
ASP.NET MVC Forms authentication - How it works and persists authentication?

I'm working on a site that uses Forms Authentication. I was interested in how the authentication system was working, since when I initially open any page in the site, it redirects me to a login, and none of the controllers/actions have any authorization logic placed in them.

  • Via the configuration below, does MVC or ASP.NET automatically determine if you're authenticated? (Like I said, there is no code in the controllers to "redirect" or make sure that the user is authorized.)
  • If ASP.NET handles this, in what situations do you need to authorize your actions/controllers? (i.e. [Authorize] attribute)
  • How does forms authentication work? I'm especially interested in how the "authorization" is persisted? (i.e. cookies??)

Websites web.config Technology: MVC 3, Entity Framework 4.1 (Code first), ASP.NET 4

<configuration>
<system.web>
        <authentication mode="Forms">
          <forms loginUrl="~/Account/Index" timeout="2880" />
        </authentication>

        <membership defaultProvider="CodeFirstMembershipProvider">
          <providers>
            <clear />
            <add name="CodeFirstMembershipProvider" type="Vanguard.AssetManager.Services.Security.MembershipService" applicationName="/" />
          </providers>
        </membership>

        <roleManager enabled="true" defaultProvider="CodeFirstRoleProvider">
          <providers>
            <clear />
            <add name="CodeFirstRoleProvider" type="Vanguard.AssetManager.Services.Security.RoleService" applicationName="/" />
            <add applicationName="/" name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" />
          </providers>
        </roleManager>

      </system.web>

      <location path="Admin">
        <system.web>
          <authorization>
            <allow roles="Admin" />
            <deny users="*" />
          </authorization>
        </system.web>
      </location>


      <location path="Content/packages">
        <system.web>
          <authorization>
            <allow roles="Admin" />
            <deny users="*" />
          </authorization>
        </system.web>
      </location>

      <location path="Home">
        <system.web>
          <authorization>
            <deny users="?" />
          </authorization>
        </system.web>
      </location>

      <location path="CheckIn">
        <system.web>
          <authorization>
            <allow roles="CheckIn, Admin" />
            <deny users="*" />
          </authorization>
        </system.web>
      </location>

      <location path="Assignment">
        <system.web>
          <authorization>
            <allow roles="Assignment, Admin" />
            <deny users="*" />
          </authorization>
        </system.web>
      </location>
</configuration>

The site uses MVC areas, which I assume is what the section refers to.

Via the configuration below, does MVC or ASP.NET automatically determine if you're authenticated? (Like I said, there is no code in the controllers to "redirect" or make sure that the user is authorized.)

Yes, it uses the <location> section in your web.config to allow only users that have the Admin role to access the /Admin/* path.

If ASP.NET handles this, in what situations do you need to authorize your actions/controllers? (i.e. [Authorize] attribute)

In ASP.NET MVC, using the [Authorize] attribute is the preferred method to control which actions need authorization instead of using the <location> tag in your web.config as you did. The reason for this is that ASP.NET MVC uses routing and you shouldn't be hardcoding paths in your web.config, which is what happens with the <location> section. So always use the [Authorize] attribute to decorate controllers/actions that require authentication.

How does forms authentication work? I'm especially interested in how the "authorization" is persisted? (i.e. cookies??)

Cookies, yes. You might also check out the following article on MSDN which explains how Forms Authentication works.
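
An added example, not part of the original question or answer: the question's <location> rules for Home, Admin and CheckIn expressed as [Authorize] attributes, plus a login action showing where the forms-authentication cookie is issued. The controller names, the LogOnModel type and the one-controller-per-path layout are assumptions.

```csharp
// Added example, not code from the original post. Controller names mirror the
// <location> paths in the question; LogOnModel is a hypothetical view model.
using System.Web.Mvc;
using System.Web.Security;

public class LogOnModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
    public bool RememberMe { get; set; }
}

// No [Authorize] here: loginUrl="~/Account/Index" must stay reachable anonymously.
public class AccountController : Controller
{
    [HttpGet]
    public ActionResult Index() { return View(); }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Index(LogOnModel model, string returnUrl)
    {
        // Membership.ValidateUser calls the configured default membership provider.
        if (ModelState.IsValid && Membership.ValidateUser(model.UserName, model.Password))
        {
            // Writes the forms-authentication ticket cookie; passing true makes it
            // persistent (survives a browser restart) until the configured timeout.
            FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
            // Follow returnUrl only when it is local, to avoid an open redirect.
            if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
            return RedirectToAction("Index", "Home");
        }
        ModelState.AddModelError("", "The user name or password is incorrect.");
        return View(model);
    }
}

// was: <deny users="?" /> on path "Home" (any authenticated user)
[Authorize]
public class HomeController : Controller { public ActionResult Index() { return View(); } }

// was: <allow roles="Admin" /> <deny users="*" /> on path "Admin"
[Authorize(Roles = "Admin")]
public class AdminController : Controller { public ActionResult Index() { return View(); } }

// was: <allow roles="CheckIn, Admin" />; membership in either role is sufficient
[Authorize(Roles = "CheckIn, Admin")]
public class CheckInController : Controller { public ActionResult Index() { return View(); } }
```

Because the attribute travels with the controller, the check still applies if a route later exposes the action under a different URL, which a path-based <location> rule would not cover.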
