页面请求过程:
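根据这个流程,网上一般的权限验证放在 HttpModule 的 AuthorizeRequest 或 PreRequestHandlerExecute 事件中进行。例如使用前者:
using System;
using System.Web;
using System.Security.Principal;

namespace MyModules
{
    /// <summary>
    /// Sample HttpModule that authenticates every request from a "userid"/"password"
    /// pair carried in the request and installs a <see cref="GenericPrincipal"/>
    /// carrying the resolved roles on <c>HttpContext.User</c>.
    /// Note: the handler is attached to AuthenticateRequest, not the AuthorizeRequest
    /// event named in the surrounding text; AuthenticateRequest is the stage where the
    /// principal is meant to be established and it runs before AuthorizeRequest.
    /// </summary>
    public class CustomModule : IHttpModule
    {
        public CustomModule()
        {
        }

        public void Dispose()
        {
        }

        /// <summary>Subscribes the authentication handler to the application pipeline.</summary>
        public void Init(HttpApplication app)
        {
            app.AuthenticateRequest += new EventHandler(this.AuthenticateRequest);
        }

        /// <summary>
        /// Reads the credentials, resolves the roles and sets the request principal.
        /// Every failure path leaves the method immediately, so a request that failed
        /// authentication never reaches the line that assigns <c>context.User</c>.
        /// </summary>
        private void AuthenticateRequest(object o, EventArgs e)
        {
            HttpApplication app = (HttpApplication)o;
            HttpContext context = app.Context;

            // SECURITY: Request[...] merges QueryString, Form, Cookies and ServerVariables,
            // so the password can travel in the URL (web-server logs, proxies, Referer
            // headers). Real deployments should read Request.Form only and require HTTPS.
            string userid = app.Request["userid"];
            string password = app.Request["password"];

            if (userid == null || password == null)
            {
                context.Response.Write("未提供必需的参数!!");
                context.Response.End();
                return; // Response.End aborts the request thread; the return makes the intent explicit.
            }

            string[] strRoles = AuthenticateAndGetRoles(userid, password);

            if (strRoles == null || strRoles.Length == 0)
            {
                context.Response.Write("未找到相配的角色!!");
                // CompleteRequest() skips the remaining pipeline stages but does NOT stop
                // this method. The original fell through here and still attached a
                // GenericPrincipal for a user whose credentials had just been rejected.
                app.CompleteRequest();
                return;
            }

            GenericIdentity objIdentity = new GenericIdentity(userid, "CustomAuthentication");
            context.User = new GenericPrincipal(objIdentity, strRoles);
        }

        /// <summary>
        /// Demo credential check: returns the roles of a known user, or null when the
        /// pair does not match.
        /// SECURITY: credentials are hard-coded in plaintext and compared with an ordinary
        /// (non-constant-time) string comparison. This is illustration only; production
        /// code must look the user up in a store and verify a salted password hash.
        /// </summary>
        /// <param name="r_strUserID">User name as supplied in the request.</param>
        /// <param name="r_strPassword">Password as supplied in the request.</param>
        /// <returns>Role names for the user, or null if authentication failed.</returns>
        private string[] AuthenticateAndGetRoles(string r_strUserID, string r_strPassword)
        {
            string[] strRoles = null;

            // Ordinal comparison is what string.Equals(string) already does; spelled out
            // so nobody "fixes" it into a culture-sensitive or case-insensitive compare.
            if (string.Equals(r_strUserID, "Steve", StringComparison.Ordinal)
                && string.Equals(r_strPassword, "15seconds", StringComparison.Ordinal))
            {
                strRoles = new string[] { "Administrator" };
            }
            else if (string.Equals(r_strUserID, "Mansoor", StringComparison.Ordinal)
                && string.Equals(r_strPassword, "mas", StringComparison.Ordinal))
            {
                strRoles = new string[] { "User" };
            }

            return strRoles;
        }
    }
}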
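编辑Web.config文件:
<system.web>
  <httpModules>
    <!-- Registers MyModules.CustomModule (assembly "Custom") so its Init runs for every request.
         NOTE(review): this is the classic-pipeline location. Under IIS 7+ integrated mode the
         registration is expected under <system.webServer><modules> and the httpModules entry
         may be rejected by configuration validation - confirm against the target IIS. -->
    <add name="Custom" type="MyModules.CustomModule,Custom" />
  </httpModules>
</system.web>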
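Custom.aspx页面内容:
<script language="c#" runat="server">
    // Greets the current user and reports which role Context.User carries.
    // User.Identity.Name is whatever the HttpModule put into the GenericIdentity, i.e. the
    // "userid" request parameter. With the module above only the two hard-coded names get
    // this far, but any other principal source would make this attacker-controlled text.
    public void page_load(Object obj, EventArgs e)
    {
        // HtmlEncode before concatenating into markup: the original wrote the raw name
        // straight into the <H1>, which is a reflected-XSS pattern.
        lblMessage.Text = "<H1>Hi, " + Server.HtmlEncode(User.Identity.Name) + "</H1>";

        if (User.IsInRole("Administrator"))
        {
            lblRole.Text = "<H1>You are an Administrator</H1>";
        }
        else if (User.IsInRole("User"))
        {
            lblRole.Text = "<H1>You are a normal user</H1>";
        }
    }
</script>
<form runat="server">
    <asp:Label id="lblMessage" forecolor="red" font-size="10pt" runat="server" />
    <asp:Label id="lblRole" forecolor="red" font-size="10pt" runat="server" />
</form>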
或者使用后者(注意:下面的示例实际挂接在 AcquireRequestState 事件上,而不是 PreRequestHandlerExecute):
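using System;
using System.Web;

namespace MyModule
{
    /// <summary>
    /// Sample HttpModule that authorises each request against the application module
    /// (page group) the requested URL belongs to, using the User object kept in session.
    /// It hooks AcquireRequestState, presumably because session state is not yet
    /// available at AuthenticateRequest/AuthorizeRequest.
    /// </summary>
    public class MyModule : IHttpModule
    {
        /// <summary>Subscribes the authorisation check to the pipeline.</summary>
        public void Init(HttpApplication application)
        {
            application.AcquireRequestState += new EventHandler(this.Application_AcquireRequestState);
        }

        /// <summary>
        /// Looks up the logged-in user, resolves the module for the requested path and
        /// sends the request to the error page when the user lacks the right.
        /// </summary>
        private void Application_AcquireRequestState(Object source, EventArgs e)
        {
            HttpApplication Application = (HttpApplication)source;
            HttpContext context = Application.Context;

            // The original spelled this "Sesseion" and omitted the cast; neither compiles.
            // NOTE(review): Session["User"] is null for anyone who has not logged in, and
            // Session itself is null when session state is disabled for the request.
            // RightChecker.HasRight must treat a null user as "no rights" so this check
            // fails closed - confirm against its implementation.
            User user = (User)context.Session["User"];

            string url = context.Request.Path; // path of the page the client requested

            Module module = xx; // TODO: resolve the module from url (left as a placeholder in the original)

            if (!RightChecker.HasRight(user, module))
            {
                // Denied: hand the request to the error page.
                // NOTE(review): Server.Transfer from inside a module, before any handler has
                // run, is fragile; Response.Redirect or Context.RewritePath are the usual
                // choices at this stage - confirm which the application expects.
                context.Server.Transfer("ErrorPage.aspx");
            }
        }

        public void Dispose()
        {
        }
    }
}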