    // LogonUser returns a primary token; impersonation needs an impersonation token.
                    if (DuplicateToken(token, SECURITY_IMPERSONATION, ref tokenDuplicate) != 0)
                    {
                        tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
                        impersonationContext = tempWindowsIdentity.Impersonate();
                        if (impersonationContext != null)
                        {
                            // WindowsIdentity duplicated the handle internally, so ours can be closed.
                            CloseHandle(token);
                            CloseHandle(tokenDuplicate);
                            return true;
                        }
                    }
                }
            }
            if (token != IntPtr.Zero)
                CloseHandle(token);
            if (tokenDuplicate != IntPtr.Zero)
                CloseHandle(tokenDuplicate);
            return false;
        }
    }

This is very important to me... any suggestions will be appreciated. Thanks.

Is there some setting in SQL or IIS for a read-only mode for Guest?

I have used this in my web.config:

 <authentication mode="Forms">
    <forms loginUrl="Login.aspx" defaultUrl="~/Default.aspx" name="Cookie" timeout="120" path="/">
    </forms>
  </authentication>
  <authorization>
    <deny users="?"/>
    <allow users="*"/>
  </authorization>

and this works.
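For the read-only requirement in point 2 (and the question about a SQL or IIS setting), here is an added example that is not code from the post. It enforces the rule in two places: the application refuses writes unless the caller is in the Administrators role, and a guest's database work runs over a SQL login that is a member of db_datareader only, so a forgotten check in the application still cannot write. The connection-string names AdminDb and ReadOnlyDb, the SQL login app_reader and the Notes table are hypothetical. It relies on the current principal carrying roles, which plain forms authentication does not provide by itself; a role provider, or a forms ticket whose UserData holds the role, has to supply them.

```csharp
// Added example, not code from the original post. Hypothetical setup it assumes:
//
//   -- run once in SQL Server: a login that can only read
//   CREATE LOGIN app_reader WITH PASSWORD = '...';
//   CREATE USER app_reader FOR LOGIN app_reader;
//   ALTER ROLE db_datareader ADD MEMBER app_reader;
//
//   <!-- web.config: "AdminDb" uses a login with write rights, "ReadOnlyDb" uses app_reader -->
//   <connectionStrings>
//     <add name="AdminDb"    connectionString="Server=.;Database=App;User Id=app_admin;Password=..." />
//     <add name="ReadOnlyDb" connectionString="Server=.;Database=App;User Id=app_reader;Password=..." />
//   </connectionStrings>
//
//   <!-- web.config: keep guests off the admin pages entirely -->
//   <location path="Admin">
//     <system.web><authorization><allow roles="Administrators"/><deny users="*"/></authorization></system.web>
//   </location>
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security;
using System.Web;

public static class GuestReadOnly
{
    // Hiding a button in the UI is not a control: the server must refuse the write.
    public static void RequireWriteAccess(HttpContext ctx)
    {
        if (ctx == null || ctx.User == null || !ctx.Request.IsAuthenticated
            || !ctx.User.IsInRole("Administrators"))
        {
            throw new SecurityException("write operations require the Administrators role");
        }
    }

    // Second layer: a guest's statements run under a SQL login that cannot write,
    // so even a missing authorization check cannot turn into a database change.
    public static SqlConnection OpenConnectionFor(HttpContext ctx)
    {
        bool admin = ctx.User != null && ctx.User.IsInRole("Administrators");
        string name = admin ? "AdminDb" : "ReadOnlyDb";
        var conn = new SqlConnection(ConfigurationManager.ConnectionStrings[name].ConnectionString);
        conn.Open();
        return conn;
    }

    // Read path: any authenticated user, parameterised query.
    public static string ReadNote(HttpContext ctx, int noteId)
    {
        using (SqlConnection conn = OpenConnectionFor(ctx))
        using (var cmd = new SqlCommand("SELECT Body FROM Notes WHERE Id = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = noteId;
            return cmd.ExecuteScalar() as string;
        }
    }

    // Write path: checked in the application, then executed with the role-appropriate
    // login so SQL Server enforces the same rule. A guest who forges a postback to a
    // handler calling this gets a SecurityException; were the check missing, SQL Server
    // would reject the UPDATE with a permission error for app_reader instead.
    public static int UpdateNote(HttpContext ctx, int noteId, string body)
    {
        RequireWriteAccess(ctx);
        using (SqlConnection conn = OpenConnectionFor(ctx))
        using (var cmd = new SqlCommand("UPDATE Notes SET Body = @body WHERE Id = @id", conn))
        {
            cmd.Parameters.Add("@body", SqlDbType.NVarChar, 4000).Value = body;
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = noteId;
            return cmd.ExecuteNonQuery();
        }
    }
}
```

A page's button handler would call GuestReadOnly.UpdateNote(Context, id, text) and let the SecurityException surface as an error rather than silently ignoring it; with this layout the question "is there a read-only setting in SQL" is answered by the login's role membership, not by a switch in IIS.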


Comments (2)

风渺 2024-08-24 23:42:33


Are you doing forms authentication or Windows authentication? The above looks like Windows authentication (i.e. the host machine is authenticating the user). Forms authentication can be done against anything you want (such as a DB, etc.).

If you want to manage users (such as in a DB) you will need to design those mechanisms. Take a look at the Membership Provider. You could also attempt to log the user into the Windows machine (or domain) and, if that fails, fall back to using your own DB, etc.

爱情眠于流年 2024-08-24 23:42:33


To handle the redirection issue, you simply need to create the forms authentication ticket yourself and then do a Response.Redirect instead of using the built-in RedirectFromLoginPage method.

Look at steps 7 - 10 here:
http://msdn.microsoft.com/en-us/library/aa302399.aspx

As far as the security authorization issue goes, you should use the User.IsInRole method to enable / disable functionality in the app to keep users from doing something they shouldn't. If that isn't enough security, then you can consider giving different SQL connections / SQL users / roles to each application role. This is probably overkill, however.
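The ticket-building approach this answer describes, written out as an added example that is not code from the answer or from the linked MSDN article. It assumes the question's web.config (forms authentication with timeout="120"), a page named guestpage.aspx, and the role names Administrators and Guest; the Global.asax wiring is shown in a comment. The role is stored in the ticket's UserData, which is inside the encrypted and signed ticket, so the client cannot edit it, and the landing page is chosen from that server-side role rather than from anything in the request.

```csharp
// Added example, not code from the answer or the linked MSDN article.
// Assumes: <authentication mode="Forms"> with timeout="120" as in the question,
// a ~/guestpage.aspx, and the roles "Administrators" and "Guest".
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class RoleAwareFormsLogin
{
    // Replaces FormsAuthentication.RedirectFromLoginPage: build the ticket by hand so
    // the role travels in UserData, then redirect by role instead of by defaultUrl/ReturnUrl.
    public static void IssueTicketAndRedirect(HttpContext ctx, string userName, string role)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                             // ticket version
            userName,
            DateTime.Now,
            DateTime.Now.AddMinutes(120),  // keep in step with timeout="120" in web.config
            false,                         // session cookie only, no "remember me"
            role,                          // UserData: role(s), comma separated
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                           // not readable from script
            Secure = ctx.Request.IsSecureConnection,   // HTTPS-only when the site is on HTTPS
            Path = FormsAuthentication.FormsCookiePath
        };
        ctx.Response.Cookies.Add(cookie);

        ctx.Response.Redirect(LandingPageFor(role), false);
        ctx.ApplicationInstance.CompleteRequest();     // end the request without ThreadAbortException
    }

    // The server-side role decides where the user lands; nothing from the request does.
    public static string LandingPageFor(string role)
    {
        return string.Equals(role, "Guest", StringComparison.OrdinalIgnoreCase)
            ? "~/guestpage.aspx"
            : "~/Default.aspx";
    }

    // Wire this up in Global.asax:
    //   void Application_AuthenticateRequest(object sender, EventArgs e)
    //   {
    //       RoleAwareFormsLogin.AttachRoles(HttpContext.Current);
    //   }
    // By the time it runs, FormsAuthenticationModule has already validated the cookie's
    // signature and expiry; the identity only lacks roles, which are added here so that
    // User.IsInRole("Guest") and <authorization> role rules work on every page.
    public static void AttachRoles(HttpContext ctx)
    {
        FormsIdentity identity = ctx.User == null ? null : ctx.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;   // anonymous request

        string[] roles = identity.Ticket.UserData.Split(
            new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        ctx.User = new GenericPrincipal(identity, roles);
    }
}
```

In the question's LoginButton_Click, the call replacing RedirectFromLoginPage would be RoleAwareFormsLogin.IssueTicketAndRedirect(Context, UserName.Text, "Guest") in the guest branch and the same with "Administrators" in the admin branch; once AttachRoles is hooked up, a `<deny roles="Guest"/>` inside a `<location>` for the admin pages is enforced by ASP.NET before any page code runs.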
