配置在混合MVC / WebForms的网络应用授权 [英] Configuring Authorization in a mixed MVC / WebForms Web app

问题描述

我目前正在迁移的WebForms / MVP应用到MVC的一些组件。到目前为止，一切正常，除了授权。无论什么时候，当我浏览到登录页面的MVC版本，我重定向到在的Web.config设置aspx页面：

I'm currently migrating some components of a WebForms / MVP application into MVC. So far, everything is working except for authorization. No matter what, when I navigate to the MVC version of the Login page, I get redirected to the aspx page that is set in the Web.config:

    <authentication mode="Forms">
      <forms name=".MyWebSite" enableCrossAppRedirects="true" loginUrl="Login.aspx" timeout="60" path="/" defaultUrl="~/Pages/Landing.aspx"></forms>
    </authentication>

我试过使用使用AllowAnonymous ，但现在看来，web表单配置正在precedence。这里是我的登录控制器：

I've tried using AllowAnonymous but it appears that the webforms config are taking precedence. Here's my Login controller:

[RouteArea("User", AreaPrefix = "")]
public class AuthenticationController : Controller {
    [Route("Login")]
    [AllowAnonymous]
    public ActionResult Login() {
        return View();
    }
}

和我的目录结构是这样的：

And my Directory structure looks like this:

> Web Project
   > Areas
      > User 
          > Controllers
              > AuthController
          > Views
              > Login.cshtml

在我的web.config，我看到以下内容以允许对错误页面的匿名访问：

In my web.config, I see the following to allow anonymous access to the Error pages:

  <location path="Error">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

不过这个重复的领域路径是行不通的（presumably因为CSHTML文件不实际位于那里的aspx页面？）。

However duplicating this for the Areas path isn't working (presumably because the cshtml files are not actually located there as aspx pages are?).

现在，如果我在我登录（通过登录的ASPX版）和我的用户进行身份验证，我可以访问MVC实现就好了。路由和渲染的奇妙工作。它只是允许未经认证的用户访问该网页的MVC（不重定向到ASPX实现），这似乎是一个挑战。我究竟做错了什么？

Now, if I am logged in (via the aspx version of login) and my user is authenticated, I can access the MVC implementation just fine. Routing and rendering are working wonderfully. It's just allowing unauthenticated users to access the MVC page (without redirecting to the aspx implementation) that seems to be a challenge. What am I doing wrong?

修改
一个真正哈克部分解决方案，我发现（基于<一个href=\"http://stackoverflow.com/questions/4616524/turning-off-asp-net-webforms-authentication-for-one-sub-directory\">Turning关闭一个子目录 ASP.Net WebForms的验证）如下：

EDIT A really hacky partial solution I've found (based on Turning off ASP.Net WebForms authentication for one sub-directory) is the following:

    protected void Application_BeginRequest(object sender, EventArgs e) {
        // lots of existing web.config controls for which webforms folders can be accessed
        // read the config and skip checks for pages that authorise anon users by having
        // <allow users="?" /> as the top rule.
        // http://stackoverflow.com/questions/4616524/turning-off-asp-net-webforms-authentication-for-one-sub-directory

        // check local config
        var localAuthSection = ConfigurationManager.GetSection("system.web/authorization") as AuthorizationSection;

        // this assumes that the first rule will be <allow users="?" />
        var localRule = localAuthSection.Rules[0];
        if (localRule.Action == AuthorizationRuleAction.Allow && localRule.Users.Contains("?")) {
            // then skip the rest
            return;
        }

        // get the web.config and check locations
        var conf = WebConfigurationManager.OpenWebConfiguration("~");
        foreach (ConfigurationLocation loc in conf.Locations) {
            // find whether we're in a location with overridden config

            // get page name
            var currentPath = Path.GetFileName(this.Request.Path);
            if (currentPath.Equals(loc.Path, StringComparison.OrdinalIgnoreCase)) {
                // get the location's config
                var locConf = loc.OpenConfiguration();
                var authSection = locConf.GetSection("system.web/authorization") as AuthorizationSection;
                if (authSection != null) {
                    // this assumes that the first rule will be <allow users="?" />
                    var rule = authSection.Rules[0];
                    if (rule.Action == AuthorizationRuleAction.Allow && rule.Users.Contains("?")) {
                        // then skip the rest
                        return;
                    }
                }
            }
        }
    }

这意味着我可以指定登录是这样的：

Which means I can specify "Login" like this:

  <location path="Login">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>

但后来所有的相关的CSS / JS还是没有得到渲染，除非我去通过添加规则的文件类型。还有的获得的是一个更优雅的修复了这一点。

But then all of the associated CSS/JS do not get rendered, unless I go through and add rules for those filetypes. There's got to be a more elegant fix to this.

推荐答案

我找到了我认为是的正确的解决方案。在我的的web.config ，我设置了 loginUrl 来我的MVC页：

I found what I think is the proper solution. In my web.config, I set the loginUrl to my MVC page:

    <authentication mode="Forms">
      <forms name=".MyWebSite" enableCrossAppRedirects="true" loginUrl="Login" timeout="60" path="/" defaultUrl="~/Pages/Landing.aspx"></forms>
    </authentication>

然后我不得不从我authController内设置cookie，这样，当我重定向到一个aspx页面， HttpContext.CurrentUser 被定义为登录的用户：

FormsAuthentication.SetAuthCookie(model.Username, true);

我不知道这是不是真的去了解这个正确的方法，但到目前为止，这似乎是工作。当我离开的情况下，此人开了任何反馈。

I don't know if this is indeed the correct way to go about this, but so far it seems to be working. I'll leave this open in case anyone has any feedback.

这篇关于配置在混合MVC / WebForms的网络应用授权的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！