zoukankan      html  css  js  c++  java
  • asp.net 认证与授权

    1.下面的例子在web.config文件中配置网站使用asp.net forms 身份认证方式:

    <configuration> 
        <system.web> 
            <authentication mode="Forms"> 
                <forms name="MyAppCookie" 
                       loginUrl="~/Login.aspx" 
                       protection="All" 
                       timeout="30" path="/" /> 
            </authentication> 
            ... 
        </system.web> 
    </configuration>

    Forms 认证设置:

    属性 描述
    name
    The name of the HTTP cookie to use fo r authentication (defaults to .ASPXAUTH). If multiple applications are running on the same web server, you should give each application’s security cookie a unique name.
    loginUrl Your custom login page, where the user is redirected if no valid authentication cookie is found. The default value is Login.aspx.
    protection The type of encryption and validation used for the security cookie (can be All, None, Encryption, or Validation). Validation ensures the cookie isn’t changed during transit,and encryption (typically Triple-DES) is used to encode its contents. The default value is All.
    timeout The number of idle minutes before the c ookie expires. ASP.NET will refresh the cookie every time it receives a request. The default value is 30.
    path The path for cookies issued by the app lication. The default value (/) is recommended, because case mismatches can prevent the c ookie from being sent with a request.

    2.Authorization Rules(授权规则)

    <authorization> 
        <allow users="*" /> 
        <deny users="?" /> 
    </authorization>

    When evaluating rules, ASP.NET scans through the list from top to bottom and then continues with the settings in any .config file inherited from a parent directory, ending with the settings in the base machine.config file. As soon as it finds an applicable rule, it stops it s search. Thus, in the previous case, it will determine that the rule <allow  users="*"> applies to the current request and will not evaluate the second line. This means these rules will allow all users, including anonymous users.

    <authorization> 
        <deny users="?" /> 
        <allow users="*" /> 
    </authorization>

    Now these rules will deny anonymous users (by matching the first rule) and allow all other users (by matching the second rule).

    3.The Login Page(登录页)

    ASP.NET provides a special FormsAuthentication class in the System.Web.Security namespace, which provides static methods that help manage the process.

    public partial class Login : System.Web.UI.Page 
    { 
        protected void cmdLogin_Click(Object sender, EventArgs e) 
        { 
            if (txtPassword.Text.ToLower() == "secret") 
            { 
                FormsAuthentication.RedirectFromLoginPage( 
                  txtName.Text, false); 
            } 
            else 
            { 
                lblStatus.Text = "Try again."; 
            } 
        } 
    }

    The RedirectFromLoginPage() method requires two parameters. The first sets the name of the user. The second is a Boolean variable that specifies whether you want to create a persistent cookie (one that stays on the user’s hard drive for a longer period of time).

    4.Retrieving the User’s Identity

    Once the user is logged in, you can retrieve the identity through the built-in User property, as shown here:

    protected void Page_Load(Object sender, EventArgs e) 
    { 
        lblMessage.Text = "You have reached the secured page, "; 
        lblMessage.Text += User.Identity.Name + "."; 
    }

    5.Signing Out

    private void cmdSignOut_Click(Object sender, EventArgs e) 
    { 
        FormsAuthentication.SignOut(); 
        Response.Redirect("~/Login.aspx"); 
    }

    6.Persistent Cookies(持久cookie)

    A persistent authentication cookie remains on the user’s hard drive and keeps the user signed in for hours, days, or weeks—even if the user closes and reopens the browser.

    Creating a persistent cookie requires a bit more code than creating a standard forms authentication cookie. Instead of using the RedirectFromLoginPage() method, you need to manually create the authentication ticket, set its expiration time, encrypt it , attach it to the request, and then redirect the user to the requested page. All of these tasks are easy, but it’s important to perform them all in the correct order.

    The following code examines a check box named chkPersist. If it’s selected, the code creates a persistent cookie that lasts for 20 days:

    // Perform the authentication. 
    if (txtPassword.Text.ToLower() == "secret") 
    { 
        if (chkPersist.Checked) 
        { 
            // Use a persistent cookie that lasts 20 days. 
            // The timeout must be specified as a number of minutes. 
            int timeout = (int)TimeSpan.FromDays(20).TotalMinutes; 
     
            // Create an authentication ticket. 
            FormsAuthenticationTicket ticket = new 
              FormsAuthenticationTicket(txtName.Text, true, cookietimeout); 
     
            // Encrypt the ticket (so people can't steal it as it travels over 
            // the Internet). 
            string encryptedTicket = FormsAuthentication.Encrypt(ticket); 
     
            // Create the cookie for the ticket, and put the ticket inside. 
            HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, 
              encryptedTicket); 
            // Give the cookie and the authentication ticket the same expiration. 
            cookie.Expires = ticket.Expiration;  
     
            // Attach the cookie to the current response. It will now travel back to 
            // the client, and then back to the web server with every new request. 
            HttpContext.Current.Response.Cookies.Set(cookie); 
     
            // Send the user to the originally requested page. 
            string requestedPage = FormsAuthentication.GetRedirectUrl(txtName.text, 
              false); 
            Response.Redirect(requestedPage, true); 
        }
        else 
        { 
            // Use the standard authentication method. 
            FormsAuthentication.RedirectFromLoginPage( 
              txtName.Text, false); 
        } 
    }

    It’s worth noting that the FormsAuthentication.SignOut() method will always remove the forms authentication cookie, regardless of whether it is a normal cookie or a persistent cookie.

  • 相关阅读:
    Tomcat下HTTPS双向认证配置以及客户端调用案例
    Java本地运行中文正常,部署到Weblogic中文乱码
    gson 忽略掉某些字段不进行转换
    JavaScript中定义对象的四种方式
    使用CSS3实现超炫的Loading(加载)动画效果
    不要再使用JS框架了
    HTML5, CSS3, ES5新的web标准和浏览器支持一览 转
    js常用的事件对象
    jQuery用面向对象的思想来编写验证表单的插件
    五个值得尝试的前端开发工具
  • 原文地址:https://www.cnblogs.com/weekend001/p/3661766.html
Copyright © 2011-2022 走看看