Custom authorization in ASP.NET MVC 3

I am migrating an application from ASP.NET Web Forms to ASP.NET MVC 3. One of the central and critical pieces is currently locked away in its own directory. I have restricted unauthorized users from accessing this directory by using the following in my web.config file:

<location path="home" allowOverride="false">
  <system.web>
    <authorization>
      <deny users="?"/>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>

My question is, how do I implement this same type of security in ASP.NET MVC 3? I have a hunch that it involves setting attributes on my Controller classes. However, the AuthorizeAttribute looks like it only accepts a list of user names and not an auth status (please correct me if I'm wrong). I looked at the sample ASP.NET internet application and I didn't see anything special being configured in it.

Can someone please point me in the correct direction on this?

Thanks!

That's correct, you'll utilize the AuthorizeAttribute, like so:

 [Authorize]
 public ActionResult AuthenticatedUsers()
 {
     return View();
 }

 [Authorize(Roles = "Role1, Role2")]
 public ActionResult SomeRoles()
 {
     return View();
 }

 [Authorize(Users = "User1, User2")]
 public ActionResult SomeUsers()
 {
     return View();
 }

As for "auth status", I'm not sure I know what you mean. It sounds like Roles would handle that authentication requirement.

You can still do the authorization in the web.config if you want to. Most people will move their authorize permissions to the Actions or to the entire controller (or base controller) using the [Authorize] filter.

The Authorize filter supports Roles or Users the same way that the web.config does (use of * and ? for "Authenticated" and "anonymous").

If users and roles won't do it for you, check out this article on creating a custom authorize attribute:

ASP.NET MVC Custom Authorization

You will use the authorize attribute to say which users or roles will have permission to access a controller (if you put it on a controller, these permissions will be set for all actions in this controller) or an action. Look: http://build.mt.gov/2011/10/27/aspnet-mvc3-and-the-authorize-attribute.aspx. Remember that what will provide your roles (for a specific user) will be a RoleProvider, like you use with ASP.NET Web Forms.
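
The deny-anonymous rule from the question's web.config, applied to every controller as a deny-by-default global filter (an added example, not code from the question or any of the answers). MVC 3 has no built-in [AllowAnonymous], so the opt-out marker is defined here; the names RequireLoginAttribute and AllowAnonymousAccessAttribute are hypothetical, and the example assumes forms authentication with the login action at AccountController.LogOn.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical opt-out marker for actions or controllers that must stay public.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class AllowAnonymousAccessAttribute : Attribute { }

// Hypothetical deny-by-default filter: behaves like [Authorize] everywhere
// except where the opt-out marker is present.
public sealed class RequireLoginAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        bool optedOut =
            filterContext.ActionDescriptor.IsDefined(typeof(AllowAnonymousAccessAttribute), true) ||
            filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAccessAttribute), true);

        if (!optedOut)
        {
            // The base class checks IsAuthenticated plus any Users/Roles set,
            // and keeps output caching from serving protected pages.
            base.OnAuthorization(filterContext);
        }
    }
}

// Global.asax.cs: register once so a newly added controller is protected
// even if nobody remembers to decorate it.
public class MvcApplication : System.Web.HttpApplication
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new RequireLoginAttribute());
    }

    protected void Application_Start()
    {
        // Area and route registration stay as in the project template.
        RegisterGlobalFilters(GlobalFilters.Filters);
    }
}

// Only the login page opts out; everything else requires an authenticated user.
public class AccountController : Controller
{
    [AllowAnonymousAccess]
    public ActionResult LogOn() { return View(); }
}
```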
