FormsAuthentication authorization denied message

Posted 2024-09-10 18:33:44

So, I've implemented my IPrincipal.IsInRole(...) and I'm using FormsAuthentication like so:

<authentication mode="Forms">
     <forms loginUrl="Login.aspx" name="someName" timeout="600"/>
</authentication>

Then I have a page that requires you to be authenticated and that you have "roleA". This is configured like so:

 <location path="SomePage.aspx">
  <system.web>
   <authorization>
    <allow roles="roleA" />
    <deny users="*"/>
   </authorization>
  </system.web>
 </location>

Now, I login to my web application, but with a user that does NOT have roleA. When I visit SomePage.aspx I get redirected to Login.aspx, the url specified in loginUrl of the forms element. So, my question is shouldn't I be able to specify an authorization denied message or url? If the user is authenticated but not authorized, why would I want to redirect to the login page? It's confusing as hell to the user. Please tell me I am missing something simple.

Thanks for reading!

Comments (3)

甚是思念 2024-09-17 18:33:45

Roles.IsUserInRole - If you're just using it for this page, throw this in the code behind. If you have a lot of pages, you could consider putting this in a base class and reading either from the web.config or the database per page. I believe this will give you the most control.

我最亲爱的 2024-09-17 18:33:45

Yeah, this is a little annoying. Maybe someone has a simpler idea, but the solution (hack?) that we came up with was to look for the originally-requested URL that ASP.NET appends to the query string when the user is redirected to the login page.

We created a new web.config section that stores a set of keys/values that match a fragment of the redirect URL to an authorization message:

<configSections>
    <section name="authorizationFailureMessages" type="System.Configuration.NameValueSectionHandler, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    ...etc...
</configSections>

<authorizationFailureMessages>
    <add key="MemberResources" value="MembershipRequired" />
    <add key="Staff" value="StaffOnly" />
    <add key="Departments/Administration/BoardOfDirectors" value="BoardOfDirectorsOnly" />
    ...etc...
</authorizationFailureMessages>

In the Page_Load() event of the Login.aspx page, we call a method that uses this URL to determine which (un)authorization event occurred, then redirect them to a message page that displays the appropriate text:

using System;                           // String.Format
using System.Collections.Specialized;   // NameValueCollection
using System.Configuration;             // ConfigurationManager
using System.Web.Security;              // FormsAuthentication

private void DisplayAppropriateAuthorizationMessage ()
{
    // Anonymous users are here to log in; only an authenticated user can have been
    // bounced to this page by an authorization failure.
    if ( !Page.User.Identity.IsAuthenticated )
        return;

    // The originally requested URL (the ReturnUrl that ASP.NET appended on redirect).
    string redirectUrl = FormsAuthentication.GetRedirectUrl( Page.User.Identity.Name, false );

    if ( string.IsNullOrEmpty( redirectUrl ) )
        return;

    // Key/value pairs from the custom <authorizationFailureMessages> web.config section.
    NameValueCollection authorizationFailureMessages = ConfigurationManager.GetSection( "authorizationFailureMessages" ) as NameValueCollection;

    if ( authorizationFailureMessages == null )
        return;

    // The first key found in the URL wins; Redirect( ..., true ) ends the response,
    // so the loop does not continue after a match.
    foreach ( string key in authorizationFailureMessages.AllKeys )
    {
        if ( redirectUrl.Contains( key ) )
        {
            // Constants.QueryStringKeys.ERRORMESSAGENAME is the poster's own application constant.
            Response.Redirect( String.Format( "Message.aspx?{0}={1}", Constants.QueryStringKeys.ERRORMESSAGENAME, authorizationFailureMessages[ key ] ), true );
        }
    }
}

篱下浅笙歌 2024-09-17 18:33:45

I basically agree with @MattPeterson's solution. But I suggest two improvements.

  1. In my view, you just tell them "according to the roles you have, you are not allowed to visit that page", and that is enough. You do not need to tell which extra roles are needed, which would expose the details of your website's authorization management.

  2. You can get the access control list from web.config (in each folder), with no need to write <add key="MemberResources" value="MembershipRequired" /> again.

I believe you should have something similar to

<authorization>
    <deny users="?" />
</authorization>

in your web.config.
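Putting the second and third answers together, here is an added example (not code from the thread or from any of its posters) of a Login.aspx code-behind that tells an authenticated-but-unauthorized user they were denied, using the existing web.config <authorization> rules rather than a second mapping and without naming the required roles. It assumes a page ~/AccessDenied.aspx exists and is allowed for all authenticated users, and that ReturnUrl is the app-local path ASP.NET generated.

```csharp
// Added example, not code from the thread: a Login.aspx code-behind that sends an
// already-authenticated user to a generic "access denied" page instead of showing
// the login form again. It re-checks the web.config <authorization> rules for the
// requested path, so the role mapping is not duplicated (the third answer's point).
// Assumption: ~/AccessDenied.aspx exists and is allowed for all authenticated users.
using System;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Anonymous visitors and form postbacks get the normal login flow.
        if (IsPostBack || !User.Identity.IsAuthenticated)
            return;

        // ReturnUrl is caller-controlled input: honour only app-local paths so the
        // redirect cannot be pointed off-site.
        string returnUrl = FormsAuthentication.GetRedirectUrl(User.Identity.Name, false);
        if (!IsLocalPath(returnUrl))
            returnUrl = FormsAuthentication.DefaultUrl;

        // Re-evaluate the <authorization> rules for the requested page and the
        // current principal; this is the same check UrlAuthorizationModule made
        // when it bounced the user to the login page.
        string requestedPath = returnUrl.Split('?')[0];
        if (UrlAuthorizationModule.CheckUrlAccessForPrincipal(requestedPath, User, "GET"))
            Response.Redirect(returnUrl, true); // access is allowed after all

        // Authenticated but not authorized: one generic message, without naming
        // the roles the page requires.
        Response.Redirect("~/AccessDenied.aspx", true);
    }

    // Accept only root-relative paths ("/x" or "~/x"); reject "//host", "/\host"
    // and absolute URLs.
    private static bool IsLocalPath(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url.StartsWith("~/", StringComparison.Ordinal)) return true;
        return url.Length > 1 && url[0] == '/' && url[1] != '/' && url[1] != '\\';
    }
}
```

Because the check reads the same <location>/<authorization> rules that UrlAuthorizationModule enforces, the denied page and the enforcement can never drift apart.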
