Allow/deny application access using global.asax events

Published 2024-11-29 19:14:30  Words 5898  Views 0  Comments 0

I have an ASP .NET web application (runs only on the Intranet) where I am using a simple user authorization model. I have a table called tblApplicationAccess which has TWO fields – UserID and AccessLevel.

For example,
UserID: John.Smith, Access Level: 2

(1 – General Access, 2 – Data Entry Access, 3 – Super User, 4 – Developer Access)

I am using the Session_Start event in global.asax to authorize the user. Here is the code,

protected void Session_Start(object sender, EventArgs e)
{
    // Strip the "DOMAIN\" prefix from the Windows identity. NOTE: Substring(5) assumes a
    // four-character domain name and throws if the name is shorter (e.g. an anonymous request).
    string strUserID = User.Identity.Name.Substring(5);
    bool isAllowedToView = false;

    // UtilityClass is a root level class with various methods that I use throughout the application.
    // QUESTION: Could this be the problem? Since it is at root level (alongside all the pages), could it be the case that this resource isn't checked for user access?

    UtilityClass.StrCurrentSessionID = this.Session.SessionID;

    // Add a row to BLSC_tblSession. The values are bound as parameters instead of being
    // concatenated into the SQL text, so the user name cannot alter the statement and the
    // dates are sent as DATETIME rather than as a culture-dependent string.
    string strConnectionString = UtilityClass.GetConnectionString("My Application");
    string strQueryStartSession = "INSERT INTO BLSC_tblSession " +
                                  "(SessionID, UserID, SessionStatus, StartTime, EndTime) " +
                                  "VALUES (@SessionID, @UserID, 'Active', @StartTime, @EndTime)";

    // Deny by default: the redirect target is only cleared when the access check succeeds,
    // so a failed INSERT or a thrown exception cannot let the user through (fail closed).
    string strRedirectUrl = "Some URL";

    try
    {
        using (SqlConnection connStartSession = new SqlConnection(strConnectionString))
        using (SqlCommand sqlStartSession = new SqlCommand(strQueryStartSession, connStartSession))
        {
            DateTime dtStart = DateTime.Now;
            sqlStartSession.Parameters.AddWithValue("@SessionID", this.Session.SessionID);
            sqlStartSession.Parameters.AddWithValue("@UserID", strUserID);
            sqlStartSession.Parameters.AddWithValue("@StartTime", dtStart);
            sqlStartSession.Parameters.AddWithValue("@EndTime", dtStart.AddDays(1));

            connStartSession.Open();
            int nRowsReturned = sqlStartSession.ExecuteNonQuery();
            if (nRowsReturned == 0)
                throw new Exception("Session could not be started.");
        }   // the using blocks dispose the command and close the connection, also on exceptions

        // Authorize User
        // Check if user has access to the application. If not, redirect to UnauthorizedAccess.aspx
        // Check for access level 1.
        // IMPORTANT: For Dev server change access level to 4.
        isAllowedToView = UtilityClass.CheckUserAccess(strUserID, 1);
        if (!isAllowedToView)
        {
            UtilityClass.WriteToLog("Application Access Denied: UserID - " + strUserID, 1);
        }
        else
        {
            strRedirectUrl = null;

            // Browser detection
            string strBrowserName = Request.Browser.Browser;
            if (strBrowserName != "IE")
            {
                UtilityClass.WriteToLog("Non-supported browser usage detected: UserID - " + strUserID + ", Browser - " + strBrowserName, 0);
                strRedirectUrl = "Some other URL";
            }
        }
    }
    catch (SqlException SqlEx)
    {
        UtilityClass.HandleError("Global.asax", "Session_Start", SqlEx.Message);
    }
    catch (Exception Ex)
    {
        UtilityClass.HandleError("Global.asax", "Session_Start", Ex.Message);
    }

    // Redirect outside the try block: Response.Redirect(url) ends the response by throwing
    // ThreadAbortException, which the catch (Exception) above would otherwise report through
    // HandleError on every redirect.
    if (strRedirectUrl != null)
        Response.Redirect(strRedirectUrl);
}

UtilityClass.CheckUserAccess

public static bool CheckUserAccess(string UserID, int RequiredAccessLevel)
{
    bool bReturn = false;
    // UserID is bound as a parameter rather than concatenated into the query text.
    string strQueryCheckUserAccess = "SELECT AccessLevel " +
                                     "FROM BLSC_tblApplicationAccess " +
                                     "WHERE UserID = @UserID";
    string strConnectionString = GetConnectionString("My Application");
    try
    {
        if (strConnectionString != String.Empty)
        {
            using (SqlConnection connCheckUserAccess = new SqlConnection(strConnectionString))
            using (SqlCommand sqlCheckUserAccess = new SqlCommand(strQueryCheckUserAccess, connCheckUserAccess))
            {
                sqlCheckUserAccess.Parameters.AddWithValue("@UserID", UserID);
                connCheckUserAccess.Open();

                // ExecuteScalar returns null when no row matches and DBNull when AccessLevel
                // is NULL; both cases leave bReturn false and deny access.
                object TemporaryPlaceHolder = sqlCheckUserAccess.ExecuteScalar();
                if (TemporaryPlaceHolder != null && TemporaryPlaceHolder != DBNull.Value)
                {
                    int nUserAccessLevel = Convert.ToInt32(TemporaryPlaceHolder);
                    bReturn = nUserAccessLevel >= RequiredAccessLevel;
                }
            }   // connection and command are disposed here, also when an exception is thrown
        }
    }
    catch (SqlException SqlEx)
    {
        HandleError("UtilityClass.cs", "CheckUserAccess", SqlEx.Message);
    }
    catch (Exception Ex)
    {
        HandleError("UtilityClass.cs", "CheckUserAccess", Ex.Message);
    }
    // false on any error: the check fails closed
    return bReturn;
}

The Problem:
My application does not load in the production environment.

The application runs using Windows Authentication. To be precise, we have DomainName\ApplicationServer$ accessing SQL Server and not individual users.

My Question:

If I want to check application access using my current model and the global.asax events, where is the best place to put it? Am I doing something grossly wrong here? I need to write to the session table for logging events and cannot use role-based authentication that ASP .NET provides.

Comments (1)

流绪微梦 2024-12-06 19:14:30

From my perspective, Session_Start looks like a good place to do such things.
At first, try to figure out why it does not load in production and see whether any unhandled exceptions occur:

  1. Try adding logs in the protected void Application_Error(Object sender, EventArgs e)
     handler in the global.asax file
  2. Subscribe to HttpApplication.Error
  3. See the Windows Event Log
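The three steps above combined in one Global.asax.cs, as an added example that is not code from the question or the answer: an Application_Error handler and an equivalent HttpApplication.Error subscription that both write the unhandled exception from Server.GetLastError() to the Windows Event Log. The event source name "MyApplication" is a placeholder.

```csharp
using System;
using System.Diagnostics;
using System.Web;

// Global.asax.cs (added example). Both routes below feed the same logging method;
// enable only one of them, otherwise each error is written twice. The event source
// name is a placeholder and must be registered once on the server (elevated) with
// EventLog.CreateEventSource before the application writes to it.
public class Global : HttpApplication
{
    private const string EventSource = "MyApplication";   // placeholder name

    // Route 1: the conventionally named handler that ASP.NET wires up by itself.
    protected void Application_Error(object sender, EventArgs e)
    {
        LogUnhandledError("Application_Error");
    }

    // Route 2: an explicit subscription to HttpApplication.Error. Init() runs once per
    // HttpApplication instance, which is where instance events must be subscribed.
    public override void Init()
    {
        base.Init();
        // this.Error += (s, args) => LogUnhandledError("HttpApplication.Error");
    }

    private void LogUnhandledError(string route)
    {
        Exception ex = Server.GetLastError();
        if (ex == null)
            return;
        // ASP.NET wraps page/handler exceptions in HttpUnhandledException; log the innermost
        // one so the entry names the real failure (e.g. a SqlException from Session_Start).
        Exception root = ex.GetBaseException();
        string url = "(no request)", user = "(anonymous)";
        try
        {
            url = Request.RawUrl;
            if (Request.IsAuthenticated) user = User.Identity.Name;
        }
        catch (HttpException) { /* Request is not available while the application is starting */ }

        string entry = string.Format("[{0}] {1}: {2}\nUser: {3}\nURL: {4}\n\n{5}",
                                     route, root.GetType().FullName, root.Message, user, url, root);
        try { EventLog.WriteEntry(EventSource, entry, EventLogEntryType.Error); }
        catch (Exception) { /* a failing logger must never take the application down */ }
        // Server.ClearError() is deliberately not called, so the configured error page still shows.
    }
}
```

Entries land in the Application log under the placeholder source, so the Event Viewer shows the real exception type and message even when the browser only gets a generic error page.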