asp.net-mvc 仅针对一项操作覆盖控制器 AuthorizeAttribute
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/2071235/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Overriding controller AuthorizeAttribute for just one action
提问by David Glenn
I have a controller decorated with an AuthorizeAttribute. The controller contains several actions that all require authentication apart from one action that requires some custom authentication provided by CustomAuthorizeAttribute.
我有一个用 AuthorizeAttribute 装饰的控制器。除了一个需要 CustomAuthorizeAttribute 提供的自定义身份验证的操作之外,控制器包含几个都需要身份验证的操作。
My question is once I've added [Authorize] at the controller level can I override it (or remove it) with [CustomAuthorize] on just one action? Or do I have to remove [Authorize] from the controller level and add it individually to every other action?
我的问题是,一旦我在控制器级别添加了 [Authorize],我是否可以在一个操作中使用 [CustomAuthorize] 覆盖(或删除)它?或者我是否必须从控制器级别删除 [Authorize] 并将其单独添加到所有其他操作?
I'm asking purely for convenience because I'm lazy and don't want to decorate every action with the AuthorizeAttribute.
我纯粹是为了方便,因为我很懒,不想用 AuthorizeAttribute 装饰每个动作。
[Authorize]
public class MyController : Controller {
//requires authentication
public ViewResult Admin() {
return View();
}
//... a lot more actions requiring authentication
//requires custom authentication
[CustomAuthorize] //never invoked as already failed at controller level
public ViewResult Home() {
return View();
}
}
采纳答案by tvanfosson
You can change the Order in which the attributes run (using the Order property), but I believe that in this case they will still both run unless one generates a result with immediate effect. The key is to have the least restrictive attribute applied at the highest level (class) and get more restrictive for the methods. If you wanted the Homeaction to be publicly available, for instance, you would need to remove the Authorize attribute from the class, and apply it to each of the other methods.
您可以更改属性运行的顺序(使用 Order 属性),但我相信在这种情况下它们仍然会运行,除非生成立即生效的结果。关键是在最高级别(类)应用限制最少的属性,并为方法设置更多限制。例如,如果您希望Home操作公开可用,则需要从类中删除 Authorize 属性,并将其应用于其他每个方法。
If the action has the same level of permissiveness, but has a different result, changing the order may be sufficient. For example, you would normally redirect to the Logonaction, but for Homeyou want to redirect to the Aboutaction. In this, case give the class attribute Order=2and the Homeaction attribute Order=1.
如果操作具有相同的许可级别,但具有不同的结果,则更改顺序可能就足够了。例如,您通常会重定向到Logon操作,但是Home您想重定向到About操作。在这种情况下, case 给出 class 属性Order=2和Homeaction 属性Order=1。
回答by Francisco Goldenstein
In MVC 5you can override the authorization for any action using the new attribute OverrideAuthorization. Basically, you add it to an action that has a different authorization configuration than the one defined in the controller.
在 MVC 5 中,您可以使用新属性 OverrideAuthorization 覆盖任何操作的授权。基本上,您将它添加到具有与控制器中定义的授权配置不同的授权配置的操作中。
You do it like this:
你这样做:
[OverrideAuthorization]
[Authorize(Roles = "Employee")]
public ActionResult List() { ... }
More information at http://www.c-sharpcorner.com/UploadFile/ff2f08/filter-overrides-in-Asp-Net-mvc-5/
更多信息请访问http://www.c-sharpcorner.com/UploadFile/ff2f08/filter-overrides-in-Asp-Net-mvc-5/
In ASP.NET Core 2.1there's no OverrideAuthorization attribute and the only thing you can do is make an action anonymous, even if the controller is not. More information at https://docs.microsoft.com/en-us/aspnet/core/security/authorization/roles?view=aspnetcore-2.1
在 ASP.NET Core 2.1中没有 OverrideAuthorization 属性,您唯一可以做的就是匿名操作,即使控制器不是。更多信息请访问https://docs.microsoft.com/en-us/aspnet/core/security/authorization/roles?view=aspnetcore-2.1
One option is to do it this way:
一种选择是这样做:
[Authorize(Roles = "Admin,Employee")] // admin or employee
public class XController : Controller
{
[Authorize(Roles = "Admin")] // only admin
public ActionResult ActionX() { ... }
[AllowAnonymous] // anyone
public ActionResult ActionX() { ... }
}
回答by bmavity
After way too much time, I came up with a solution. You need to decorate your controller with a custom AuthorizeAttribute.
经过太多时间,我想出了一个解决方案。您需要使用自定义 AuthorizeAttribute 装饰您的控制器。
public class OverridableAuthorize : AuthorizeAttribute
{
public override void OnAuthorization(AuthorizationContext filterContext)
{
var action = filterContext.ActionDescriptor;
if(action.IsDefined(typeof(IgnoreAuthorization), true)) return;
var controller = action.ControllerDescriptor;
if(controller.IsDefined(typeof(IgnoreAuthorization), true)) return;
base.OnAuthorization(filterContext);
}
}
Which can be paired with AllowAnonymouson an Action
可以与AllowAnonymousAction配对
[AllowAnonymous]
回答by MemeDeveloper
All you need to overridethe [Authorize]from the controller, for a specific actionis to add
所有你需要重写的[授权]从控制器,用于特定的行动是添加
[AllowAnonymous]
to the action you want to not be authorized (then add your custom attribute as required).
到您不想被授权的操作(然后根据需要添加您的自定义属性)。
See the comments / intellisense :
查看评论/智能感知:
Represents an attribute that marks controllers and actions to skip the System.Web.Mvc.AuthorizeAttribute during authorization.
表示一个属性,该属性将控制器和操作标记为在授权期间跳过 System.Web.Mvc.AuthorizeAttribute。
