Windows Authentication and MVC: the proper way to exclude a single file/route
I have an MVC 3 site which is protected via Windows Authentication. However, there is a physical file at the root of the site, along with a controller action method (via a custom route), which need to be available without authenticating. What is the proper way to do this? I want the entire site protected without needing [Authorize] at the top of my controllers (or in a base controller class). On IIS 7, I have both Anonymous and Windows Authentication enabled at the site root.
Currently I have the following (applicable) sections in my Web.config:
    <authentication mode="Windows" />
    <location path="public.js"> <!-- physical file -->
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
    </location>
    <location path="public.gif"> <!-- custom route to action method -->
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
    </location>
If I don't put [Authorize] at the top of my controllers, I am never prompted for credentials. Do I just need a <deny users="?"/> somewhere, or is there a better way to approach this from the start?
Thanks!
Comments (1)
Authentication for controller actions must be handled by the [Authorize] attribute. The web.config settings only apply to physical files.
If you don't want to put the [Authorize] attribute on each controller, you could make a base controller class that includes the [Authorize] attribute. All controllers that inherit from this base controller class would automatically require authentication.
Personally, I don't find it that difficult to add the [Authorize] attribute manually to each controller and prefer the finer level of control.
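An added example, not part of the answer above: one way to combine the base-controller approach with a single anonymous action. MVC 3 has no built-in [AllowAnonymous], so the marker attribute, the filter, and all class, action and path names here are hypothetical.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical marker attribute: put it on the few actions that must stay public.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class PublicEndpointAttribute : Attribute { }

// Authorize filter that enforces authentication unless the action or its
// controller carries [PublicEndpoint]. Everything else is denied by default.
public class AuthorizeUnlessPublicAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        ActionDescriptor action = filterContext.ActionDescriptor;
        bool isPublic =
            action.IsDefined(typeof(PublicEndpointAttribute), true) ||
            action.ControllerDescriptor.IsDefined(typeof(PublicEndpointAttribute), true);

        if (isPublic) return;                 // explicit opt-out only
        base.OnAuthorization(filterContext);  // normal [Authorize] check: 401 for anonymous
    }
}

// The base controller class suggested in the answer, using the filter above.
[AuthorizeUnlessPublic]
public abstract class SecuredController : Controller { }

public class ReportsController : SecuredController
{
    // Requires an authenticated Windows user (filter inherited from the base class).
    public ActionResult Index() { return View(); }
}

public class AssetsController : SecuredController
{
    // The one anonymous action; assumed to be the target of the custom
    // route for "public.gif" described in the question.
    [PublicEndpoint]
    public ActionResult PublicGif()
    {
        // Constructed path, for illustration only.
        return File(Server.MapPath("~/Content/public.gif"), "image/gif");
    }
}
```

Because the exemption is an explicit attribute, a search for [PublicEndpoint] lists every anonymous entry point, and a new controller that inherits from SecuredController is protected without further action.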