Is it possible to reference a value from an SQL database in the web.config file?

Time: 2022-12-06 10:31:31

I know this is a strange question, basically we are trying to use the web.config file to restrict access to certain users. Unfortunately the site isn't using roles but rather accesses an SQL database to figure out the user's role based on a stored value. Is it possible to somehow pull the SQL value to determine whether or not a user should be granted access, for example:

  <location path="Restrictedpage.aspx">
    <system.web>
      <authorization>
        <allow users="SQL Reference would go here, returning the usernames that fall under certain criteria, such as value admin = 1"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>

I know this is a weird question, I am pretty new to all this but I could really use some help, if someone has a better method I would appreciate ideas on that too.

Thanks!

3 Solutions

#1


3  

No. The web.config is meant for declarative configuration. With that said, just because there aren't roles in the database doesn't mean you can't use roles in the application. For example, if someone has IsAdmin = 1 in the database, you can put them in the Administrators role when they log in. Then, you could easily use the <authorization> section in the web.config to only allow members of the Administrators role access to that location.

As an alternative to the web.config, you could use the Page_Load() of RestrictedPage.aspx to query the database and check if the user is an admin. If they are not, redirect the user someplace else. However, if you can re-compile the code and are going to go through all this trouble, you may as well just use a role-based approach.
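
One way to implement the role-based approach from answer #1, as an added example that is not part of the original answers. It assumes Forms authentication and hypothetical names (a `dbo.Users` table with `UserName` and `IsAdmin` columns, a connection string called `AppDb`), and it goes slightly beyond the answer by assigning the role on every request rather than only at login, so clearing the flag in the database takes effect immediately.

```csharp
// Global.asax.cs (added example; table, column and connection-string names are assumptions)
//
// web.config rule this enables, in place of the <allow users="..."/> line in the question:
//   <allow roles="Administrators"/>
//   <deny users="*"/>
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

public class Global : HttpApplication
{
    // Runs after Forms authentication has identified the user and before
    // UrlAuthorizationModule evaluates the <authorization> rules in web.config.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal user = Context.User;
        if (user == null || !user.Identity.IsAuthenticated)
            return; // anonymous request: the deny rule applies unchanged

        string[] roles = IsAdmin(user.Identity.Name)
            ? new[] { "Administrators" }
            : new string[0];

        // Replace the principal so role checks see the database-derived role.
        Context.User = new GenericPrincipal(user.Identity, roles);
    }

    private static bool IsAdmin(string userName)
    {
        // "AppDb", dbo.Users, UserName and IsAdmin are hypothetical names.
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT IsAdmin FROM dbo.Users WHERE UserName = @name", conn))
        {
            // Parameterized: the user name is never concatenated into the SQL text.
            cmd.Parameters.Add("@name", System.Data.SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            object result = cmd.ExecuteScalar();
            // Unknown user or NULL flag means not an admin (fail closed).
            return result != null && result != DBNull.Value && Convert.ToBoolean(result);
        }
    }
}
```

Because the check runs in the pipeline rather than in `Page_Load()`, every location protected by a `roles` rule is covered without per-page code.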

#2


0  

If the web.config file is changed, IIS automatically reloads the config. I am not saying that this is the recommended approach. But... You can write code in your application to modify the web.config file if the deny list is updated. Just make sure your application has access to modify Web.config.

#3


-1  

You may also consider using a membership provider that would allow you to keep your current database schema unchanged: http://msdn.microsoft.com/en-us/library/f1kyba5e(v=vs.100).aspx

Tutorial on creating a membership provider: http://www.asp.net/web-forms/videos/how-do-i/how-do-i-create-a-custom-membership-provider
