MVC 4 Forms Authentication not working with [Authorize]
Notice: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me): StackOverflow
Original address: http://stackoverflow.com/questions/16665660/
Asked by Carlos Landeras
I'm learning MVC4 right now, and I am following the Pro ASP NET MVC4 4th edition book to create a Sports Store project.
I have always developed in webforms, and I am trying to figure out how the forms authentication is working in MVC4.
Here is what I have achieved:
Web.Config
<authentication mode="Forms">
  <forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
AccountController login Action:
[HttpPost]
public ActionResult Login(LoginViewModel model, string returnUrl)
{
    if (ModelState.IsValid)
    {
        // authProvider validates the credentials and sets the forms auth cookie
        if (authProvider.Authenticate(model.UserName, model.Password))
        {
            // On success, leave the login page: go back to ReturnUrl if one was
            // supplied, otherwise to Admin/Index
            return Redirect(returnUrl ?? Url.Action("Index", "Admin"));
        }
        else
        {
            ModelState.AddModelError("", "Incorrect username or password");
            return View();
        }
    }
    else
    {
        return View();
    }
}
Auth Provider:
public bool Authenticate(string username, string password)
{
    // Checks the credentials against the <credentials> configured for forms authentication
    bool result = FormsAuthentication.Authenticate(username, password);
    if (result)
    {
        // Issue a session (non-persistent) forms authentication cookie for this user
        FormsAuthentication.SetAuthCookie(username, false);
    }
    return result;
}
I am setting the AuthCookie and now I would like to know how to protect other controllers and actions outside of the AccountController.
The application has a controller called AdminController, where you can edit products and the product list, under the following {controller/action}:
Admin/Index
So, if I am not misunderstanding the theory, if the user is not logged in through the AccountController they should not be able to call actions with the [Authorize] tag on the declaration:
public class AdminController : Controller
{
    private IProductRepository repository;

    public AdminController(IProductRepository repo)
    {
        repository = repo;
    }

    [Authorize]
    public ActionResult Index()
    {
        return View(repository.Products);
    }
}
The thing is I can call the Index action of the Admin Controller without any problem and without going through the login.
I need some guidance to understand how this works. I have done some research and could not find anything, and the book is not covering this topic.
Thanks in advance.
EDIT: I closed the Chrome browser and it worked without changing anything. I was working with tabs and I guess the cookie was still active even when stopping and starting debugging.
Accepted answer by Darin Dimitrov
If a controller action is decorated with the [Authorize] attribute (as is your Admin/Index action) you cannot invoke this action if you do not have a valid forms authentication cookie in the request.
Also in your Login action, upon successful authentication you should not return a view but you should redirect away, so that the cookie is properly set and available on subsequent requests.
Here's what should happen when a non-authenticated user attempts to access the protected Admin/Index action. The [Authorize] attribute will throw a 401 exception, which as you know from classic WebForms will be intercepted by the Forms Authentication module, and you will be redirected to the loginUrl configured in your web.config, passing the initially requested protected resource in a ReturnUrl query string parameter.
So you must have a Login action on the account controller that is not decorated with the [HttpPost] attribute and which should serve the sign-in view. The request will look like this:
/Account/Login?ReturnUrl=%2Fadmin%2Findex
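The flow the answer describes, as an added example that is not from the question or the answer: a GET Login action that receives the ReturnUrl redirect, and a POST Login that redirects after a successful sign-in instead of returning a view. It also checks the return URL with Url.IsLocalUrl so only paths inside the application are honoured; IAuthProvider and LoginViewModel are assumed names for the asker's own types.

```csharp
using System.Web.Mvc;

// Added example (not the asker's or the answerer's code). IAuthProvider and
// LoginViewModel are assumed to be the asker's own types from the question.
public class AccountController : Controller
{
    private readonly IAuthProvider authProvider;
    public AccountController(IAuthProvider provider)
    {
        authProvider = provider;
    }

    // GET /Account/Login?ReturnUrl=%2Fadmin%2Findex
    // The Forms Authentication module redirects here after [Authorize] yields a
    // 401. Without [HttpPost] this action answers that GET and serves the form.
    [AllowAnonymous]
    public ViewResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    // POST /Account/Login
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }
        if (!authProvider.Authenticate(model.UserName, model.Password))
        {
            ModelState.AddModelError("", "Incorrect username or password");
            return View(model);
        }
        // SetAuthCookie (called inside Authenticate) only adds a Set-Cookie
        // header to this response; the browser first sends the ticket on the
        // next request, so redirect instead of rendering a view here.
        // Honour ReturnUrl only when it stays inside this application, so the
        // login page cannot be used to send a freshly signed-in user elsewhere.
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "Admin");
    }
}
```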

