https://www.codeproject.com/Articles/36836/Forms-Authentication-and-Role-based-Authorization

Problem Space

Sad, but true, “Forms authentication in ASP.NET does not directly support role based authorization”. If you have ended up implementing Forms authentication along with configuring authorization rules for “users” and “roles” in the web.config, you are going to see the access rules working fine for “users”, but, not working at all for “roles”. You might have thought, there must be some way to specify user roles in the famous FormsAuthentication.RedirectFromLoginPage(), or, any other method. But, there isn't!

Background

This is really surprising because, in real life, most applications (if not all) actually require authorization of system resources based upon user roles, not user names. So, if you are going to use Forms authentication in your upcoming ASP.NET application, and you need to implement role based authorization in your system, you have a problem.

Wait, this is not entirely true, because of two reasons:

Reason 1: Since ASP.NET 2.0, we have Membership. It includes Membership (User) service, Role service, and Profile (User properties) service. And, using Membership, you can easily implement Role based authorization in your ASP.NET application.

Reason 2: Even if you don't use Membership, you can write some code to implement Role based authorization in Forms authentication. Basically, you need to create the authentication ticket yourself and push the user roles in the “UserData” property after authenticating the user. Also, you need to retrieve user roles from the same “UserData” property in the authentication ticket and set it in the current User property in the subsequent requests. This trick works, and many have done this already.

So, What is this Article About?

Well, this article assumes that you did use Forms authentication directly instead of ASP.NET Membership in your application for some good reasons. Consequently, you implemented Role based authorization as suggested by lots of articles on the web (like this one). But I tell you, you probably ended up doing an incorrect and incomplete implementation, and you might have problems in the near future.

This article is going to address the problems with the suggested implementation approaches, and provide you a correct, smart, and quick way of implementing Role based authorization in case you are not using ASP.NET Membership in your system. All you'll need is 5 minutes to implement this!

Please take a look at this article before you proceed, in case you are new to ASP.NET and wondering about Forms Authentication.

Forms Authentication and Role based Authorization: A Quicker, Simpler, and Correct Approach的更多相关文章

  1. forms authentication原理

    细说ASP.NET Forms身份认证 asp.net 登陆验证 Form表单验证的3种方式 Understanding and Implementing ASP.NET Custom Forms A ...

  2. Forms Authentication in ASP.NET MVC 4

    原文:Forms Authentication in ASP.NET MVC 4 Contents: Introduction Implement a custom membership provid ...

  3. Azure ARM (16) 基于角色的访问控制 (Role Based Access Control, RBAC) - 使用默认的Role

    <Windows Azure Platform 系列文章目录> 今天上午刚刚和客户沟通过,趁热打铁写一篇Blog. 熟悉Microsoft Azure平台的读者都知道,在老的Classic ...

  4. An Overview of Forms Authentication (C#)

    https://docs.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-security/introduction/an-o ...

  5. SSRS 2016 Forms Authentication

    SSRS 2016 comes with completely new report manager web interface and implementing form authenticatio ...

  6. How does ASP.NET Forms Authentication really work?

    I've always wondered how exactly ASP.NET forms authentication works. Yes, I know how to configure Fo ...

  7. Nancy之Forms authentication的简单使用

    一.前言 想必大家或多或少都听过微软推出的ASP.NET Identity技术,可以简单的认为就是一种授权的实现 很巧的是,Nancy中也有与之相类似的技术Authentication,这两者之间都用 ...

  8. Nancy 学习-身份认证(Forms authentication) 继续跨平台

    开源 示例代码:https://github.com/linezero/NancyDemo 上篇讲解Nancy的Basic Authentication,现在来学习Nancy 的Forms身份认证. ...

  9. ASP.NET 4.0 forms authentication issues with IE11

    As I mentioned earlier, solutions that rely on User-Agent sniffing may break, when a new browser or ...

随机推荐

  1. [ English ] Ping sb.

    What does "Ping Me" mean?   Recently, when I asked a colleague to ping me, he responded wi ...

  2. 水题 O

    Bob 和 Alice 开始使用一种全新的编码系统.它是一种基于一组私有钥匙的.他们选择了n个不同的数a1 , . . .,an, 它们都大于0小于等于n. 机密过程如下:待加密的信息放置在这组加密钥 ...

  3. Message对象

    一)描述 1: 每一个Message对象都包含两个对象: (1)google::protobuf::Descriptor 描述对象,是Message所有Filed的一个集合,它又包含了FieldDes ...

  4. Python 字典(Dictionary) values()方法

    描述 Python 字典(Dictionary) values() 函数以列表返回字典中的所有值. 语法 values()方法语法: dict.values() 参数 NA. 返回值 返回字典中的所有 ...

  5. Python词云分析

    import jieba from matplotlib import pyplot as plt from wordcloud import WordCloud from PIL import Im ...

  6. xml.dom——文档对象模型API

    文档对象模型,或者“DOM”,是一个跨语言API的World Wide Web Consortium(W3C)来访问和修改XML文档.DOM的实现提供了一个XML文档树结构,或允许客户机代码从头开始建 ...

  7. 76 道 Oracle Goldengate 面试问题

    基础 12c新特性 性能 Troubleshoot 其它 1. Oracle Goldengate 支持部署到哪些拓扑? GoldenGate supports the following topol ...

  8. 每日linux命令学习-历史指令查询(history、fc、alias)

    linux历史机制对命令行中输入的命令进行编号并依此保存,以维护命令历史.登录会话期间输入的命令保存在shell内存中,若终止命令则添加至历史文件. 1. 箭头符号方向键 使用键盘上的箭头方向键可以从 ...

  9. 腾讯云 网站开启HTTPS

    下图是我站点的初始化样子,可以看到只是输出一个字符串,啥也没有,并且没有https. 这无所谓,因为我们的重点是https,而不是网站内容 接下来就是配置https的关键步骤了,其实只需要三步而已: ...

  10. Golang并发编程进程通信channel了解及简单使用

    概念及作用 channel是一个数据类型,用于实现同步,用于两个协程之间交换数据.goroutine奉行通过通信来共享内存,而不是共享内存来通信.引用类型channel是CSP模式的具体实现,用于多个 ...