堆栈内存溢出
  简体   繁体   English

asp.net授权-登录前除注册页面外全部拒绝

[英]asp.net authorization - deny all before login except the register page

 原文  2013-07-10 10:08:34       asp.net-mvc/ authorization

问题描述

I'm using ASP.NET Authorization to deny users access to my site before logging in, but this is also blocking the Register.cshtml page. 我使用ASP.NET授权在登录之前拒绝用户访问我的网站,但这也阻止了Register.cshtml页。 How do I sort out my authorizations to allow this page through? 如何整理我的授权以允许该页面通过? 

<system.web>
<authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <location path="Content">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="Register.cshtml">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

2 个解决方案

解决方案1
 6 已采纳  2013-07-10 10:57:53

IMHO, you should not use web.config to control the authentication of your application instead use Authorize attribute. 恕我直言,您不应使用web.config来控制应用程序的身份验证,而应使用Authorize属性。

Add this in your Global.asax file under RegisterGlobalFilters method RegisterGlobalFilters方法下将其添加到您的Global.asax文件中 

    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new AuthorizeAttribute());
    }

or you can decorate also your controller with [Authorize] 或者您也可以使用[Authorize]装饰控制器 

[Authorize]
public class HomeController : Controller
{
    ...
}

For action which require Anonymous access use AllowAnonymous attribute 对于需要匿名访问的操作,请使用AllowAnonymous属性 

   [AllowAnonymous]
   public ActionResult Register() {
      // This action can be accessed by unauthorized users
      return View("Register");   
   }

As per Reference , 根据参考资料

You cannot use routing or web.config files to secure your MVC application. 您不能使用路由或web.config文件保护MVC应用程序。 The only supported way to secure your MVC application is to apply the Authorize attribute to each controller and use the new AllowAnonymous attribute on the login and register actions. 保护MVC应用程序安全的唯一受支持方法是将Authorize属性应用于每个控制器,并在登录和注册操作上使用新的AllowAnonymous属性。 Making security decisions based on the current area is a Very Bad Thing and will open your application to vulnerabilities. 根据当前区域做出安全决策是一件很糟糕的事情,这会使您的应用程序容易受到攻击。

解决方案2
 0  2013-07-10 10:24:01

This is happening because you are denying everyone from application by using 之所以发生这种情况,是因为您拒绝使用 

<authorization>
      <deny users="?" />
    </authorization>

Above code will override all permission given to the folder 上面的代码将覆盖对文件夹的所有权限

Good idea would be Deny user folderwise and keep Register/Login/Help/Contact pages at root level. 最好是逐个文件夹拒绝用户,并在根级别保留“注册/登录/帮助/联系”页面。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 注册页面重定向到登录页面asp.net mvc - Register page redirects to login page asp.net mvc ASP.NET MVC:授权后登录页面的自定义参数 - ASP.NET MVC: Custom parameters to login page after authorization 登录并在同一页面上注册ASP.NET MVC - Login and register on the same page ASP.NET MVC ASP.Net Core 3.1 脚手架的身份页面并未全部使用(即登录页面正常,注册页面不正常)......为什么? - ASP.Net Core 3.1 scaffolded Identity pages not all used (ie. Login page OK, Register page NOK)…why? 在asp.net mvc中注册成功后用户名自动填写登录页面(重定向到登录) - Username auto fill in Login Page after Register success (Redirect to Login) in asp.net mvc 在asp.net网站上登录并注册phpbb用户 - Login and register phpbb users within an asp.net website 无法登录,但可以在 ASP.NET MVC 5 应用程序中注册 - Can't login, but can register in ASP.NET MVC 5 app ASP.NET mvc RenderAction登录和注册视图 - ASP.NET mvc RenderAction Login And Register Views 在ASP.NET MVC Internet应用程序中更改登录/注册模型 - Changing login/register model in asp.net mvc internet application 在 Asp.net Core Identity 中通过电话号码注册和登录 - Register and Login by Phone Number in Asp.net Core Identity
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM