Windows Authentication & MVC: proper way to exclude individual file/route
Question
I have an MVC 3 site which is protected via Windows Authentication. However, there is a physical file at the root of the site, along with a controller action method (via a custom route), which need to be available without authenticating. What is the proper way to do this? I want the entire site protected without needing [Authorize] at the top of my controllers (or in a base controller class). On IIS 7, I have both Anonymous and Windows Authentication enabled at the site root.
Currently I have the following (applicable) sections in my Web.config:
    <authentication mode="Windows" />
    <location path="public.js"> <!-- physical file -->
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
    </location>
    <location path="public.gif"> <!-- custom route to action method -->
      <system.web>
        <authorization>
          <allow users="*"/>
        </authorization>
      </system.web>
    </location>
If I don't put [Authorize] at the top of my controllers, I am never prompted for credentials. Do I just need a <deny users="?"/> somewhere, or is there a better way to approach this from the start?
Thanks!
Recommended answer
Authentication for controller actions must be handled by the [Authorize] attribute. The web.config settings only apply to physical files.
If you don't want to put the [Authorize] attribute on each controller, you could make a base controller class that includes the [Authorize] attribute. All controllers that inherit from this base controller class would automatically require authentication.
Personally, I don't find it that difficult to add the [Authorize] attribute manually to each controller and prefer the finer level of control.
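
The base-controller approach from the answer, written out as an added example (not part of the original answer), with a reflection check that lists any controller left without [Authorize]. The names SecuredController, ReportsController, PublicAssetController, RouteConfig and AuthorizeAudit, and the ~/App_Data/public.gif path, are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;
using System.Web.Routing;

// Base class from the answer: every controller deriving from it requires authentication.
[Authorize]
public abstract class SecuredController : Controller { }

public class ReportsController : SecuredController   // hypothetical protected controller
{
    public ActionResult Index() { return Content("authenticated users only"); }
}

// The one anonymous endpoint derives from Controller directly, so no [Authorize] applies.
public class PublicAssetController : Controller
{
    public ActionResult Gif()
    {
        return File(Server.MapPath("~/App_Data/public.gif"), "image/gif"); // hypothetical path
    }
}

public static class RouteConfig
{
    public static void Register(RouteCollection routes)
    {
        // Custom route for the public image; register it before the default route.
        routes.MapRoute("PublicGif", "public.gif", new { controller = "PublicAsset", action = "Gif" });
    }
}

public static class AuthorizeAudit
{
    // Explicit allowlist of controllers that are anonymous on purpose.
    static readonly HashSet<Type> Anonymous = new HashSet<Type> { typeof(PublicAssetController) };

    // Returns concrete controllers with no class-level [Authorize], own or inherited.
    // Controllers protected only by action-level attributes are reported too.
    public static IList<Type> UnprotectedControllers(Assembly assembly)
    {
        return assembly.GetTypes()
            .Where(t => typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract)
            .Where(t => !Anonymous.Contains(t))
            .Where(t => !t.GetCustomAttributes(typeof(AuthorizeAttribute), true).Any())
            .ToList();
    }
}
```

Calling AuthorizeAudit.UnprotectedControllers(typeof(SecuredController).Assembly) from a unit test and failing on a non-empty result catches a controller that was added without inheriting from the base class.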