Windows身份验证和MVC:排除单个文件/路由的正确方法 [英] Windows Authentication & MVC: proper way to exclude individual file/route

问题描述

我有一个MVC 3站点，该站点通过Windows身份验证进行保护.但是，在站点的根部有一个物理文件，以及一个控制器操作方法(通过自定义路由)，需要在不进行身份验证的情况下可用.这样做的正确方法是什么?我希望整个站点都受到保护，而无需在控制器顶部(或在基本控制器类中)使用[Authorize].在IIS 7上，我在站点根目录同时启用了匿名身份验证和Windows身份验证.

I have an MVC 3 site which is protected via Windows Authentication. However, there is a physical file at the root of the site, along with a controller action method (via a custom route), which need to be available without authenticating. What is the proper way to do this? I want the entire site protected without needing [Authorize] at the top of my controllers (or in a base controller class). On IIS 7, I have both Anonymous and Windows Authentication enabled at the site root.

当前，我的Web.config中具有以下(适用的)部分:

Currently I have the following (applicable) sections in my Web.config:

<authentication mode="Windows" />
<location path="public.js"> <!-- physical file -->
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
<location path="public.gif"> <!-- custom route to action method -->
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>

如果我不将[Authorize]放在控制器的顶部，则不会提示我输入凭据.我只是在某个地方需要<deny users="?"/>还是从一开始就有更好的方法来解决这个问题?

If I don't put [Authorize] at the top of my controllers, I am never prompted for credentials. Do I just need a <deny users="?"/> somewhere, or is there a better way to approach this from the start?

谢谢！

推荐答案

控制器动作的身份验证必须由[Authorize]属性处理. web.config设置仅适用于物理文件.

Authentication for controller actions must be handled by the [Authorize] attribute. The web.config settings only apply to physical files.

如果不想在每个控制器上都放置[Authorize]属性，则可以创建一个包含[Authorize]属性的基本控制器类.从该基本控制器类继承的所有控制器将自动要求身份验证.

If you don't want to put the [Authorize] attribute on each controller, you could make a base controller class that includes the [Authorize] attribute. All controllers that inherit from this base controller class would automatically require authentication.

就个人而言，我发现手动将[Authorize]属性添加到每个控制器并不困难，并且更喜欢控制级别更高的

Personally, I don't find it that difficult to add the [Authorize] attribute manually to each controller and prefer the finer level of control.

这篇关于Windows身份验证和MVC:排除单个文件/路由的正确方法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！