C# 表单身份验证和授权 MVC 4
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/16382950/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Forms Authentication & authorization MVC 4
提问by Shahar
I'm trying to create an anonymous controller in order to acheive form authentication. I configured my IIS 7 with anonymous and form authentication enabledand set my web.config to denyanonymous users. On the login controller I put the [AllowAnonymous] decoration on my controller (and my actions).
我正在尝试创建一个匿名控制器以实现表单身份验证。我配置了我的 IIS 7启用了匿名和表单身份验证,并将我的 web.config 设置为拒绝匿名用户。在登录控制器上,我将 [AllowAnonymous] 装饰放在我的控制器(和我的操作)上。
The only action I can get on this set of configuration is the login action (which returns the "login" view), and I'm guessing that the MVC allows me to get this action because I set it as the login URL on my web.config.
我可以在这组配置上获得的唯一操作是登录操作(它返回“登录”视图),我猜 MVC 允许我获得此操作,因为我将其设置为我的网络上的登录 URL .config。
Here is my web config configuration:
这是我的网络配置配置:
<authentication mode="Forms">
<forms loginUrl="~/Login/Login" timeout="2880" />
</authentication>
All the other actions are redirected to the login action. On this set of configuration I can't achieve other important actions like restore password, register, etc.
所有其他操作都重定向到登录操作。在这组配置上我无法实现其他重要的操作,例如恢复密码,注册等。
What am I doing wrong?
我究竟做错了什么?
采纳答案by hVostt
Use global authentification filter with custom behaviour instead of authorization configuration in web.config (best for MVC)
使用具有自定义行为的全局身份验证过滤器而不是 web.config 中的授权配置(最适合 MVC)
add global filter
添加全局过滤器
public class FilterConfig
{
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
filters.Add(new AuthorizeAttribute());
}
}
Then, [AllowAnonymous] will works, and all other controllers and actions requires Authorization.
然后,[AllowAnonymous] 将起作用,所有其他控制器和操作都需要授权。
回答by Saravanan
Did you try to allow the anonymous authorization for the URL's like in the sample below
您是否尝试允许对以下示例中的 URL 进行匿名授权
<location path="Login/Login">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Similar to this you should be setting for the ResetPassword / Restore password / Register etc...
与此类似,您应该设置重置密码/恢复密码/注册等...
回答by Wiktor Zychla
There are two possible approaches.
有两种可能的方法。
First - you can deny anonymous requests globally with the Authorize attribute and mark these few which do not need authorization with AllowAnonymous attribute (which is new to MVC4).
首先 - 您可以使用 Authorize 属性全局拒绝匿名请求,并使用 AllowAnonymous 属性(这是 MVC4 的新特性)标记这些不需要授权的少数请求。
Second - do not deny globally but rather secure your selected controllers/actions with Authorize attribute.
其次 - 不要全局拒绝,而是使用 Authorize 属性保护您选择的控制器/操作。
回答by Kamyar
You can also register Authorizefilter in RegisterGlobalFiltersmethod:
您还可以Authorize在RegisterGlobalFilters方法中注册过滤器:
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
filters.Add(new HandleErrorAttribute());
filters.Add(new AuthorizeAttribute());
}
And then use the AllowAnonymousattribute on action methods that require anonymous access:
然后AllowAnonymous在需要匿名访问的操作方法上使用该属性:
[Authorize]
public class AccountController : Controller
{
[AllowAnonymous]
public ActionResult RecoverPassword()
{
...
}
}
回答by Arulraj
I removed the following portion from web.config then it is started working for me.
我从 web.config 中删除了以下部分,然后它开始为我工作。
<!--<authorization>
<deny users="?" />
</authorization>-->
