I'm trying to setup a "private beta" for a site that I'm working on. The site uses open id. I don't want anyone to even browse the pages if they aren't part of the beta. What's the best way to implement this? Any suggestions?
我正在尝试为我正在处理的网站设置“私有测试版”。该网站使用开放ID。我不希望任何人甚至浏览页面,如果他们不是测试版的一部分。实现这个的最佳方法是什么?有什么建议?
For example:
When the site goes live, users will go to http://www.mydomain.com which will not require them to log in.
当网站上线时,用户将访问http://www.mydomain.com,这不需要他们登录。
For the beta I want to restrict access. Users that go to http://www.mydomain.com will be redirected to a login page. Anyone attempting to access ANY PART OF THE SITE who is not authenticated will be redirected back to the login page.
对于测试版,我想限制访问。转到http://www.mydomain.com的用户将被重定向到登录页面。任何试图访问未经过身份验证的网站任何部分的人都将被重定向回登录页面。
I could stick [Authorize] attributes all over my controller actions, but that seems stupid.
我可以在我的控制器操作中粘贴[Authorize]属性,但这看起来很愚蠢。
6 个解决方案
#1
If you're using ASP.NET MVC, it comes with authentication/authorization out of the box. You should be able to use that to setup authentication on your site.
如果您使用的是ASP.NET MVC,它会提供开箱即用的身份验证/授权。您应该可以使用它来设置您站点上的身份验证。
Alternatively you could setup app server settings - IIS lets you setup username/password on a specific site it's serving, regardless of what the actual application may do. If you have access to the app server this might be the best solution.
或者,您可以设置应用服务器设置 - IIS允许您在其服务的特定站点上设置用户名/密码,而不管实际应用程序可能执行的操作。如果您有权访问应用服务器,这可能是最佳解决方案。
If you're using IIS6, you can setup authorization easily. Right-click on your site > Properties > Directory Security Tab > Authentication and Access Control > Edit, and enter a username/pwd of your choice. Done.
如果您使用的是IIS6,则可以轻松设置授权。右键单击您的站点>“属性”>“目录安全性”选项卡>“身份验证和访问控制”>“编辑”,然后输入您选择的用户名/密码。完成。
#2
The real question is how are they being invited to the private beta?
真正的问题是他们如何被邀请参加私人测试?
You could setup a password which drops a cookie much like serverfault.com does.
你可以设置一个像serverfault.com那样丢弃cookie的密码。
OR
If you know who you are inviting: you could add them to the system before hand using the email/login information that you already know about them (assuming you are inviting them via email)
如果您知道自己邀请的人:您可以使用您已经了解的关于他们的电子邮件/登录信息将其添加到系统中(假设您通过电子邮件邀请他们)
#3
I have implemented a function in a web application a while ago where we go the possibility to block access to the full website unless the user was an administrator (which in our case meant that the user account was a member of a specific group in Active Directory).
我刚才在Web应用程序中实现了一个功能,除非用户是管理员(在我们的例子中是指用户帐户是Active Directory中特定组的成员),否则我们可以阻止对完整网站的访问)。
It was based on two things. First, all pages in the web application inherited not directly from the Page class, but from a custom page class in our web application. Second, we had a value like this in the appSettings section of web.config file:
它基于两件事。首先,Web应用程序中的所有页面不是直接从Page类继承,而是从Web应用程序中的自定义页面类继承。其次,我们在web.config文件的appSettings部分有一个这样的值:
<add key="adminaccessonly" value="0" />
The custom page class would check that value when loading. If it was not 0 it would redirect to a page (that did not inherit the same custom page class, though) informing the user that "the site is not available right now". If the value was 0 the page would load as usual.
自定义页面类将在加载时检查该值。如果它不是0,它将重定向到一个页面(虽然没有继承相同的自定义页面类),通知用户“该网站现在不可用”。如果值为0,则页面将照常加载。
In that application we used this to be able to take the site "offline" when we deployed a new version, giving us some time to verify that all was good before we let in the users again.
在该应用程序中,我们使用它可以在部署新版本时使网站“脱机”,让我们有时间在再次让用户进入之前验证一切正常。
#4
Best way are invitation system (based on invitation code) or manually confirmation access after create profile in your system. imho
最佳方式是邀请系统(基于邀请代码)或在系统中创建配置文件后手动确认访问。恕我直言
#5
Or you could host the site on a private server, and set up a VPN to use it. Depending on your resources and needs this may be the easiest and most secure way to do what you want without modifying your codebase.
或者您可以在专用服务器上托管该站点,并设置VPN以使用它。根据您的资源和需求,这可能是最简单,最安全的方式,无需修改代码库即可完成所需操作。
OR alternatively you could use Apache or IIS to force authentication on access to the website directory. Keeping the authentication info in .htaccess for a while.
或者,您可以使用Apache或IIS强制访问网站目录时进行身份验证。将身份验证信息保留在.htaccess中一段时间。
#6
Even though you use open id authentication, you may still need some form of authorization mechanism. The simplest form would be a user-roles system in your database that assigns different roles to users
即使您使用开放式身份验证,您仍可能需要某种形式的授权机制。最简单的形式是数据库中的用户角色系统,它为用户分配不同的角色
In your case, just assign the private_beta role to your private beta invitees and ensure you your authorization mechanism that all users have private_beta privilege before they may continue.
