混合ASP.NET WebForms和MVC授权 [英] Mixing ASP.NET WebForms and MVC Authorization

问题描述

我试图把一些MVC3功能集成到现有的WebForms应用程序。我跟着几个导游，并得到了一切设置和除授权一块工作。现有的应用程序有＆LT;拒绝用户=*/＆GT; 坐在根web.config，每个子文件夹都有自己的web.config，允许访问内特定角色的页面。

I'm trying to mix some MVC3 functionality into an existing WebForms application. I've followed a few guides, and got everything set up and working except for the authorization piece. The existing application has <deny users="*" /> sitting at the root web.config, and each subfolder has its own web.config that allows access to the pages within for specific roles.

我的新的理解是不能的这种风格/不应在控制器使用，我应该使用授权，而不是属性。我饰我的测试的HomeController 类 [授权（角色=AdminRole）] ，但我得到一个拒绝访问页面，当我试图查看该页面。

My new understanding is that this style of can't/shouldn't be used on Controllers, and I should be using Authorize attributes instead. I've decorated my test "HomeController" class with [Authorize(Roles="AdminRole")], but I get an "Access Denied" page when I attempt to view the page.

如果我改变根web.config说＆LT;让用户=*/＆GT; ，页面的作品。这是否意味着我添加到控制器的属性是工作，但根web.config设置正在precedence过来的吗？我不想与我们现有授权的东西乱七八糟，因为该网站是公认的，我只是想添加MVC中一起玩。我缺少的东西吗？感谢您的任何见解，您可以提供。

If i change the root web.config to say <allow users="*" />, the page works. Does this mean that the attribute I added to the controller is working, but the root web.config setting is taking precedence over it? I don't want to mess with our existing authorization stuff since the site is well established and I'm just trying to add MVC in to play with. Am I missing something? Thanks for any insight you can provide.

推荐答案

啊，这是一个有点棘手，因为你要使用MVC安全的应用程序已经在使用Web窗体。如果是纯粹的MVC的选择很简单。如果你不能拉的MVC功能到一个单独的应用程序，然后这让你在有点咸菜。

Ah this is a bit tricky as you are trying to use MVC security in an app already using Web Forms. If this was pure mvc the choice is simple. If you can't pull the mvc features out into a separate app then this leaves you in a bit of a pickle.

我的第一个建议是尝试提取code。如果您正在使用MVC只提供宁静的特点，也许还检查了MVC4网页API，为您的应用程序的API，并分享他们之间使用的组件这需要拉出来你的web应用程序到域库或其他适当命名库。

My first recommendation would be to try to extract the code. If you are using MVC to only provide restful features maybe also check out MVC4 web api to provide an api for your app and share the components used between them which would require pulling them out of your web app into a Domain library or some other appropriately named library.

随着中说，不是100％肯定，如果让用户=*按预期工作，但我相信它是。它很容易测试，简单地改变角色=AdminRole，以角色=占位符，然后重试。

With that said, not 100% sure if the allow users="*" is working as expected, but I believe it is. Its easy enough to test, simply change Roles="AdminRole" to Roles="placeholder" and try again.

设置这虽然杀死你的身份验证的其余部分，以便一个想法可能是把一个特定的URL下的所有MVC的路线，如/ API /，让*在web.config该路径，然后使用MVC的安全在所有的控制器方法。这将有低影响到您的主Web应用程序。

Setting this though kills the rest of your auth so one idea could be to put all mvc routes under a particular url, such as "/api/" and allow * in the web.config to that path and then use mvc's security on all of your controller methods. This would have low impact to your main web app.

这篇关于混合ASP.NET WebForms和MVC授权的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！