Is URL Authorization enough secure in ASP.NET?

2018-06-04 23:28:04

I have categorized my pages in different folders based on some roles and using URL authorization , For example I use the following code in web.config for limiting access to that administrative stuff :

<configuration>
  <system.web>
    <authorization>
      <allow roles="Admin" />
      <allow roles="SuperAdmin" />
      <deny roles="Member" />
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>

My question is : Is that enough secure ? Or I need to do some other things like : in every events which user want to do administrative stuff , I should check If they are in appropriate role ?

Edit: I use "Forms Authentication Provider" and "ASP.NET Membership Provider" for authenticating users and Membership , And as far as i know it's secure

This does only verify, no user is getting any page delivered, which she is not authorized for. Since you are doing a lot of business stuff in your business layer, you want to check the autorization there also.

Most the time you cant avoid having to check several time inside the page also, since the pages often deliver different content, depending if a low right user or a high right user requests them.

In general you will have to decide on your own for every single information you are giving away - is it ok or not? If it not in general a public information: think about, how could you restrict it effectively? The authorization scheme based on the ASP.NET membership classes is a good base to do so.

链接地址: http://www.djcxy.com/p/15962.html

上一篇: 基于C＃Cookie的授权

下一篇: URL授权在ASP.NET中足够安全吗？