如何实现 ASP.NET MVC 站点的安全性以拒绝对特定组的访问?

发布于 2024-10-07 01:02:32 字数 454 浏览 4 评论 0原文

我有一个内部公司 ASP.NET MVC 网站。

要求(1):当任何人在网络上时,除了一个 AD 组(例如:AD_Sales 组)之外,他们都可以访问此站点。

要求(2):例如,如果具有访问权限的人传递一个网址(例如:http://mysite/Home/Index/Product/Letter)对于销售组人员来说,他仍然不应该访问并且需要显示一条自定义消息:“您无权查看此页面”。

如果情况是向一个 AD 组授予访问权限并拒绝所有其他组的访问,这是公平的。可以从 IIS 完成。我想知道如何做到这一点。

有人已经实现了这种情况的安全性吗?

感谢您的宝贵时间和回复。

谢谢

I have an internal corporate ASP.NET MVC website.

Requirement(1): When any person is on the network, they can access this site EXCEPT one AD Group (Example: AD_Sales group).

Requirement(2): Also like for example if a person that has the access passes a url (Ex: http://mysite/Home/Index/Product/Letter) to a sales group person, he still should NOT access and need to display a custom message saying "You are not authorised to view this page".

If the scenario is like to issue the access to one AD Group and deny access for all others, it is fairly is. It can done from IIS. I am Wondering how to do this.

Anybody has implemeted the security for this scenario?

I appreciate your time and responses.

Thanks

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

滥情空心 2024-10-14 01:02:32

我相信这对你有用...

2 步骤...
您需要做的第一件事是在您的 Global.asax.cs 中尝试将此

protected void Application_AcquireRequestState(Object sender, EventArgs e)
    {
        //Context.Handler in this state, we can access Session.
        if (Context.Handler is IRequiresSessionState || Context.Handler is IReadOnlySessionState)
        {
            //Is it a session created in this request?
            if (Session.IsNewSession)
            {
                //Am I already authenticated?
                if (User.Identity.IsAuthenticated)
                {
                    //if already authenticated, check if it is logon, if not, we just logout,
                    //else, we can continue the logon and reset the user identity.
                    string url = Request.Url.ToString();
                    if (url.IndexOf("Account/LogOn") < 0)
                    {
                        FormsAuthentication.SignOut();
                        Response.Redirect(Request.RawUrl);
                    }
                }
            }
            else
            {
                //Am I already authenticated?
                if (User.Identity.IsAuthenticated)
                {
                    try
                    {
                        /// Here we try to get the current role of the user logged in from the session 
                        SessionUser myRole = CurrentUser.GetRole();
                        string[] strRole;
                        switch (myRole)
                        {
                            case Role.ADSales:
                                {
                                    string[] Roles = { "ADSales" };
                                    strRole = Roles;
                                }
                                break;
                            case Role.DeptHead:
                                {
                                    string[] Roles = { "DeptHead" };
                                    strRole = Roles;
                                }
                                break;
                            case Role.ProductionCrew:
                                {
                                    string[] Roles = { "ProductionCrew" };
                                    strRole = Roles;
                                }
                                break;
                            case Role.Admin:
                                {
                                    string[] Roles = { "Admin" };
                                    strRole = Roles;
                                }
                                break;
                            default:
                                throw new AuthenticationException(ErrorEnum.Impossible);
                            //break;
                        }
                        Context.User = new System.Security.Principal.GenericPrincipal(Context.User.Identity, strRole); 

                    }
                    catch (Exception)
                    {
                        string url = Request.Url.ToString();
                        if (url.IndexOf("Account/LogOn") < 0)
                        {
                            FormsAuthentication.SignOut();
                            Response.Redirect(Request.RawUrl);
                        }
                    }


                }
            }
        }
    }

Next 在您的控制器中添加属性

[Authorize(Roles = "ProductionCrew,DeptHead,Admin")]   
public ActionResult Letter()
{
   Return View();
}

请注意,我没有在角色中包含 ADSales,这意味着具有所述角色的用户无法访问页面信。

希望这有帮助。如果它对您有帮助,请投票,如果它解决了您的问题,请不要忘记将其标记为答案。谢谢!

I am sure this will work for you...

2 Steps...
First thing you need to do is in your Global.asax.cs try to put this

protected void Application_AcquireRequestState(Object sender, EventArgs e)
    {
        //Context.Handler in this state, we can access Session.
        if (Context.Handler is IRequiresSessionState || Context.Handler is IReadOnlySessionState)
        {
            //Is it a session created in this request?
            if (Session.IsNewSession)
            {
                //Am I already authenticated?
                if (User.Identity.IsAuthenticated)
                {
                    //if already authenticated, check if it is logon, if not, we just logout,
                    //else, we can continue the logon and reset the user identity.
                    string url = Request.Url.ToString();
                    if (url.IndexOf("Account/LogOn") < 0)
                    {
                        FormsAuthentication.SignOut();
                        Response.Redirect(Request.RawUrl);
                    }
                }
            }
            else
            {
                //Am I already authenticated?
                if (User.Identity.IsAuthenticated)
                {
                    try
                    {
                        /// Here we try to get the current role of the user logged in from the session 
                        SessionUser myRole = CurrentUser.GetRole();
                        string[] strRole;
                        switch (myRole)
                        {
                            case Role.ADSales:
                                {
                                    string[] Roles = { "ADSales" };
                                    strRole = Roles;
                                }
                                break;
                            case Role.DeptHead:
                                {
                                    string[] Roles = { "DeptHead" };
                                    strRole = Roles;
                                }
                                break;
                            case Role.ProductionCrew:
                                {
                                    string[] Roles = { "ProductionCrew" };
                                    strRole = Roles;
                                }
                                break;
                            case Role.Admin:
                                {
                                    string[] Roles = { "Admin" };
                                    strRole = Roles;
                                }
                                break;
                            default:
                                throw new AuthenticationException(ErrorEnum.Impossible);
                            //break;
                        }
                        Context.User = new System.Security.Principal.GenericPrincipal(Context.User.Identity, strRole); 

                    }
                    catch (Exception)
                    {
                        string url = Request.Url.ToString();
                        if (url.IndexOf("Account/LogOn") < 0)
                        {
                            FormsAuthentication.SignOut();
                            Response.Redirect(Request.RawUrl);
                        }
                    }


                }
            }
        }
    }

Next in your controller add the attribute

[Authorize(Roles = "ProductionCrew,DeptHead,Admin")]   
public ActionResult Letter()
{
   Return View();
}

Take note that I did not include the ADSales in the Roles, this means that the user that has the said role cannot access the page Letter.

Hope this helps. Please vote if it helped you and don't forget to mark it as the answer if it solves your problem. Thanks!

凝望流年 2024-10-14 01:02:32

您需要在应用程序的目录上启用 Windows 身份验证。然后更改所涉及的文件/目录的 ACL 以拒绝对特定组的访问。最后,将 IIS 403 错误映射到您的拒绝访问方法。

You'll need to enable Windows Authentication on the directory of your application. Then change the ACL of the files/directory involved to deny access to the particular group. Finally, map the IIS 403 error to your access denied method.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文