C#: How to allow an anonymous user access to some given page in MVC?
Original source: http://stackoverflow.com/questions/9727509/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
How to allow an anonymous user access to some given page in MVC?
Asked by Johnson Duru
I have enabled form authentication in my ASP.NET MVC web application. I want to allow anonymous users access only to some specific pages, including Register.cshtml for instance. I was able to allow access to my CSS-file from my root web.config by doing this.

    <location path="Content/Site.css">
      <system.web>
        <authorization>
          <allow users="*"/>
        </authorization>
      </system.web>
    </location>

Now I want to allow anonymous access to other pages, like Home and Register. Does anybody know how to achieve this?
Accepted answer by Christofer Eliasson
In MVC you normally use the [Authorize] attribute to manage authorization. Controllers or individual actions that are dressed with that attribute will require that the user is authorized in order to access them - all other actions will be available to anonymous users.
In other words, a black-list approach, where actions that require authorization are black-listed for anonymous users using [Authorize] - all actions (not dressed with the attribute) will be available.
Update:
With MVC4 a new attribute has been introduced, namely the [AllowAnonymous] attribute. Together with the [Authorize] attribute, you can now take a white-list approach instead. The white-list approach is accomplished by dressing the entire controller with the [Authorize] attribute, to force authorization for all actions within that controller. You can then dress specific actions, that shouldn't require authorization, with the [AllowAnonymous] attribute, and thereby white-listing only those actions. With this approach, you can be confident that you don't, by accident, forget to dress an action with the [Authorize], leaving it available to anyone, even though it shouldn't.
Your code could then be something like this:

    using System.Web.Mvc;

    [Authorize]
    public class UserController : Controller
    {
        [AllowAnonymous]
        public ActionResult LogIn()
        {
            // This action can be accessed by unauthorized users
            return View();
        }

        public ActionResult UserDetails()
        {
            // This action can NOT be accessed by unauthorized users
            return View();
        }
    }

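
An added example, not part of the original answers: a reflection check, suitable for a unit test, that lists every action an anonymous user can reach so that a forgotten [Authorize] is caught before release. ReportsController, AnonymousAccessAudit and the allow-list are hypothetical names; it assumes ASP.NET MVC 4 or later (System.Web.Mvc) and reads attributes only.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Constructed sample: UserController as in the answer above, plus a
// hypothetical ReportsController on which [Authorize] was forgotten.
[Authorize]
public class UserController : Controller
{
    [AllowAnonymous]
    public ActionResult LogIn() { return View(); }
    public ActionResult UserDetails() { return View(); }
}

public class ReportsController : Controller
{
    public ActionResult Export() { return View(); }
}

public static class AnonymousAccessAudit
{
    // Lists "Controller.Action" for every action an anonymous user can reach,
    // judged by attributes only (global filters and web.config are not read).
    public static IEnumerable<string> FindAnonymousActions(Assembly assembly)
    {
        foreach (var controller in assembly.GetTypes()
            .Where(t => typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract))
        {
            bool classAuthorize = controller.IsDefined(typeof(AuthorizeAttribute), true);
            bool classAnonymous = controller.IsDefined(typeof(AllowAnonymousAttribute), true);
            // Candidate actions: public instance methods not declared on
            // Controller or its base types and not marked [NonAction].
            var actions = controller.GetMethods(BindingFlags.Public | BindingFlags.Instance)
                .Where(m => !m.IsSpecialName
                    && !m.GetBaseDefinition().DeclaringType.IsAssignableFrom(typeof(Controller))
                    && !m.IsDefined(typeof(NonActionAttribute), true));
            foreach (var action in actions)
            {
                // [AllowAnonymous] on the action or its controller overrides [Authorize].
                bool anonymous = classAnonymous || action.IsDefined(typeof(AllowAnonymousAttribute), true);
                bool authorize = classAuthorize || action.IsDefined(typeof(AuthorizeAttribute), true);
                if (anonymous || !authorize)
                    yield return controller.Name + "." + action.Name;
            }
        }
    }

    // Anonymous actions that are missing from the reviewed allow-list.
    public static string[] Unexpected(Assembly assembly, ICollection<string> allowList) =>
        FindAnonymousActions(assembly).Where(a => !allowList.Contains(a)).ToArray();
}
```

In a test project, call `Unexpected` with the web application's assembly and the reviewed allow-list, and fail the test when the result is not empty. With an allow-list containing only `UserController.LogIn`, the sample controllers leave `ReportsController.Export` as the one unexpected entry.
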
Answer by Josue Morales
In the Web.config I had the below authorization

    <authorization>
      <deny users="?"/>
    </authorization>

This causes the [AllowAnonymous] to not work correctly. I had to remove that authorization of my Web.config, and in all the controllers put the line [Authorize] before the declaration of the class, to work correctly.

