asp.net Forums 之安全

在上一篇文章中,我们讨论了asp.net Forums 之HttpHandler和HttpModule,在这里放这个链接,是因为在本篇文章中需要用到HttpModule相关的内容。

首先在Web.Config中配置为匿名用户不允许查看相关帖子。

 

  
    
<!--
  Pages that may only be reached by an authenticated user.
  users="?" denies the anonymous identity only: any logged-in account still
  passes this check, so per-page role/ownership checks remain the page's job.
-->
<location path="EditPost.aspx">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
<location path="PostAttachmentManager.aspx">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
<location path="PrivateMessage.aspx">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
<location path="Download.aspx">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
<location path="License.aspx">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>

 

 


用户登录时验证用户信息

 

代码
   
     
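// *********************************************************************
// LoginButton_Click
//
/// <summary>
/// Event handler for the login button. Validates the page, the optional
/// anti-spam text and the supplied credentials, then issues the login cookie
/// and redirects. Every known failure is reported by throwing a
/// <see cref="ForumException"/>; the method returns without logging the user
/// in when the page is invalid or the status value is not recognised.
/// </summary>
/// <param name="sender">The button that raised the event (unused).</param>
/// <param name="e">Event data (unused).</param>
/// <exception cref="ForumException">
/// AntiSpamTextNotMatch, UserLoginDisabled, UserInvalidCredentials,
/// UserAccountPending, UserAccountBanned, UserAccountDisapproved or
/// UserUnknownLoginError, depending on what failed.
/// </exception>
// ***********************************************************************/
public void LoginButton_Click(Object sender, EventArgs e)
{
    // The return URL comes from the request, so it is attacker-controlled;
    // it is only followed after ResolveRedirectTarget has vetted it.
    string redirectUrl = forumContext.ReturnUrl;

    if (!Page.IsValid)
        return;

    // [FRUM-183] Anti-spam text check on login (venjiang 2005/10/10).
    if (Globals.GetSiteSettings().EnableAntiSpamTextGenerate
        && Globals.GetSiteSettings().EnableAntiSpamTextGenerateForLogin)
    {
        if (antiSpamText.Text != Globals.GetForumsAntiSpamText())
            throw new ForumException(ForumExceptionType.AntiSpamTextNotMatch);
    }

    User userToLogin = new User();
    userToLogin.Username = username.Text;
    userToLogin.Password = password.Text;
    userToLogin.IPLastLogin = Globals.IPAddress;
    // Client details recorded with the login (venjiang 2005/01/21).
    userToLogin.IPLocation = IPScanner.IPLocation(Globals.IPAddress);
    userToLogin.Platform = Users.GetUsersInfo(forumContext.Context.Request.UserAgent, 1);
    userToLogin.Browser = Users.GetUsersInfo(forumContext.Context.Request.UserAgent, 2);

    LoginUserStatus loginStatus = Users.ValidUser(userToLogin);

    if (loginStatus != LoginUserStatus.Success)
    {
        ThrowForLoginStatus(loginStatus, userToLogin);
        // A status value that ThrowForLoginStatus does not recognise is not a
        // login either (same fall-through as the original if/else chain).
        return;
    }

    // When logins are switched off site-wide, only administrators get in.
    if (!Globals.GetSiteSettings().AllowLogin && !IsAdministratorAccount(userToLogin.Username))
        throw new ForumException(ForumExceptionType.UserLoginDisabled);

    // Cookie persistence is chosen from the autoLogin drop-down; the cookie
    // itself is issued by SetLoginCookie rather than FormsAuthentication here.
    SetLoginCookie(userToLogin.Username, autoLogin.SelectedValue);

    Page.Response.Redirect(ResolveRedirectTarget(redirectUrl), true);
}

/// <summary>
/// Throws the <see cref="ForumException"/> that corresponds to a failed
/// login status. Returns normally for status values it does not know.
/// </summary>
/// <param name="loginStatus">Status returned by <c>Users.ValidUser</c>.</param>
/// <param name="userToLogin">The user that attempted to log in.</param>
private static void ThrowForLoginStatus(LoginUserStatus loginStatus, User userToLogin)
{
    // The User built by this page never has its Nickname set, so fall back to
    // the bare username instead of emitting "(username)" with an empty prefix.
    string displayName = userToLogin.Username;
    if (userToLogin.Nickname != null && userToLogin.Nickname.Length > 0)
        displayName = userToLogin.Nickname + " (" + userToLogin.Username + ")";

    switch (loginStatus)
    {
        case LoginUserStatus.InvalidCredentials:
            throw new ForumException(ForumExceptionType.UserInvalidCredentials, "UserName: " + userToLogin.Username);
        case LoginUserStatus.AccountPending:
            // Account not approved yet
            throw new ForumException(ForumExceptionType.UserAccountPending);
        case LoginUserStatus.AccountBanned:
            throw new ForumException(ForumExceptionType.UserAccountBanned, displayName);
        case LoginUserStatus.AccountDisapproved:
            throw new ForumException(ForumExceptionType.UserAccountDisapproved, displayName);
        case LoginUserStatus.UnknownError:
            // Internal data out of sync
            throw new ForumException(ForumExceptionType.UserUnknownLoginError);
    }
}

/// <summary>
/// True when the named account holds the "Site Administrators" or
/// "Global Administrators" role.
/// </summary>
/// <param name="accountName">Username to look up.</param>
private static bool IsAdministratorAccount(string accountName)
{
    int userId = Users.FindUserByUsername(accountName).UserID;
    ArrayList roles = Roles.GetRoles(userId);
    foreach (Role role in roles)
    {
        if (role.Name == "Site Administrators" || role.Name == "Global Administrators")
            return true;
    }
    return false;
}

/// <summary>
/// Decides where to send the browser after a successful login.
/// </summary>
/// <param name="redirectUrl">Requested return URL; may be null or empty.</param>
/// <returns>
/// The site home page when no return URL was given, when it is not a
/// same-site relative URL, or when it points at a page that makes no sense
/// right after logging in; otherwise the return URL itself.
/// </returns>
private static string ResolveRedirectTarget(string redirectUrl)
{
    string home = Globals.GetSiteUrls().Home;

    if (redirectUrl == null || redirectUrl.Length == 0)
        return home;

    // Open-redirect guard: never forward to another host.
    if (!IsLocalRedirectUrl(redirectUrl))
        return home;

    // Pages that must not be returned to after login (venjiang 2005/01/20,
    // revised 2005/03/28). IIS paths are case-insensitive, so compare that way.
    if (redirectUrl.IndexOf("MessageID", StringComparison.OrdinalIgnoreCase) != -1
        || redirectUrl.IndexOf(Globals.GetSiteUrls().Logout, StringComparison.OrdinalIgnoreCase) != -1
        || redirectUrl.IndexOf("ChangePassword", StringComparison.OrdinalIgnoreCase) != -1
        || redirectUrl.IndexOf("EmailForgottenPassword", StringComparison.OrdinalIgnoreCase) != -1)
        return home;

    return redirectUrl;
}

/// <summary>
/// True when <paramref name="url"/> can only resolve within this site:
/// no scheme, and not one of the protocol-relative ("//host") or backslash
/// forms that browsers treat as absolute.
/// </summary>
/// <param name="url">Non-empty URL to check.</param>
private static bool IsLocalRedirectUrl(string url)
{
    string candidate = url.Trim();
    if (candidate.Length == 0)
        return false;

    if (candidate.StartsWith("//", StringComparison.Ordinal)
        || candidate.StartsWith("/\\", StringComparison.Ordinal)
        || candidate.StartsWith("\\", StringComparison.Ordinal))
        return false;

    // A ':' before the first path/query/fragment delimiter is a scheme
    // separator ("http://...", "javascript:..."); one after it is just data.
    int colon = candidate.IndexOf(':');
    if (colon != -1)
    {
        int delimiter = candidate.IndexOfAny(new char[] { '/', '?', '#' });
        if (delimiter == -1 || colon < delimiter)
            return false;
    }

    return true;
}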

 

 

 

  
    
/// <summary>
/// Validates <paramref name="userToLogin"/> against the data store and, when
/// site-wide logins are switched off, additionally requires the account to
/// hold the "Site Administrators" or "Global Administrators" role.
/// </summary>
/// <param name="userToLogin">User whose Username and Password are checked.</param>
/// <returns>
/// <c>true</c> on success; <c>false</c> only for a status value this method
/// does not recognise. Every known failure status is reported by throwing.
/// </returns>
/// <exception cref="ForumException">
/// UserLoginDisabled, UserInvalidCredentials, UserAccountPending,
/// UserAccountBanned, UserAccountDisapproved or UserUnknownLoginError.
/// </exception>
public static bool AuthenticateUser(User userToLogin)
{
    LoginUserStatus status = Users.ValidUser(userToLogin);

    switch (status)
    {
        case LoginUserStatus.Success:
            // Are we allowing login?
            // TODO -- this could be better optimized
            if (!Globals.GetSiteSettings().AllowLogin)
            {
                User storedUser = Users.FindUserByUsername(userToLogin.Username);
                ArrayList roleList = Roles.GetRoles(storedUser.UserID);

                bool isAdministrator = false;
                for (int i = 0; i < roleList.Count && !isAdministrator; i++)
                {
                    Role current = (Role) roleList[i];
                    isAdministrator = current.Name == "Site Administrators"
                        || current.Name == "Global Administrators";
                }

                // Only administrators may log in while logins are disabled.
                if (!isAdministrator)
                    throw new ForumException(ForumExceptionType.UserLoginDisabled);
            }
            return true;

        case LoginUserStatus.InvalidCredentials:
            throw new ForumException(ForumExceptionType.UserInvalidCredentials, userToLogin.Username);

        case LoginUserStatus.AccountPending:
            // Account not approved yet
            throw new ForumException(ForumExceptionType.UserAccountPending);

        case LoginUserStatus.AccountBanned:
            throw new ForumException(ForumExceptionType.UserAccountBanned, userToLogin.Username);

        case LoginUserStatus.AccountDisapproved:
            throw new ForumException(ForumExceptionType.UserAccountDisapproved, userToLogin.Username);

        case LoginUserStatus.UnknownError:
            // Internal data out of sync
            throw new ForumException(ForumExceptionType.UserUnknownLoginError);

        default:
            return false;
    }
}

 

 

 

  
    
/// <summary>
/// Validates a user's credentials for an ordinary (non-web-service) request.
/// </summary>
/// <param name="user">
/// User to validate; the Username and Password properties must be set.
/// </param>
/// <returns>The resulting <see cref="LoginUserStatus"/>.</returns>
public static LoginUserStatus ValidUser(User user)
{
    // Browser logins supply the clear-text password, so the two-argument
    // overload runs it through Users.Encrypt before hitting the data store.
    const bool fromWebService = false;
    return ValidUser(user, fromWebService);
}

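/// <summary>
/// Validates a login attempt: looks the account up, lifts an expired ban,
/// checks the credentials against the data store, and only then reports
/// account-status problems (banned / pending / disapproved).
/// </summary>
/// <param name="user">
/// User to validate; Username and Password must be set. For non-web-service
/// requests Salt, PasswordFormat and Password are overwritten with the
/// stored salt/format and the encrypted password.
/// </param>
/// <param name="isRequestFromWebService">
/// When true the password is handed to the data store as supplied
/// (presumably already encrypted by the caller — TODO confirm); otherwise it
/// is encrypted here with the account's stored salt and format.
/// </param>
/// <returns>The login status.</returns>
public static LoginUserStatus ValidUser(User user, bool isRequestFromWebService)
{
    ForumsDataProvider dp = ForumsDataProvider.Instance();

    // An unknown username is reported exactly like a wrong password, so the
    // response does not reveal which usernames exist.
    User userLookup = Users.FindUserByUsername(user.Username);
    if (userLookup == null)
        return LoginUserStatus.InvalidCredentials;

    // BannedUntil is compared with DateTime.Now (server local time) — the
    // original did the same; confirm the stored value is local time too.
    DateTime now = DateTime.Now;
    bool banActive = userLookup.IsBanned && now <= userLookup.BannedUntil;

    // An expired ban is lifted on the next attempt. This write happens before
    // the credentials are verified, as in the original code.
    if (userLookup.IsBanned && !banActive)
    {
        userLookup.AccountStatus = UserAccountStatus.Approved;
        userLookup.BannedUntil = now;
        Users.UpdateUser(userLookup);
    }

    if (!isRequestFromWebService)
    {
        // Reuse the stored salt and format so the comparison works whatever
        // password format the account was created with.
        user.Salt = userLookup.Salt;
        user.PasswordFormat = userLookup.PasswordFormat;
        user.Password = Users.Encrypt(user.PasswordFormat, user.Password, user.Salt);
    }

    // Credentials are checked BEFORE the account status is disclosed: a
    // request without the right password learns nothing about whether the
    // account is banned, pending or disapproved.
    LoginUserStatus storeStatus = (LoginUserStatus) dp.ValidateUser(user);
    if (storeStatus != LoginUserStatus.Success)
        return storeStatus;

    if (banActive)
        return LoginUserStatus.AccountBanned;
    if (userLookup.AccountStatus == UserAccountStatus.ApprovalPending)
        return LoginUserStatus.AccountPending;
    if (userLookup.AccountStatus == UserAccountStatus.Disapproved)
        return LoginUserStatus.AccountDisapproved;

    return storeStatus;
}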

 

 


在ForumsHttpModule中,每次请求都会在Application_AuthorizeRequest中验证用户授权。
