Requiring Multiple Roles in Web.config Authorizati

Published 2020-07-09 03:52

Question:

Is it possible to specify that multiple roles are required inside the authorization element of the web.config file? I currently have this block in one web.config of my site for a specific directory:

<authorization>  
    <allow roles="Global, Region" />
    <deny users="*" />
</authorization>

I've just identified a special case where a person with two lower-level permissions than Global and Region should also have access to this directory. Roughly, I want something like this:

<authorization>  
    <allow roles="GlobalManager, RegionManager, SiteManager && FooSite" />
    <deny users="*" />
</authorization>

Any ideas? I realize I probably should have a new role for this scenario, but I'd like to avoid that. Thanks!

Answer 1:

I don't think you can do this via the current configs allowed in web.config. What you could do though is something like the following... as the very first line in your Page_Load event for the page in question, use the following code (VB):

If Not (User.IsInRole("Role1") AndAlso User.IsInRole("Role2")) Then _
    FormsAuthentication.RedirectToLoginPage()

This line of course is assuming you are using FormsAuthentication. If not, you would need to replace FormsAuthentication.RedirectToLoginPage() with the appropriate code depending on your authentication method.

I don't know your situation exactly, but based on your code, it looks like you could go one step further, and add a table with a mapping of users to sites, and do something like the following:

In a public module, add the following code:

<System.Runtime.CompilerServices.Extension()> _
Public Function ManagesSite(target As System.Security.Principal.IPrincipal, siteName As String) As Boolean
    Return [ code here to look up whether this user can access the site specified ]
End Function 

Then you can write the previous code as something more logical, such as:

If Not (User.IsInRole("SiteManager") AndAlso User.ManagesSite(Request.Url.Host)) Then _
    FormsAuthentication.RedirectToLoginPage()
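
As an added example (not code from the original answer), the same "all of these roles" check written as an ASP.NET IHttpModule in C#, so it covers every request into the protected directory rather than only the one page whose Page_Load contains the test. The class name RequireAllRolesModule, the "/Reports/" path and the role names are assumptions chosen to mirror the question; the rule table is OR across groups and AND within a group, which is what web.config's allow element cannot express.

```csharp
// Added example, not from the original post. Enforces AND-semantics for a
// directory that web.config <authorization> can only describe with OR.
// Assumed names: RequireAllRolesModule, the "/Reports/" prefix, the role names.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public sealed class RequireAllRolesModule : IHttpModule
{
    // Protected directory (assumed). Trailing slash so "/ReportsArchive/" does not match.
    private const string ProtectedPath = "/Reports/";

    // Each inner array is an AND-group; the user must satisfy at least one group.
    // Mirrors "GlobalManager, RegionManager, SiteManager && FooSite" from the question.
    private static readonly string[][] AllowedRoleGroups =
    {
        new[] { "GlobalManager" },
        new[] { "RegionManager" },
        new[] { "SiteManager", "FooSite" },
    };

    public void Init(HttpApplication app)
    {
        // AuthorizeRequest fires after AuthenticateRequest, so context.User is populated.
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    public void Dispose() { }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpContext context = app.Context;

        // "~/Reports/x.aspx" regardless of the virtual directory the app is mounted in.
        string path = context.Request.AppRelativeCurrentExecutionFilePath;
        if (!path.StartsWith("~" + ProtectedPath, StringComparison.OrdinalIgnoreCase))
            return; // outside the protected directory; web.config rules apply as usual

        if (IsAllowed(context.User, AllowedRoleGroups))
            return;

        // Deny by default. Unauthenticated callers go to the login page; authenticated
        // callers who lack the combination get 403 instead of a login loop.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
        }
        else
        {
            context.Response.StatusCode = 403;
            context.Response.SuppressContent = true;
        }
        app.CompleteRequest();
    }

    // Pure rule evaluation, kept separate so it can be unit-tested with a GenericPrincipal.
    public static bool IsAllowed(IPrincipal user, string[][] roleGroups)
    {
        if (user == null || !user.Identity.IsAuthenticated) return false;
        foreach (string[] group in roleGroups)
        {
            bool all = true;
            foreach (string role in group)
            {
                if (!user.IsInRole(role)) { all = false; break; }
            }
            if (all) return true;
        }
        return false;
    }
}
```

Register the module under system.webServer/modules for the integrated pipeline and keep the directory's own web.config in place: list every participating role in its allow element and leave the deny users="*" line, so the built-in URL authorization still rejects anyone with none of the roles, and the module then tightens the SiteManager/FooSite pair to a conjunction. Both layers must allow a request for it to succeed, so a user holding only SiteManager passes the OR check in web.config but is stopped here.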


Answer 2:

The method I usually use to solve this is, when setting the user roles, to create virtual roles. Therefore if you wanted to only allow Student Administrators access to a page where a user has both Student and Administrator roles, you could add a new StudentAdministrator role.
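
An added example (not code from the original answer) of the virtual-role approach in C#: composite roles are computed from the base roles after authentication and attached to the principal, so a plain web.config allow roles="StudentAdministrator" expresses the AND requirement. The composite table, the user-to-role lookup and the VirtualRoles class name are assumptions; the in-memory user table is constructed for illustration and stands in for whatever role store the application uses.

```csharp
// Added example, not from the original post. Synthesises composite ("virtual")
// roles on every request so web.config can require a conjunction by name.
// Assumed: the Composites table, the VirtualRoles class, the sample user table.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web;

public static class VirtualRoles
{
    // Composite role -> the base roles a user must ALL hold to receive it (assumed values).
    // Composites are defined only in terms of base roles, so evaluation order does not matter.
    private static readonly Dictionary<string, string[]> Composites =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "StudentAdministrator", new[] { "Student", "Administrator" } },
            { "FooSiteManager",       new[] { "SiteManager", "FooSite" } },
        };

    // Returns the base roles plus every composite whose members are all present.
    // Composites are derived, never stored, so removing a base role removes the composite.
    public static string[] Expand(IEnumerable<string> baseRoles)
    {
        var roles = new HashSet<string>(baseRoles, StringComparer.OrdinalIgnoreCase);
        foreach (var kv in Composites)
        {
            if (kv.Value.All(roles.Contains))
                roles.Add(kv.Key);
        }
        return roles.ToArray();
    }

    // Wraps the authenticated identity in a principal that reports the expanded role set.
    public static IPrincipal Wrap(IIdentity identity, IEnumerable<string> baseRoles)
    {
        return new GenericPrincipal(identity, Expand(baseRoles));
    }
}

public class Global : HttpApplication
{
    // Constructed sample data standing in for the real user/role store.
    private static readonly Dictionary<string, string[]> SampleUserRoles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new[] { "Student", "Administrator" } }, // gets StudentAdministrator
            { "bob",   new[] { "Student" } },                  // does not
            { "carol", new[] { "SiteManager", "FooSite" } },   // gets FooSiteManager
        };

    private static string[] LookupRolesFor(string userName)
    {
        string[] roles;
        return SampleUserRoles.TryGetValue(userName, out roles) ? roles : new string[0];
    }

    // Runs once the identity is known; replaces the principal with the expanded one.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal user = HttpContext.Current.User;
        if (user == null || !user.Identity.IsAuthenticated) return;

        string[] baseRoles = LookupRolesFor(user.Identity.Name);
        IPrincipal expanded = VirtualRoles.Wrap(user.Identity, baseRoles);
        HttpContext.Current.User = expanded;
        System.Threading.Thread.CurrentPrincipal = expanded;
    }
}
```

With this in place the directory's web.config becomes declarative again (allow roles="GlobalManager, RegionManager, FooSiteManager" followed by deny users="*"), and the conjunction lives in one table instead of in page code. Because the composite is recomputed from the base roles on each request, it cannot outlive the base roles that justify it, which is the property to check when roles are cached elsewhere, for example in a role cookie.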