Access control in an ASP.MVC application


Question

I use the following code for controlling access in an ASP.MVC application (this is a piece of a controller):

public ActionResult MakeEditable(int id) 
{
    // controlling part
    if (!User.Identity.IsAuthenticated)
    {
        return RedirectToAction("Login", "User", new {
            callback = Url.Action("MakeEditable", "Article", new { id = id })
        });
    }

    // action's body
}

It is very inconvenient to write the controlling part for each action, so I'm looking for a way to avoid it. If it were Nemerle I could use attribute-level macros, but for C#, I think, the best approach is PostSharp. What other ways to provide this functionality could you advise?

Recommended answer

There are several options for authorization in ASP.NET MVC. The way you are doing it is indeed very inconvenient, but there is a better way! You DO have attribute macros in C# :)

[Authorize]
public ActionResult DoSomething(int someParam)
{
     //Do stuff here.
     return View();
}

The [Authorize] tag can be placed directly above any action on a controller or even above the controller class itself to make the entire controller accessible only to authenticated users.

[Authorize]
public class HomeController : Controller
{
     //Actions and stuff
}

If you are using the membership and role provider you can even include a role filter in the attribute.

[Authorize(Roles="trader")]
public ActionResult SomeAction(int someParam)
{
     //stuff...
}

It is also possible to apply authorization to entire URL routes. Similar to the way you would apply directory level authorization in traditional ASP.NET Web Forms. Just add something like this to your web.config:

<location path="Admin">
     <system.web>
          <authorization>
               <deny users="?"/>
               <allow roles="SiteAdmin"/>
               <deny users="*"/>
          </authorization>
     </system.web>
</location>

This tells UrlAuthorizationModule (which is registered for all ASP.NET applications by default) that for the URL ~/Admin and URLs matching ~/Admin/*, it should do the following:

• Deny access for unauthenticated visitors (<deny users="?"/>)

• Allow access for authenticated visitors in the SiteAdmin role (<allow roles="SiteAdmin"/>)

• Deny access to all other visitors (<deny users="*"/>)
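To keep the question's redirect to User/Login with a callback parameter while still using the attribute approach from the answer, the attribute can be subclassed. The following is an added example, not code from the original question or answer. It assumes ASP.NET MVC 3 or later with forms authentication and a membership provider; the attribute name, the POST Login signature and the Home/Index fallback are hypothetical.

```csharp
using System.Web.Mvc;
using System.Web.Routing;
using System.Web.Security;

// Hypothetical attribute; usage: [LoginRedirectAuthorize] above MakeEditable or the controller class.
public class LoginRedirectAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var http = filterContext.HttpContext;
        if (http.User.Identity.IsAuthenticated)
        {
            // Signed in but failed a Roles/Users check: answer 403 instead of
            // sending an already authenticated user back to the login page.
            filterContext.Result = new HttpStatusCodeResult(403);
            return;
        }
        // Anonymous: same redirect as the hand-written check in the question.
        filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary
        {
            { "controller", "User" },
            { "action", "Login" },
            { "callback", http.Request.RawUrl }
        });
    }
}

public class UserController : Controller
{
    // Assumed POST half of the question's User/Login action (GET view omitted).
    [HttpPost]
    public ActionResult Login(string userName, string password, string callback)
    {
        if (!Membership.ValidateUser(userName, password))
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            return View();
        }
        FormsAuthentication.SetAuthCookie(userName, false);

        // callback is request data: follow it only if it stays inside this site,
        // otherwise the login page becomes an open redirect.
        if (!string.IsNullOrEmpty(callback) && Url.IsLocalUrl(callback))
            return Redirect(callback);
        return RedirectToAction("Index", "Home"); // assumed default landing page
    }
}
```

Because the attribute derives from AuthorizeAttribute, the Roles filter shown in the answer still works, for example [LoginRedirectAuthorize(Roles="trader")].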
