Asp.Net基于forms的验证机制

  项目需要研究了下Asp.Net的基于forms的验证机制
  构建基于forms的验证机制过程如下:
  1,设置IIS为可匿名访问和asp.net web.config中设置为form验证
  2,检索数据存储验证用户,并检索角色(如果不是基于角色可不用)
  简单无role方式:
  使用FormsAuthenticationTicket创建一个Cookie并回发到客户端,并存储 角色到票中,如:
  FormsAuthentication.SetAuthCookie(Username,true | false)
  cookies保存时间:
  HttpContext.Current.Response.Cookies[FormsAuthentication.FormsCookieName].Expires=DateTime.Now.AddDays(1)
  如果需要存储角色方式:view plaincopy to clipboardprint?
  FormsAuthenticationTicket authTicket = new
  FormsAuthenticationTicket(
  1, // version
  txtUserName.Text, // user name
  DateTime.Now, // creation
  DateTime.Now.AddMinutes(20),// Expiration
  false, // Persistent
  roles ); // User data
  //roles是一个角色字符串数组
  string encryptedTicket = FormsAuthentication.Encrypt(authTicket); //加密
  FormsAuthenticationTicket authTicket = new
  FormsAuthenticationTicket(
  1, // version
  txtUserName.Text, // user name
  DateTime.Now, // creation
  DateTime.Now.AddMinutes(20),// Expiration
  false, // Persistent
  roles ); // User data
  //roles是一个角色字符串数组
  string encryptedTicket = FormsAuthentication.Encrypt(authTicket); //加密 存入Cookie view plaincopy to clipboardprint?
  HttpCookie authCookie =
  new HttpCookie(FormsAuthentication.FormsCookieName,
  encryptedTicket);
  
  Response.Cookies.Add(authCookie);
  HttpCookie authCookie =
  new HttpCookie(FormsAuthentication.FormsCookieName,
  encryptedTicket);
  Response.Cookies.Add(authCookie); 在Application_AuthenticateRequest事件中处理程序中(Global.asax)中,使用票创建IPrincipal对象并存在HttpContext.User中代码: view plaincopy to clipboardprint?
  protected void Application_AuthorizeRequest(object sender, System.EventArgs e)
  {
  HttpApplication App = (HttpApplication) sender;
  HttpContext Ctx = App.Context ; //获取本次Http请求相关的HttpContext对象
  if (Ctx.Request.IsAuthenticated == true) //验证过的用户才进行role的处理
  {
  FormsIdentity Id = (FormsIdentity)Ctx.User.Identity ;
  FormsAuthenticationTicket Ticket = Id.Ticket ; //取得身份验证票
  string[] Roles = Ticket.UserData.Split (',') ; //将身份验证票中的role数据转成字符串数组
  Ctx.User = new GenericPrincipal (Id, Roles) ; //将原有的Identity加上角色信息新建一个GenericPrincipal表示当前用户,这样当前用户就拥有了role信息
  }
  }
  protected void Application_AuthorizeRequest(object sender, System.EventArgs e)
  {
  HttpApplication App = (HttpApplication) sender;
  HttpContext Ctx = App.Context ; //获取本次Http请求相关的HttpContext对象
  if (Ctx.Request.IsAuthenticated == true) //验证过的用户才进行role的处理
  {
  FormsIdentity Id = (FormsIdentity)Ctx.User.Identity ;
  FormsAuthenticationTicket Ticket = Id.Ticket ; //取得身份验证票
  string[] Roles = Ticket.UserData.Split (',') ; //将身份验证票中的role数据转成字符串数组
  Ctx.User = new GenericPrincipal (Id, Roles) ; //将原有的Identity加上角色信息新建一个GenericPrincipal表示当前用户,这样当前用户就拥有了role信息
  }
  }需要对某些页面进行角色控制,有两种方法:
  1、web.config中加 view plaincopy to clipboardprint?
  <location path="EditPost.aspx">
  <system.web>
  <authorization>
  <allow roles="RoleName" />
  <deny users="?" />
  </authorization>
  </system.web>
  </location>
  <location path="EditPost.aspx">
  <system.web>
  <authorization>
  <allow roles="RoleName" />
  <deny users="?" />
  </authorization>
  </system.web>
  </location> 2、把只能是某种角色访问的文件放在同一目录下,在此目录下添加一个web.config view plaincopy to clipboardprint?
  <configuration>
  <system.web>
  <authorization>
  <allow roles="RoleName" />
  <deny users="*" />
  </authorization>
  </system.web>
  </configuration>
  <configuration>
  <system.web>
  <authorization>
  <allow roles="RoleName" />
  <deny users="*" />
  </authorization>
  </system.web>
  </configuration> 说明:子目录的web.config设置优先于父目录的web.config设置
  以上参考:http://www.cnblogs.com/kwklover/archive/2004/06/29/19455.aspx
http://www.donews.net/robinblood/archive/2005/04/30/358041.aspx