• asp.net Forums 之安全


    在上一篇文章中,我们讨论了asp.net Forums 之HttpHandler和HttpModule,在这里放这个链接,是因为本篇文章中需要用到HttpModule相关的内容(请求授权是在HttpModule里完成的)。

    首先在Web.Config中配置,不允许匿名用户访问下面列出的页面(`deny users="?"` 中的 `?` 代表未登录的匿名用户)。注意这种基于 `<location>` 的授权规则只对列出的URL路径生效,并不替代页面内部对具体贴子/附件的权限检查。

    <!-- Authorization rules for pages that must not be reachable anonymously.
         "?" is ASP.NET's token for the anonymous (unauthenticated) user, so
         deny users="?" rejects unauthenticated requests while any authenticated
         user still passes. Each rule matches only the listed URL path; other
         pages (and any per-post / per-attachment permission) are not covered here. -->
    <location path="EditPost.aspx">
    <system.web>
    <authorization>
    <deny users="?" />
    </authorization>
    </system.web>
    </location>
    <location path="PostAttachmentManager.aspx">
    <system.web>
    <authorization>
    <deny users="?" />
    </authorization>
    </system.web>
    </location>
    <location path="PrivateMessage.aspx">
    <system.web>
    <authorization>
    <deny users="?" />
    </authorization>
    </system.web>
    </location>
    <!-- Download.aspx is the attachment handler; denying it here protects the handler URL
         only, not files that might be served directly from a physical directory. -->
    <location path="Download.aspx">
    <system.web>
    <authorization>
    <deny users="?" />
    </authorization>
    </system.web>
    </location>
    <location path="License.aspx">
    <system.web>
    <authorization>
    <deny users="?" />
    </authorization>
    </system.web>
    </location>


    用户登录时验证用户信息

    代码
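    // *********************************************************************
    // LoginButton_Click
    //
    /// <summary>
    /// Event handler for the login button. Checks the anti-spam text (when enabled),
    /// validates the submitted credentials, enforces the site-wide "AllowLogin" switch
    /// (administrators may still log in), issues the login cookie and finally redirects
    /// the user either to the requested return URL or to the site home page.
    /// </summary>
    /// <param name="sender">The control raising the event (unused).</param>
    /// <param name="e">Event arguments (unused).</param>
    /// <exception cref="ForumException">
    /// Thrown for a mismatched anti-spam text, invalid credentials, a pending / banned /
    /// disapproved account, an unknown login error, or when logins are disabled and the
    /// account holds neither administrator role.
    /// </exception>
    // ***********************************************************************/
    public void LoginButton_Click(Object sender, EventArgs e)
    {
        if (!Page.IsValid)
            return;

        // Return URL requested by the caller (added by venjiang). It is attacker-controllable
        // (typically a query-string value) and is validated below before being used.
        string redirectUrl = forumContext.ReturnUrl;

        // [FRUM-183] Anti-spam text for the login form (venjiang 2005/10/10).
        if (Globals.GetSiteSettings().EnableAntiSpamTextGenerate
            && Globals.GetSiteSettings().EnableAntiSpamTextGenerateForLogin)
        {
            if (antiSpamText.Text != Globals.GetForumsAntiSpamText())
                throw new ForumException(ForumExceptionType.AntiSpamTextNotMatch);
        }

        User userToLogin = new User();
        userToLogin.Username = username.Text;
        userToLogin.Password = password.Text;
        userToLogin.IPLastLogin = Globals.IPAddress;
        // Client metadata recorded with the login (venjiang 2005/01/21). Platform and browser
        // come from the client-supplied User-Agent header, so treat them as untrusted text.
        userToLogin.IPLocation = IPScanner.IPLocation(Globals.IPAddress);
        string userAgent = forumContext.Context.Request.UserAgent;
        userToLogin.Platform = Users.GetUsersInfo(userAgent, 1);
        userToLogin.Browser = Users.GetUsersInfo(userAgent, 2);

        LoginUserStatus loginStatus = Users.ValidUser(userToLogin);

        switch (loginStatus)
        {
            case LoginUserStatus.Success:
                break;

            case LoginUserStatus.InvalidCredentials:
                throw new ForumException(ForumExceptionType.UserInvalidCredentials, "UserName:" + userToLogin.Username);

            case LoginUserStatus.AccountPending:
                // Account not approved yet
                throw new ForumException(ForumExceptionType.UserAccountPending);

            case LoginUserStatus.AccountBanned:
                // Account banned. Nickname is never populated on userToLogin in this handler,
                // so the detail string is effectively "(username)".
                throw new ForumException(ForumExceptionType.UserAccountBanned, userToLogin.Nickname + "(" + userToLogin.Username + ")");

            case LoginUserStatus.AccountDisapproved:
                // Account disapproved
                throw new ForumException(ForumExceptionType.UserAccountDisapproved, userToLogin.Nickname + "(" + userToLogin.Username + ")");

            case LoginUserStatus.UnknownError:
                // Unknown error because of mis-synchronisation of internal data
                throw new ForumException(ForumExceptionType.UserUnknownLoginError);

            default:
                // Any other status: not logged in, nothing further to do (unchanged behaviour).
                return;
        }

        // When the site has logins switched off, only administrators may still sign in.
        if (!Globals.GetSiteSettings().AllowLogin && !IsAdministrator(userToLogin.Username))
        {
            throw new ForumException(ForumExceptionType.UserLoginDisabled);
        }

        // FormsAuthentication.SetAuthCookie(userToLogin.Username, autoLogin.Checked); replaced 040823:
        // the cookie lifetime is taken from the "remember me" drop-down instead.
        SetLoginCookie(userToLogin.Username, autoLogin.SelectedValue);

        // Decide where to send the user. The return URL is honoured only when it is
        //   (a) non-empty,
        //   (b) local to this site -- previously any absolute URL was accepted, which made the
        //       login page an open redirector (phishing: log in here, land on attacker's site), and
        //   (c) not one of the pages that make no sense as a post-login target (venjiang 2005/03/28).
        string destination = Globals.GetSiteUrls().Home;
        if (redirectUrl != null && redirectUrl.Length > 0
            && IsLocalReturnUrl(redirectUrl, forumContext.Context.Request.Url.Host)
            && redirectUrl.IndexOf("MessageID") == -1
            && redirectUrl.IndexOf(Globals.GetSiteUrls().Logout) == -1
            && redirectUrl.IndexOf("ChangePassword") == -1
            && redirectUrl.IndexOf("EmailForgottenPassword") == -1)
        {
            destination = redirectUrl;
        }

        // endResponse=true: the response ends here (ASP.NET aborts the request thread).
        Page.Response.Redirect(destination, true);
    }

    /// <summary>
    /// Returns true when the user named <paramref name="username"/> holds the
    /// "Site Administrators" or "Global Administrators" role.
    /// </summary>
    /// <param name="username">Username whose roles are looked up.</param>
    /// <returns>True if either administrator role is present; otherwise false.</returns>
    private static bool IsAdministrator(string username)
    {
        int userId = Users.FindUserByUsername(username).UserID;
        foreach (Role role in Roles.GetRoles(userId))
        {
            if (role.Name == "Site Administrators" || role.Name == "Global Administrators")
                return true;
        }
        return false;
    }

    /// <summary>
    /// Returns true when <paramref name="url"/> can only lead back into this site:
    /// a root-relative path ("/x"), an application-relative path ("~/x"), or an absolute
    /// http(s) URL whose host equals <paramref name="currentHost"/>. Protocol-relative
    /// targets ("//evil.example", and the "/\" and "\\" forms browsers normalise to it),
    /// other schemes (javascript:, data:, ...) and other hosts are rejected.
    /// </summary>
    /// <param name="url">Candidate return URL, as received from the client.</param>
    /// <param name="currentHost">Host name of the current request.</param>
    /// <returns>True if the URL is safe to redirect to after login; otherwise false.</returns>
    private static bool IsLocalReturnUrl(string url, string currentHost)
    {
        if (url == null)
            return false;

        string candidate = url.Trim();
        if (candidate.Length == 0)
            return false;

        char first = candidate[0];
        if (first == '/' || first == '\\')
        {
            // "/path" is local; "//host", "/\host" and "\\host" are not.
            if (candidate.Length == 1)
                return true;
            char second = candidate[1];
            return second != '/' && second != '\\';
        }

        if (candidate.StartsWith("~/"))
            return true;

        // Anything else must be an absolute http(s) URL pointing at this host.
        Uri target;
        try
        {
            target = new Uri(candidate);
        }
        catch (UriFormatException)
        {
            return false;
        }

        bool isHttp = target.Scheme == Uri.UriSchemeHttp || target.Scheme == Uri.UriSchemeHttps;
        return isHttp
            && currentHost != null
            && String.Compare(target.Host, currentHost, true) == 0;
    }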
    /// <summary>
    /// Validates <paramref name="userToLogin"/> (username and password must be set) and
    /// enforces the site-wide "AllowLogin" switch: when logins are disabled, only members
    /// of the "Site Administrators" or "Global Administrators" role may authenticate.
    /// </summary>
    /// <param name="userToLogin">User whose credentials are checked.</param>
    /// <returns>
    /// True when the credentials are valid and login is permitted; false only for a
    /// login status that is not one of the known failure values.
    /// </returns>
    /// <exception cref="ForumException">
    /// Invalid credentials, pending / banned / disapproved account, unknown login error,
    /// or logins disabled for a non-administrator.
    /// </exception>
    public static bool AuthenticateUser(User userToLogin)
    {
        LoginUserStatus status = Users.ValidUser(userToLogin);

        switch (status)
        {
            case LoginUserStatus.Success:
                if (!Globals.GetSiteSettings().AllowLogin)
                {
                    // TODO -- this could be better optimized (role lookup on every login).
                    int userId = Users.FindUserByUsername(userToLogin.Username).UserID;
                    bool isAdministrator = false;
                    foreach (Role role in Roles.GetRoles(userId))
                    {
                        if (role.Name == "Site Administrators" || role.Name == "Global Administrators")
                        {
                            isAdministrator = true;
                            break;
                        }
                    }

                    if (!isAdministrator)
                        throw new ForumException(ForumExceptionType.UserLoginDisabled);
                }
                return true;

            case LoginUserStatus.InvalidCredentials:
                throw new ForumException(ForumExceptionType.UserInvalidCredentials, userToLogin.Username);

            case LoginUserStatus.AccountPending:
                // Account not approved yet
                throw new ForumException(ForumExceptionType.UserAccountPending);

            case LoginUserStatus.AccountBanned:
                throw new ForumException(ForumExceptionType.UserAccountBanned, userToLogin.Username);

            case LoginUserStatus.AccountDisapproved:
                throw new ForumException(ForumExceptionType.UserAccountDisapproved, userToLogin.Username);

            case LoginUserStatus.UnknownError:
                // Unknown error because of mis-synchronisation of internal data
                throw new ForumException(ForumExceptionType.UserUnknownLoginError);

            default:
                return false;
        }
    }
    // User validation
    /// <summary>
    /// Validates a user's credentials and account state (web-form variant).
    /// </summary>
    /// <param name="user">
    /// User to validate; the Username and Password properties are required. The password
    /// is supplied in clear text here and is hashed by the two-argument overload.
    /// </param>
    /// <returns>The resulting login status.</returns>
    public static LoginUserStatus ValidUser(User user)
    {
        const bool fromWebService = false;
        return ValidUser(user, fromWebService);
    }

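    /// <summary>
    /// Validates a user's credentials and account state. The credential is verified
    /// <b>before</b> any account-state result is reported, so the login form cannot be used
    /// to discover whether an arbitrary username is pending, banned or disapproved.
    /// </summary>
    /// <param name="user">
    /// User to validate (Username and Password required). Side effect: for non-web-service
    /// requests, Salt and PasswordFormat are copied from the stored account and Password is
    /// replaced by its hashed form.
    /// </param>
    /// <param name="isRequestFromWebService">
    /// True when the request comes from the web service; the password is then passed to the
    /// data provider unchanged, i.e. the caller must already supply it in stored form.
    /// </param>
    /// <returns>The login status for this attempt.</returns>
    // Login validation - 1
    public static LoginUserStatus ValidUser(User user, bool isRequestFromWebService)
    {
        ForumsDataProvider dp = ForumsDataProvider.Instance();

        // Unknown usernames are reported exactly like a wrong password (no enumeration).
        User userLookup = Users.FindUserByUsername(user.Username);
        if (userLookup == null)
            return LoginUserStatus.InvalidCredentials;

        // Evaluate the ban once so the expiry write below cannot change the answer.
        // NOTE(review): BannedUntil is compared with the server's local DateTime.Now; confirm
        // the stored value uses the same clock/zone.
        bool banActive = userLookup.IsBanned && DateTime.Now <= userLookup.BannedUntil;
        if (userLookup.IsBanned && !banActive)
        {
            // Ban has expired: restore the account (done before the provider call, as before,
            // so the provider sees the approved state).
            userLookup.AccountStatus = UserAccountStatus.Approved;
            userLookup.BannedUntil = DateTime.Now;
            Users.UpdateUser(userLookup);
        }

        // if (HttpContext.Current.User.Identity.AuthenticationType == "" )
        if (!isRequestFromWebService)
        {
            // Hash the clear-text password with the account's stored salt and format so the
            // provider can compare like with like. (Lucian: the stored format must be reused;
            // useful when several password formats are in circulation.)
            user.Salt = userLookup.Salt;
            user.PasswordFormat = userLookup.PasswordFormat;
            user.Password = Users.Encrypt(user.PasswordFormat, user.Password, user.Salt);
        }
        // NOTE(review): on the web-service path a captured stored-form password is itself a
        // usable credential (pass-the-hash); confirm this is intended for that caller.

        // Credential check first. The previous ordering returned AccountBanned / AccountPending /
        // AccountDisapproved without verifying the password, which let anyone probe the status
        // of any username.
        // NOTE(review): assumes dp.ValidateUser compares only the credential and does not itself
        // filter on account status; if it does, pending/disapproved users would now see
        // "invalid credentials" instead of their status -- verify against the provider.
        LoginUserStatus credentialStatus = (LoginUserStatus) dp.ValidateUser(user);
        if (credentialStatus != LoginUserStatus.Success)
            return credentialStatus;

        // Credential is correct: now report account state.
        if (banActive)
            return LoginUserStatus.AccountBanned;
        if (userLookup.AccountStatus == UserAccountStatus.ApprovalPending)
            return LoginUserStatus.AccountPending;
        if (userLookup.AccountStatus == UserAccountStatus.Disapproved)
            return LoginUserStatus.AccountDisapproved;

        return LoginUserStatus.Success;
    }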


    在ForumsHttpModule中,每个请求都会经过Application_AuthorizeRequest事件,在这里对当前用户做授权验证;上面的Web.Config规则和这一步共同决定请求能否继续。
