[英]Role-based restriction not working for ASP.NET MVC Forms Authentication via AD
I've got a ASP.NET MVC page that I'd like to secure with a login and not only authenticate against an Active Directory using Forms Authentication , but also grant access only to specific roles. 我有一个ASP.NET MVC页面,我希望通过登录进行保护,不仅使用Forms Authentication对Active Directory进行身份验证 ,而且还仅授予对特定角色的访问权限。
web.config web.config
<system.web>
<authentication mode="Forms">
<forms name=".ADAuthCookie" loginUrl="~/Home/Login" timeout=45 protection="All" />
</authentication>
<authorization>
<allow roles="Admin" />
<deny users="*" />
</authorization>
...
Controllers 控制器
[HttpGet]
public ActionResult Index() {
return View("~/ng-app/index_template.cshtml");
}
[HttpGet, AllowAnonymous]
public ActionResult Login() {
return View("~/ng-app/login_template.cshtml");
}
[HttpPost, AllowAnonymous]
public ActionResult Login(LoginDto dto) {
... // validate dto & stuff
FormsAuthentication.SetAuthCookie(loginModel.Username, loginModel.RememberMe);
}
Now, basic protection and general authentication works perfectly. 现在,基本保护和常规身份验证可以完美运行。 I can log in with my domain account and I don't have access to any other pages as anonymous users.
我可以使用我的域帐户登录,但我不能以匿名用户身份访问任何其他页面。 However, I'm somehow unable to restrict access only to a certain role.
但是,我无法以某种方式将访问权限限制为仅特定角色。 When I add
<allow roles="Admin" />
to the authorization
section, it does absolutely nothing. 当我在
authorization
部分添加<allow roles="Admin" />
,它绝对不会执行任何操作。 When I additionally add <deny users="*" />
, I lock myself out and even after successful login, the server always returns 302 Found
without doing any redirects or serving the actual file. 当我另外添加
<deny users="*" />
,我将自己锁定在外,即使成功登录后,服务器也始终返回302 Found
而不进行任何重定向或提供实际文件。
You should be doing the allowed roles on the controller declaration 您应该在控制器声明中做允许的角色
So above your actionresult declaration put this above 因此,在您的actionresult声明上方,将其置于上方
[HttpGet]
[Authorize(Roles="Admin")]
public ActionResult AuthorizedView() {
return View("~/ng-app/admin_template.cshtml");
}
This will then do a check to see if the user is in the role declared or not 然后,它将进行检查以查看用户是否处于声明的角色中
To declare the roles in the webconfig you could do something like below 要声明webconfig中的角色,您可以执行以下操作
<authorizationConfiguration>
<controllerAuthorizationMappings>
<add controller="Home" role="GeneralAccess">
<!-- Define allowed roles for actions under the Home Controller -->
<actionAuthorizationMappings>
<add action="MyTopSecretActionForSuperCoolPeopleOnly" roles="Developer,Manager,Fonzie" />
</actionAuthorizationMappings>
</add>
</controllerAuthorizationMappings>
</authorizationConfiguration>
And here is a link to the site 这是该网站的链接
http://www.ryanmwright.com/2010/04/25/dynamic-controlleraction-authorization-in-asp-net-mvc/ http://www.ryanmwright.com/2010/04/25/dynamic-controlleraction-authorization-in-asp-net-mvc/
There is far to much for me to bring it into this thread, I will turn it in to a wiki answer when I have 5 minutes 对我来说,将其带入此线程的功能远远不止于此,我将在5分钟内将其转换为Wiki答案。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.