ASP.NET MVC Forms authentication and unauthenticated controller actions

Problem description

I have an ASP.NET MVC site that is locked down using Forms Authentication. The web.config has

<authentication mode="Forms">
    <forms defaultUrl="~/Account/LogOn" loginUrl="~/Account/LogOn" timeout="2880"/>
</authentication>
<authorization>
    <deny users="?"/>
</authorization>

None of my pages other than Account/LogOn can be viewed unless the user is authenticated.

Now I am trying to add PayPal IPN to my site and in order to do that I need to have two pages that handle PayPal's payment confirmation and thank you page. These two pages need to be available for anonymous users.

I would like these pages to be controller actions off my Account controller. Is there any way I can apply an attribute to specific action methods that makes them available to anonymous users? I found several posts here that attempt to do that, but most people wanted the opposite scenario.

Basically I want my AccountController class to have no authorization for most of the methods except for a few. Right now it looks like only the LogOn method is available to anonymous users.

Recommended answer

Yes you can. In your AccountController there's an [Authorize]-attribute either on class-level (to make the whole controller restricted) or on specific methods.

To make specific actions restricted you simply use the Authorize-attribute on the methods that handle these actions, and leave the controller-class unrestricted.

Here are a few examples... hope it helps

To require users to login, use:

[Authorize]
public class SomeController : Controller

// Or
[Authorize]
public ActionResult SomeAction()

To restrict access for specific roles, use:

[Authorize(Roles = "Admin, User")]
public class SomeController : Controller

// Or
[Authorize(Roles = "Admin, User")]
public ActionResult SomeAction()

And to restrict access for specific users, use:

[Authorize(Users = "Charles, Linus")]
public class SomeController : Controller

// Or
[Authorize(Users = "Charles, Linus")]
public ActionResult SomeAction()

As you can see, you can either use the attribute at class-level or at method-level. Your choice!
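
An added example, not part of the original answer: the Account controller restricted at class level, with the login page and the two PayPal pages from the question opting out, and the IPN handler checking the message itself because it no longer has any authentication in front of it. It assumes ASP.NET MVC 4 or later (for `[AllowAnonymous]`), hypothetical action names `ThankYou`, `PayPalIpn` and `ChangePassword`, a hypothetical `PayPalIpnVerifyUrl` appSettings key holding PayPal's IPN verification endpoint, and that the site-wide `<deny users="?"/>` rule has been removed from web.config, since URL authorization runs before MVC filters and would still send anonymous requests to the login page.

```csharp
using System.Configuration;
using System.Net;
using System.Text;
using System.Web.Mvc;

// Class-level [Authorize]: every action needs a logged-in user unless it opts out.
[Authorize]
public class AccountController : Controller
{
    [AllowAnonymous]                  // the login page must stay reachable
    public ActionResult LogOn() { return View(); }

    [AllowAnonymous]                  // hypothetical action: page PayPal sends the buyer back to
    public ActionResult ThankYou() { return View(); }

    // Hypothetical action: PayPal posts the IPN here server to server, so the
    // request never carries a forms-authentication cookie.
    [AllowAnonymous, HttpPost]
    public ActionResult PayPalIpn()
    {
        // Anonymous is not the same as trusted: anyone can POST to this URL,
        // so send the message back to PayPal and act only on "VERIFIED".
        byte[] raw = Request.BinaryRead(Request.ContentLength);
        string message = Encoding.ASCII.GetString(raw);

        // Assumed appSettings key; the endpoint value is not given on this page.
        string verifyUrl = ConfigurationManager.AppSettings["PayPalIpnVerifyUrl"];

        string verdict;
        using (var client = new WebClient())
        {
            client.Headers[HttpRequestHeader.ContentType] = "application/x-www-form-urlencoded";
            verdict = client.UploadString(verifyUrl, "cmd=_notify-validate&" + message);
        }

        if (verdict != "VERIFIED")
            return new HttpStatusCodeResult(400);   // forged or corrupted message

        // Only a verified message reaches this point; payment bookkeeping goes here.
        return new HttpStatusCodeResult(200);
    }

    // No attribute: inherits the class-level [Authorize] and stays restricted.
    public ActionResult ChangePassword() { return View(); }
}
```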