Đang chuẩn bị nút TẢI XUỐNG, xin hãy chờ
Tải xuống
Bạn sẽ không gặp phải hành vi này nếu bạn thực hiện kiểm tra ủy quyền bằng cách gọi IsUserInRole trực tiếp vào nhà cung cấp, khi gọi phương pháp IsUserInRole của nhà cung cấp trực tiếp bạn có thể sử dụng cú pháp cho các nhóm máy tính địa phương. | Role Manager You won t encounter this behavior if you make authorization checks by calling IsUserInRole directly on the provider when calling the provider s IsUserInRole method directly you can use either syntax for local machine groups. However if you depend on RolePrincipal.IsInRole for authorization checks you may run into this behavior and it may cause some unexpected problems. For example using the TestLocalMachineGroup shown in the earlier results the following URL authorization check when using Role Manager will fail authorization allow roles DEMOTEST TestLocalMachineGroup deny users authorization This exact same check will succeed if you turn off Role Manager and just use Windows authentication instead. The WindowsPrincipal class never has to return roles as a string array so when WindowsPrincipal.IsInRole is called internally it can test local machine groups using alternative syntaxes. The reason that the preceding check fails when using Role Manager is that RolePrincipal internally caches the string array returned by WindowsTokenRoleProvider.GetRolesForUser. And this array has only a string entry of TestLocalMachineGroup so the string comparison against DEMOTEST TestLocalMachineGroup fails. The following configuration though will succeed authorization allow roles TestLocalMachineGroup deny users authorization Now that the machine name is no longer part of the role name the URL authorization check against RolePrincipal succeeds because there is a string match on just TestLocalMachineGroup. If you happen to be developing an application and authorization checks against local machine groups suddenly fail when you switch from using only Windows authentication to using Windows authentication and Role Manager with the WindowsTokenRoleProvider the likely culprits are the group names in your authorization configuration element. You can write some sample code that tries different ways of making role checks against the group names shown earlier that were returned .