在您的情况下,只需将private_beta角色分配给您的私人测试版受邀者,并确保您的授权机制,即所有用户在继续之前拥有private_beta特权。
If you don't want to provide authorization for the public site (where everyone can do everything, once authenticated), then, you may only need to do a quick-and-dirty post-processing (for private beta only) on your open_id authenticated users to check them off a short list (which you can store on a text file.
如果您不想为公共站点提供授权(每个人都可以执行所有操作,一旦通过身份验证),那么,您可能只需要在open_id上进行快速而肮脏的后处理(仅限私有测试版)经过身份验证的用户可以将它们从短列表中检出(您可以将其存储在文本文件中。
#1
If you're using ASP.NET MVC, it comes with authentication/authorization out of the box. You should be able to use that to setup authentication on your site.
如果您使用的是ASP.NET MVC,它会提供开箱即用的身份验证/授权。您应该可以使用它来设置您站点上的身份验证。
Alternatively you could setup app server settings - IIS lets you setup username/password on a specific site it's serving, regardless of what the actual application may do. If you have access to the app server this might be the best solution.
或者,您可以设置应用服务器设置 - IIS允许您在其服务的特定站点上设置用户名/密码,而不管实际应用程序可能执行的操作。如果您有权访问应用服务器,这可能是最佳解决方案。
If you're using IIS6, you can setup authorization easily. Right-click on your site > Properties > Directory Security Tab > Authentication and Access Control > Edit, and enter a username/pwd of your choice. Done.
如果您使用的是IIS6,则可以轻松设置授权。右键单击您的站点>“属性”>“目录安全性”选项卡>“身份验证和访问控制”>“编辑”,然后输入您选择的用户名/密码。完成。
#2
The real question is how are they being invited to the private beta?
真正的问题是他们如何被邀请参加私人测试?
You could setup a password which drops a cookie much like serverfault.com does.
你可以设置一个像serverfault.com那样丢弃cookie的密码。
OR
If you know who you are inviting: you could add them to the system before hand using the email/login information that you already know about them (assuming you are inviting them via email)
如果您知道自己邀请的人:您可以使用您已经了解的关于他们的电子邮件/登录信息将其添加到系统中(假设您通过电子邮件邀请他们)
#3
I have implemented a function in a web application a while ago where we go the possibility to block access to the full website unless the user was an administrator (which in our case meant that the user account was a member of a specific group in Active Directory).
我刚才在Web应用程序中实现了一个功能,除非用户是管理员(在我们的例子中是指用户帐户是Active Directory中特定组的成员),否则我们可以阻止对完整网站的访问)。
It was based on two things. First, all pages in the web application inherited not directly from the Page class, but from a custom page class in our web application. Second, we had a value like this in the appSettings section of web.config file:
它基于两件事。首先,Web应用程序中的所有页面不是直接从Page类继承,而是从Web应用程序中的自定义页面类继承。其次,我们在web.config文件的appSettings部分有一个这样的值:
<add key="adminaccessonly" value="0" />
The custom page class would check that value when loading. If it was not 0 it would redirect to a page (that did not inherit the same custom page class, though) informing the user that "the site is not available right now". If the value was 0 the page would load as usual.
自定义页面类将在加载时检查该值。如果它不是0,它将重定向到一个页面(虽然没有继承相同的自定义页面类),通知用户“该网站现在不可用”。如果值为0,则页面将照常加载。
In that application we used this to be able to take the site "offline" when we deployed a new version, giving us some time to verify that all was good before we let in the users again.
在该应用程序中,我们使用它可以在部署新版本时使网站“脱机”,让我们有时间在再次让用户进入之前验证一切正常。
#4
Best way are invitation system (based on invitation code) or manually confirmation access after create profile in your system. imho
最佳方式是邀请系统(基于邀请代码)或在系统中创建配置文件后手动确认访问。恕我直言
#5
Or you could host the site on a private server, and set up a VPN to use it. Depending on your resources and needs this may be the easiest and most secure way to do what you want without modifying your codebase.
或者您可以在专用服务器上托管该站点,并设置VPN以使用它。根据您的资源和需求,这可能是最简单,最安全的方式,无需修改代码库即可完成所需操作。
OR alternatively you could use Apache or IIS to force authentication on access to the website directory. Keeping the authentication info in .htaccess for a while.
或者,您可以使用Apache或IIS强制访问网站目录时进行身份验证。将身份验证信息保留在.htaccess中一段时间。
#6
Even though you use open id authentication, you may still need some form of authorization mechanism. The simplest form would be a user-roles system in your database that assigns different roles to users
即使您使用开放式身份验证,您仍可能需要某种形式的授权机制。最简单的形式是数据库中的用户角色系统,它为用户分配不同的角色
In your case, just assign the private_beta role to your private beta invitees and ensure you your authorization mechanism that all users have private_beta privilege before they may continue.
在您的情况下,只需将private_beta角色分配给您的私人测试版受邀者,并确保您的授权机制,即所有用户在继续之前拥有private_beta特权。
If you don't want to provide authorization for the public site (where everyone can do everything, once authenticated), then, you may only need to do a quick-and-dirty post-processing (for private beta only) on your open_id authenticated users to check them off a short list (which you can store on a text file.
如果您不想为公共站点提供授权(每个人都可以执行所有操作,一旦通过身份验证),那么,您可能只需要在open_id上进行快速而肮脏的后处理(仅限私有测试版)经过身份验证的用户可以将它们从短列表中检出(您可以将其存储在文本文件中。