Integrating Active Directory group with Windows authentication ASP.NET MVC 3

I'm using Windows authentication in an MVC 3 app, and I want only some groups of my Active Directory to access this app. I'm not using the [Authorize] attribute in my controllers, just my web.config configuration.

This is how I set up my web.config:

  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <allow roles="EUsers" />
      <deny users="*" />
    </authorization>
  </system.web>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
    <modules runAllManagedModulesForAllRequests="true" />
    <security>
        <authorization>
            <add accessType="Allow" roles="EUsers" />
            <add accessType="Deny" users="*" />
        </authorization>
    </security>
  </system.webServer>

I also enabled Windows Authentication and ASP.NET Impersonation on my IIS Authorize section. I'm trying to access the app with my user (and I'm a member of EUsers), but it's always prompting for my user and password. Did I forget something? Am I doing something wrong?

I'm not using [Authorize] attribute in my controllers, just my web.config configuration.

That simply is wrong. In an ASP.NET MVC application you should not use web.config to control authorization. You should use the [Authorize] attribute. So:

[Authorize(Roles = "EUsers")]

I see in the comment section that it is still not working. I believe this may be a result of the "Deny" being explicitly assigned to users = "*" and the permission precedence rules.

Here are some rules for resolving permissions conflicts:

  - "Deny" permissions generally take precedence over "allow" permissions.
  - Permissions applied directly to an object (explicit permissions) take precedence over permissions inherited from a parent (for example from a group).
  - Permissions inherited from near relatives take precedence over permissions inherited from distant predecessors. So permissions inherited from the object's parent folder take precedence over permissions inherited from the object's "grandparent" folder, and so on.
  - Permissions from different user groups that are at the same level (in terms of being directly-set or inherited, and in terms of being "deny" or "allow") are cumulative. So if a user is a member of two groups, one of which has an "allow" permission of "Read" and the other has an "allow" of "Write", the user will have both read and write permission--depending on the other rules above, of course.

Although Deny permissions generally take precedence over allow permissions, this is not always the case. An explicit "allow" permission can take precedence over an inherited "deny" permission.

The hierarchy of precedence for the permissions can be summarized as follows, with the higher precedence permissions listed at the top of the list:

  1. Explicit Deny
  2. Explicit Allow
  3. Inherited Deny
  4. Inherited Allow
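
The precedence hierarchy listed above, modeled as a small evaluator. This is an added example, not code from either answer, and it models only the listed rules, not how ASP.NET or IIS processes web.config authorization elements. The `Ace` fields, the `depth` encoding, the right names and every group except EUsers are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    principal: str   # user or group name; "*" matches every identity
    kind: str        # "allow" or "deny"
    right: str       # hypothetical right name, e.g. "read", "write", "access"
    depth: int = 0   # 0 = explicit on the object, 1 = parent, 2 = grandparent, ...

def effective_rights(aces, identities, rights):
    """Return the rights granted to a user whose name and groups are `identities`."""
    granted = set()
    for right in rights:
        matching = [a for a in aces
                    if a.right == right
                    and (a.principal == "*" or a.principal in identities)]
        if not matching:
            continue  # no applicable entry: the right is not granted
        # The nearest level decides: explicit (depth 0) beats inherited,
        # parent beats grandparent.
        nearest = min(a.depth for a in matching)
        level = [a for a in matching if a.depth == nearest]
        # Within one level, any deny beats the allows at that level.
        if all(a.kind == "allow" for a in level):
            granted.add(right)
    return granted

# Constructed sample: both rules explicit, as in the question's configuration.
QUESTION_RULES = [Ace("EUsers", "allow", "access"), Ace("*", "deny", "access")]

# Constructed sample: explicit allow on the object, deny inherited from the parent.
INHERITED_DENY = [Ace("EUsers", "allow", "read", 0), Ace("*", "deny", "read", 1)]

# Constructed sample: two groups at the same level, each allowing a different right.
TWO_GROUPS = [Ace("Readers", "allow", "read"), Ace("Writers", "allow", "write")]

if __name__ == "__main__":
    me = {"alice", "EUsers"}
    print(effective_rights(QUESTION_RULES, me, ["access"]))
    print(effective_rights(INHERITED_DENY, me, ["read"]))
    print(effective_rights(TWO_GROUPS, {"bob", "Readers", "Writers"}, ["read", "write"]))
```

Under these rules the question's pair of explicit entries grants nothing to a member of EUsers, while the same allow survives when the deny is only inherited.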
