允许使用 ASP-MVC 和表单身份验证访问特定页面
以下是我的视图目录布局的简单概述:
项目
- Page 1
- Page 2
- RSS
问题
- Page 1
- Page 2
- RSS
我正在使用表单身份验证来拒绝所有未经身份验证的用户的访问,效果很好。 但是,我希望能够向每个人授予对 RSS 视图的访问权限(以便他们可以通过 google reader 等订阅)
我知道您可以通过将以下页面添加到 web.config 来授予对页面的访问权限
<location path="TOURPAGE.aspx">
<system.web>
<authorization>
<allow users="*" />
<allow users="?" />
</authorization>
</system.web>
但是,如何我使用动态创建的 URL 来执行此操作,例如:
Issues/RSS/chrisj
- 该路径映射到名为 RSS 的问题中的控制器,该控制器采用用户名并吐出其问题的 RSS...
编辑
我认为的一些答案已修复它,但是:
看来,至少在我的情况下,您仍然需要身份验证 cookie 才能查看该页面。 只要您有 cookie,您就可以注销并查看它。
这对我来说没有好处,我需要该页面完全公开,因为它是 RSS 提要。
Here is a simple overview of my directory layout for my views:
Project
- Page 1
- Page 2
- RSS
Issues
- Page 1
- Page 2
- RSS
I am using forms authentication to deny access to all unauthenticated users, that works fine. However, I want to be able to grant access to the RSS views to everyone (so they can subscribe via google reader and stuff)
I understand that you can grant access to pages by adding the following page to your web.config
<location path="TOURPAGE.aspx">
<system.web>
<authorization>
<allow users="*" />
<allow users="?" />
</authorization>
</system.web>
However, how would I do this with my dynamically made URL's, such as:
Issues/RSS/chrisj
- That path maps to a controller in issues called RSS, which takes a username and spits out an RSS of thier issues...
EDIT
Some answers I thought had fixed it, but:
It seems that, in my case at least, you still need the authentication cookie in order to see the page. You can be logged out and view it, so long as you have the cookie.
That is no good to me, I need the page to be completely public, as it is an RSS feed.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
这实际上比我想象的要简单得多。 看来 .net 很聪明,我尝试了以下方法:
它起作用了:)
This was actually much simpler than I thought. Seems .net is quite clever, I tried the following:
And it worked :)
忘记> 东西...听起来您需要在操作中使用 [Authorize] 属性。
查看这些页面以获取更多信息:
http://www.asp.net/learn/mvc/tutorial- 17-cs.aspx
http://www.pnpguidance.net/post/ASPNETMVCFrameworkPreview4HandleErrorAuthorizeOutputCacheActionFilterAttributes.aspx
另外,属性也可以应用于控制器级别,因此您不必将其放在每个单独的操作上。
Forget about the <location><allow /><deny /> stuff... sounds like you need to use the [Authorize] attribute on your actions.
Check out these pages for more info:
http://www.asp.net/learn/mvc/tutorial-17-cs.aspx
http://www.pnpguidance.net/post/ASPNETMVCFrameworkPreview4HandleErrorAuthorizeOutputCacheActionFilterAttributes.aspx
Also, the attribute can be applied at the controller level as well, so you don't have to put it on each individual action.
编辑:顺便说一句,这是因为 .NET 假设 URL 指向一个目录,并且上面的位置标记表示“‘Issues/RSS’目录中的任何内容都是安全的:)
EDIT: The reason this works by the way, is because .NET is assuming that URL goes to a directory, and this location tag above says "anything in the 'Issues/RSS' directory is safe :)
这可能无法按预期工作。
看来,至少就我而言,您仍然需要身份验证 cookie 才能查看该页面。 只要您有 cookie,您就可以注销并查看它。
这对我来说没有好处,我需要该页面完全公开,因为它是 RSS 提要。
This might not be working as intended.
It seems that, in my case at least, you still need the authentication cookie in order to see the page. You can be logged out and view it, so long as you have the cookie.
That is no good to me, I need the page to be completely public, as it is an RSS feed.
我同意 Charlino 的观点,即 [Authorize] 标签可能会解决您的问题。
如果您对 RSS 和页面使用单个控制器操作(并且只是根据某些参数呈现不同的 ActionResult),您可以使用
HttpContext.Current.User.Identity.IsAuthenticated< 检查用户是否经过身份验证/code>,并在控制器操作中使用它来决定是否继续& 允许访问。I agree with Charlino that the [Authorize] tag will probably solve your problem.
If you are using a single controller action for both RSS and a page (and are just rendering a different ActionResult based on some parameter), you can check if the user is authenticated with
HttpContext.Current.User.Identity.IsAuthenticated, and use that within the controller action to decide whether or not to continue & allow access.