混合Web表单和MVC4应用中的授权
[英]Authorization in mixed web forms & mvc4 app
问题描述
I have a project that has been using ASP.NET Web Forms for a long time now, and the security scheme had us denying all users in the root web.config, and allowing users in specific areas of the site based on web.config's in certain folders like so: 
我有一个长期使用ASP.NET Web窗体的项目,该安全方案要求我们拒绝根web.config中的所有用户,并允许基于web.config的站点中特定区域的用户访问。某些文件夹如下:
<!-- Root Web.config -->
<authorization>
<deny users="*" />
</authorization>
<!-- ~/Admin Web.config -->
<authorization>
<allow roles="AdminRole" />
<deny users="*"/>
</authorization>
I'm adding MVC4 to this project, and my original understanding was that Authorization was controlled through attributes like so: 我将MVC4添加到该项目中,而我最初的理解是通过以下属性来控制授权:
[Authorize(Roles="OtherSectionRole")]
public class OtherSectionController : Controller
{ ... }
This doesn't seem to work, even when I use Roles="*" . 即使我使用Roles="*" ,这似乎也不起作用。 Only when I remove the root web.config deny * can I hit the controller actions. 只有删除根web.config deny * ,我才能执行控制器操作。 Am I missing something? 我想念什么吗? I'd rather not remove the catch-all authorization at the root level to get the MVC stuff working. 我宁愿不删除根级别的全面授权以使MVC正常工作。 Thanks in advance! 提前致谢!
1 个解决方案
解决方案1
0 2012-09-22 23:22:05
We had to do something similar a while back, and we wound up turning it on its head. 前段时间我们不得不做类似的事情,然后我们将其翻转过来。 What I mean by that is we made the legacy asp.net site a sub app of the mvc app rather than the other way around. 我的意思是,我们将传统的asp.net网站设为mvc应用程序的子应用程序,而不是相反。 In the mvc app, we set the configuration of the login page (we were using membership with these sites) to the page in the legacy site, and then we left the legacy site's web.config as is. 在mvc应用程序中,我们将登录页面的配置(我们使用这些站点的成员身份)设置为旧站点中的页面,然后将旧站点的web.config保持不变。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.