混合使用ASP.NET WebForms和MVC授权
[英]Mixing ASP.NET WebForms and MVC Authorization
问题描述
I'm trying to mix some MVC3 functionality into an existing WebForms application. 
我正在尝试将某些MVC3功能混合到现有的WebForms应用程序中。 I've followed a few guides, and got everything set up and working except for the authorization piece. 我遵循了一些指南,并设置了所有功能并可以正常工作,除了授权件。 The existing application has <deny users="*" /> sitting at the root web.config, and each subfolder has its own web.config that allows access to the pages within for specific roles. 现有应用程序的根目录web.config中有<deny users="*" /> ,每个子文件夹都有其自己的web.config,它允许访问特定角色的页面。
My new understanding is that this style of can't/shouldn't be used on Controllers, and I should be using Authorize attributes instead. 我的新理解是不能/不应在Controllers上使用这种样式,我应该改用Authorize属性。 I've decorated my test " HomeController " class with [Authorize(Roles="AdminRole")] , but I get an "Access Denied" page when I attempt to view the page. 我已经用[Authorize(Roles="AdminRole")]装饰了测试“ HomeController ”类,但是当我尝试查看该页面时,我得到了一个“访问被拒绝”页面。
If i change the root web.config to say <allow users="*" /> , the page works. 如果我将根web.config更改为<allow users="*" /> ,则该页面有效。 Does this mean that the attribute I added to the controller is working, but the root web.config setting is taking precedence over it? 这是否意味着我添加到控制器的属性正常工作,但根web.config设置优先于此属性? I don't want to mess with our existing authorization stuff since the site is well established and I'm just trying to add MVC in to play with. 我不想弄乱我们现有的授权内容,因为该站点已经建立好了,我只是想添加MVC来使用。 Am I missing something? 我想念什么吗? Thanks for any insight you can provide. 感谢您提供的任何见解。
1 个解决方案
解决方案1
1 已采纳 2012-05-22 15:10:04
Ah this is a bit tricky as you are trying to use MVC security in an app already using Web Forms. 嗯,这有点棘手,因为您试图在已经使用Web窗体的应用程序中使用MVC安全性。 If this was pure mvc the choice is simple. 如果这是纯mvc,则选择很简单。 If you can't pull the mvc features out into a separate app then this leaves you in a bit of a pickle. 如果您无法将mvc功能拉出到单独的应用程序中,那么您会有点烦。
My first recommendation would be to try to extract the code. 我的第一个建议是尝试提取代码。 If you are using MVC to only provide restful features maybe also check out MVC4 web api to provide an api for your app and share the components used between them which would require pulling them out of your web app into a Domain library or some other appropriately named library. 如果您使用MVC仅提供宁静的功能,则还可以查看MVC4 Web api为您的应用程序提供api并共享它们之间使用的组件,这将需要将它们从Web应用程序中拉出到Domain库或其他适当命名的文件中图书馆。
With that said, not 100% sure if the allow users="*" is working as expected, but I believe it is. 如此说来,不是100%确定allow users =“ *”是否按预期工作,但我相信是这样。 Its easy enough to test, simply change Roles="AdminRole" to Roles="placeholder" and try again. 它很容易测试,只需将Roles =“ AdminRole”更改为Roles =“ placeholder”,然后重试。
Setting this though kills the rest of your auth so one idea could be to put all mvc routes under a particular url, such as "/api/" and allow * in the web.config to that path and then use mvc's security on all of your controller methods. 设置该设置虽然会杀死其余的身份验证,所以一个想法可能是将所有mvc路由放在特定的URL下,例如“ / api /”,并在web.config中允许*到该路径,然后在所有URL上使用mvc的安全性您的控制器方法。 This would have low impact to your main web app. 这对您的主要Web应用程序影响很小。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.