asp.net authorization - deny all before login except the register page
I'm using ASP.NET Authorization to deny users access to my site before logging in, but this is also blocking the Register.cshtml page. How do I sort out my authorizations to allow this page through?
<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <location path="Content">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="Register.cshtml">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
IMHO, you should not use web.config to control the authentication of your application; instead, use the Authorize attribute.
Add this to your Global.asax file, in the RegisterGlobalFilters method:
using System.Web.Mvc;

public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
    filters.Add(new HandleErrorAttribute());
    // Applies to every action unless the action opts out with [AllowAnonymous]
    filters.Add(new AuthorizeAttribute());
}
Or you can also decorate your controller with [Authorize]:
[Authorize]
public class HomeController : Controller
{
    ...
}
For actions which require anonymous access, use the AllowAnonymous attribute:
[AllowAnonymous]
public ActionResult Register()
{
    // This action can be accessed by unauthorized users
    return View("Register");
}
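The following is an added example, not code from the original answer: a hypothetical AccountController combining the global AuthorizeAttribute with [AllowAnonymous] on both the GET and POST Register actions (RegisterModel and the membership calls are assumptions). It illustrates why a web.config <location> on Register.cshtml cannot help: the request URL is /Account/Register, not the view file.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Global.asax.cs: register AuthorizeAttribute globally so every
// controller action is deny-by-default for anonymous users.
public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new AuthorizeAttribute());
    }
}

// Hypothetical view model bound from the register form.
public class RegisterModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

public class AccountController : Controller
{
    // GET /Account/Register renders Register.cshtml. The filter decides
    // on the action, so the view file's path never enters into it.
    [AllowAnonymous]
    public ActionResult Register()
    {
        return View();
    }

    // The POST needs its own [AllowAnonymous]: the global filter runs per
    // action, so without it the form submission is redirected to login.
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult Register(RegisterModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }
        Membership.CreateUser(model.UserName, model.Password); // assumed provider
        FormsAuthentication.SetAuthCookie(model.UserName, false);
        return RedirectToAction("Index", "Home");
    }

    // No [AllowAnonymous]: the global AuthorizeAttribute still applies here.
    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut();
        return RedirectToAction("Register");
    }
}
```

Static files such as those under Content are served by IIS, not by an MVC action, so they are unaffected by these filters.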
You cannot use routing or web.config files to secure your MVC application. The only supported way to secure your MVC application is to apply the Authorize attribute to each controller and use the new AllowAnonymous attribute on the login and register actions. Making security decisions based on the current area is a Very Bad Thing and will open your application to vulnerabilities.
This is happening because you are denying everyone access to the application by using:

<authorization>
    <deny users="?" />
</authorization>
The above code will override all permissions given to the folder.
A good idea would be to deny users folder-wise and keep the Register/Login/Help/Contact pages at root level.