我的是这样的,可以借鉴一下,相互学习。
根Web.config:
<authentication mode="Forms">
<forms name="ASPXAUTH" loginUrl="login.aspx" protection="All" timeout="30" path="/">
</forms>
</authentication>
<authorization>
<allow users="*" /> <!-- 允许所有用户 -->
</authorization>
限制访问的目录web.config:
<authorization>
<deny users ="?" />
<allow roles ="Admin" />
<deny roles ="Person,Company" />
</authorization >
根Web.config:
<authentication mode="Forms">
<forms name="ASPXAUTH" loginUrl="login.aspx" protection="All" timeout="30" path="/">
</forms>
</authentication>
<authorization>
<allow users="*" /> <!-- 允许所有用户 -->
</authorization>
限制访问的目录web.config:
<authorization>
<deny users ="?" />
<allow roles ="Admin" />
<deny roles ="Person,Company" />
</authorization >
请求的身份是否是Admin
我看的就是这篇文章.
http://www.csdn.net/develop/Read_Article.asp?Id=18958接分了.
Default.aspx
<%@ Import Namespace="System.Web.Security " %>
<HTML>
<script language="C#" runat="server">
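// Page_Load: greet the authenticated user and echo whether the current principal is in the "Admin" role.
// Src: the page raising the event; E: event data (unused).
void Page_Load(Object Src, EventArgs E )
{
    // Identity.Name is whatever was typed into the login form (it travels inside the forms ticket),
    // and Label.Text is rendered as raw HTML, so encode it before putting it on the page.
    Welcome.Text = "Hello, " + Server.HtmlEncode(User.Identity.Name);
    // Diagnostic output: "True"/"False" depending on whether a role was attached to the principal.
    Response.Write(User.IsInRole("Admin"));
}

// Signout_Click: clear the forms-authentication cookie and send the browser back to the login page.
void Signout_Click(Object sender, EventArgs E)
{
    FormsAuthentication.SignOut();
    Response.Redirect("../Member/Login.aspx");
}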
</script>
<body>
<h3><font face="宋体">使用 Cookie 身份验证</font></h3>
<form runat="server" ID="Form1">
<h3><asp:label id="Welcome" runat="server" /><BR>
<BR>
<asp:Button id="Button1" OnClick="Signout_Click" runat="server" Text="SignOut"></asp:Button></h3>
</form>
</body>
</HTML>
_________________________________________________________________________________
Login.aspx
<%@ Import Namespace="System.Web.Security " %>
<%@ Import Namespace="System.Data.SqlClient" %>
<%@ Import Namespace="System.Security.Principal" %>
<HTML>
<script language="C#" runat="server">
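// Role of the user that last passed ValidateUser; written there, read by Login_Click when building the ticket.
string urole = "";

// Login_Click: validate the posted credentials, issue a forms ticket whose UserData carries the
// user's role, and send the browser back to the page it originally requested.
private void Login_Click(object sender, System.EventArgs e)
{
    string user = UserName.Value;     // user name from the form
    string password = UserPass.Value; // password from the form
    if (ValidateUser(user, password))
    {
        // The ticket is built by hand (instead of RedirectFromLoginPage) so that UserData can carry
        // the role; Application_AuthenticateRequest splits UserData back into roles on each request.
        // The "persistent cookie" checkbox is intentionally not honoured: the cookie is always a session cookie.
        FormsAuthenticationTicket Ticket = new FormsAuthenticationTicket(1, user, DateTime.Now, DateTime.Now.AddMinutes(30), false, urole, "/");
        string HashTicket = FormsAuthentication.Encrypt(Ticket); // encrypt + serialise the ticket
        HttpCookie UserCookie = new HttpCookie(FormsAuthentication.FormsCookieName, HashTicket);
        // NOTE(review): on .NET 2.0 or later, setting UserCookie.HttpOnly = true keeps the ticket out of reach of page script.
        Context.Response.Cookies.Add(UserCookie);

        // Only follow ReturnUrl when it is a path inside this site. It is request-supplied, so an
        // absolute URL or a scheme-relative "//host" would turn this login page into an open redirect.
        string returnUrl = Context.Request["ReturnUrl"];
        if (!IsLocalUrl(returnUrl))
        {
            returnUrl = Context.Request.ApplicationPath;
        }
        Context.Response.Redirect(returnUrl);
    }
    else
    {
        Msg.Text = "凭据无效:请再试一次";
    }
}

// IsLocalUrl: true only for site-relative paths ("/...", but not "//..." or "/\..."), which is the
// form FormsAuthentication itself puts in ReturnUrl. Null or empty is not local.
private static bool IsLocalUrl(string url)
{
    if (url == null || url.Length == 0)
    {
        return false;
    }
    if (url[0] != '/')
    {
        return false;
    }
    if (url.Length > 1 && (url[1] == '/' || url[1] == '\\'))
    {
        return false;
    }
    return true;
}

// ValidateUser: look the user up by name and compare the posted password with the stored one.
// Returns true on a match and, as a side effect, stores the user's role in urole.
// NOTE(review): the "Pwd" column is compared in clear text, i.e. the database holds plaintext
// passwords; storing a salted hash and comparing hashes would remove that exposure.
// NOTE(review): the connection string embeds a SQL login; it belongs in web.config, not in the page.
private bool ValidateUser(string uid, string passwd)
{
    // using-blocks close the connection and reader even when ExecuteReader throws;
    // the earlier version leaked the connection on any exception.
    using (SqlConnection cnn = new SqlConnection("server=san;uid=NetGame;pwd=123456;database=NetGameCard"))
    {
        // The user name is bound as a parameter rather than concatenated into the SQL text,
        // so a crafted name cannot alter the query.
        SqlCommand cmd = new SqlCommand("Select * from users where uname=@uname", cnn);
        cmd.Parameters.Add(new SqlParameter("@uname", uid));
        cnn.Open();
        using (SqlDataReader dr = cmd.ExecuteReader())
        {
            while (dr.Read())
            {
                if (dr["Pwd"].ToString().Trim() == passwd)
                {
                    urole = dr["userRole"].ToString().Trim();
                    return true;
                }
            }
        }
    }
    return false;
}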
</script>
<body>
<form id="Form1" runat="server">
<h3><font face="宋体">登录页</font></h3>
<table>
<tr>
<td>用户名:</td>
<td><input id="UserName" type="text" name="UserName" runat="server"></td>
<td><ASP:REQUIREDFIELDVALIDATOR id="Requiredfieldvalidator1" runat="server" ErrorMessage="*" Display="Static" ControlToValidate="UserName"></ASP:REQUIREDFIELDVALIDATOR></td>
</tr>
<tr>
<td>密码:</td>
<td><input id="UserPass" type="password" name="UserPass" runat="server"></td>
<td><ASP:REQUIREDFIELDVALIDATOR id="Requiredfieldvalidator2" runat="server" ErrorMessage="*" Display="Static" ControlToValidate="UserPass"></ASP:REQUIREDFIELDVALIDATOR></td>
</tr>
<tr>
<td>持久的 Cookie:</td>
<td><ASP:CHECKBOX id="PersistCookie" runat="server"></ASP:CHECKBOX></td>
<td></td>
</tr>
</table>
<FONT face="宋体">
<BR>
<asp:button id="Button1" OnClick="Login_Click" runat="server" Text="SignIn"></asp:button><BR>
<BR>
</FONT>
<p><asp:label id="Msg" runat="server" Font-Size="10" Font-Name="Verdana" ForeColor="red"></asp:label></p>
</form>
</body>
</HTML>
______________________________________________________________________________
web.config
<authentication mode="Forms">
<forms name="ASPXAUTH" loginUrl="Login.aspx" path="/" timeout="30" />
</authentication>
<authorization>
<deny users="?"/>
<allow roles="Admin"/>
<deny roles="Manager,User"/>
</authorization>
除了这些还需要配置别的环境吗?
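// Application_AuthenticateRequest: after forms authentication has identified the caller, rebuild
// the principal so that it also carries the roles stored in the ticket's UserData.
// sender: the HttpApplication for this request; e: event data (unused).
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    HttpApplication App = (HttpApplication)sender;
    HttpContext Ctx = App.Context; // the HttpContext for this request
    if (Ctx.Request.IsAuthenticated) // only authenticated users get role processing
    {
        // The identity is a FormsIdentity only when forms authentication produced it; skip anything
        // else instead of throwing an InvalidCastException on every request.
        System.Web.Security.FormsIdentity Id = Ctx.User.Identity as System.Web.Security.FormsIdentity;
        if (Id != null)
        {
            System.Web.Security.FormsAuthenticationTicket Ticket = Id.Ticket; // the authentication ticket
            string[] Roles = Ticket.UserData.Split(','); // UserData holds the comma-separated roles written at login
            // Replace the principal with one that knows the roles, so User.IsInRole works downstream.
            Ctx.User = new System.Security.Principal.GenericPrincipal(Id, Roles);
        }
    }
}
Default.aspx:
//判断登录和取得角色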
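// Determine whether the visitor is logged in and, if so, turn the role carried in the ticket
// into a display name for the welcome label.
if (HttpContext.Current.Request.IsAuthenticated)
{
    // Only a FormsIdentity carries a ticket; anything else yields no role instead of an InvalidCastException.
    System.Web.Security.FormsIdentity Id = HttpContext.Current.User.Identity as System.Web.Security.FormsIdentity;
    // Roles[0] is read straight from the ticket's UserData (the comma-separated role list written at login).
    string[] Roles = Id != null ? Id.Ticket.UserData.Split(',') : new string[] { "" };
    string LoginName = HttpContext.Current.User.Identity.Name;
    string RoleName = "";
    if (Roles[0] == "mCompany")
    {
        RoleName = "公司会员";
    }
    if (Roles[0] == "Person")
    {
        RoleName = "个人会员";
    }
    // Logged in. The label text is rendered as HTML (note the <b> tags), so the user-supplied
    // name is encoded before it is concatenated in.
    lblAboutLogin.Text = "欢迎您,<b>" + System.Web.HttpUtility.HtmlEncode(LoginName) + "</b>," + RoleName;
}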
<authentication mode="Forms">
<forms name="ASPXAUTH" loginUrl="Login.aspx" path="/" timeout="30" />
</authentication>
<authorization>
<deny users="?"/>
<allow roles="Admin"/>
<deny roles="Manager,User"/>
</authorization>
我用不是Admin角色的用户登录也可以返回到Default.aspx,并且在Default里面用HttpContext.Current.User.IsInRole("Admin"),返回false,说明role信息没有追加到当前用户中,并且将Global.asax中的代码去掉效果还是一样.
HttpContext Ctx = App.Context ; // the HttpContext for this request (App is the HttpApplication sender, declared outside this excerpt)
if (Ctx.Request.IsAuthenticated == true) // only authenticated users get role processing
{
System.Web.Security.FormsIdentity Id = (System.Web.Security.FormsIdentity)Ctx.User.Identity ; // NOTE(review): unchecked cast; throws if the identity is not a FormsIdentity
System.Web.Security.FormsAuthenticationTicket Ticket = Id.Ticket ; // the authentication ticket
string[] Roles = Ticket.UserData.Split (',') ; // UserData holds the comma-separated roles written at login
Ctx.User = new System.Security.Principal.GenericPrincipal(Id, Roles) ; // replace the principal with one that carries the roles, so User.IsInRole works
}
在Default.aspx里用HttpContext.Current.User.IsInRole("Admin"),还是返回false。我的目录结构是这样的:
root\(Global.asax)
root\Business(Default.aspx.Login.aspx,web.config)
可以把你的代码发给我看看吗?发到我邮箱里,不胜感激
另外我不明白,你的登录界面login.aspx放在只有admin可以访问的目录里,那别人怎么登录?
应该是web.config的配置问题,将其写为:
<authentication mode="Forms">
<forms name="ASPXAUTH" loginUrl="../Member/Login.aspx" path="/" timeout="30" />
</authentication>
<authorization>
<deny users="?"/>
<allow roles="Admin"/>
<deny roles="User,Manager"/>
</authorization>
HttpContext.Current.Request.IsAuthenticated返回false,但可以返回Default.aspx。将其写为:
<authentication mode="Forms">
<forms name="ASPXAUTH" loginUrl="../Member/Login.aspx" path="/" timeout="30" />
</authentication>
<authorization>
<deny users="*"/>
<allow roles="Admin"/>
<deny roles="User,Manager"/>
</authorization>
HttpContext.Current.Request.IsAuthenticated返回true,但不能返回Default.aspx
HttpContext.Current.User.IsInRole("Admin")返回true
但为什么还是不能返回Default.aspx?