Authorize attribute in ASP.NET MVC

Question

I am having a hard time understanding the real use of the [Authorize] attribute in ASP.NET MVC. As the concept goes, if we decorate a controller method with the [Authorize] attribute, only authenticated users are allowed to access the controllers.

I have developed an ASP.NET MVC application without decorating controllers with the [Authorize] attribute. What I have observed is that if I implement the authentication mechanism properly in my application using web.config or some other way, there is no way I can access the URL {controller}/{action}/{id} of a particular action method.

The system always asks for login. That means my controllers are secured. My question is this: when I can secure my controllers without using the [Authorize] attribute, what is the real need for it?

Recommended answer

The real power comes with understanding and implementing a membership provider together with a role provider. You can assign users to roles, and according to that restriction you can apply different access roles for different users to controller actions or to the controller itself.

[Authorize(Users = "Betty, Johnny")]
public ActionResult SpecificUserOnly()
{
    return View();
}

You can also restrict by group

[Authorize(Roles = "Admin, Super User")]
public ActionResult AdministratorsOnly()
{
    return View();
}
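
The following is an added example, not part of the original answer: it shows the attribute used as a secure-by-default policy, where the check is attached to the action itself and so applies whichever route reaches it. It assumes ASP.NET MVC 4 or later (for [AllowAnonymous]); the controller names and the "Auditor" role are hypothetical.

```csharp
using System.Web.Mvc;

// Registered once at startup (for example from Application_Start via
// FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters)).
// Every action then requires an authenticated user unless it opts out.
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new AuthorizeAttribute());
    }
}

public class AccountController : Controller   // hypothetical controller
{
    // Explicit opt-out: the login page must stay reachable anonymously.
    [AllowAnonymous]
    public ActionResult Login()
    {
        return View();
    }
}

public class ReportsController : Controller   // hypothetical controller
{
    // No attribute here: covered by the global filter,
    // so any authenticated user may call it.
    public ActionResult Index()
    {
        return View();
    }

    // Comma-separated roles are alternatives: Admin OR Super User.
    [Authorize(Roles = "Admin, Super User")]
    public ActionResult Manage()
    {
        return View();
    }

    // Stacked attributes must all pass: Admin AND Auditor.
    [Authorize(Roles = "Admin")]
    [Authorize(Roles = "Auditor")]   // "Auditor" is a hypothetical role
    public ActionResult Export()
    {
        return View();
    }
}
```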
