Authorization in mixed web forms & mvc4 app
Question
I have a project that has been using ASP.NET Web Forms for a long time now, and the security scheme had us denying all users in the root web.config, and allowing users in specific areas of the site based on web.config's in certain folders like so:
<!-- Root Web.config -->
<authorization>
<deny users="*" />
</authorization>
<!-- ~/Admin Web.config -->
<authorization>
<allow roles="AdminRole" />
<deny users="*"/>
</authorization>
I'm adding MVC4 to this project, and my original understanding was that Authorization was controlled through attributes like so:
[Authorize(Roles="OtherSectionRole")]
public class OtherSectionController : Controller
{ ... }
This doesn't seem to work, even when I use Roles="*" . Only when I remove the root web.config deny * can I hit the controller actions. Am I missing something? I'd rather not remove the catch-all authorization at the root level to get the MVC stuff working. Thanks in advance!
1 answers
solution1
0 2012-09-22 23:22:05
We had to do something similar a while back, and we wound up turning it on its head. What I mean by that is we made the legacy asp.net site a sub app of the mvc app rather than the other way around. In the mvc app, we set the configuration of the login page (we were using membership with these sites) to the page in the legacy site, and then we left the legacy site's web.config as is.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.