我们如何在ASP.NET MVC整个区域设置授权？ [英] How can we set authorization for a whole area in ASP.NET MVC?

问题描述

我有一个管理区，我想只有管理员进入该地区。我认为添加授权属性，在管理区的每个控制器。是不是有一种优雅的解决方案，或者是这个功能不存在在框架本身？

I've an Admin area and I want only Admins to enter the area. I considered adding the Authorized attribute to every controller in the Admin area. Isn't there an elegant solution or is this feature not there in the framework itself?

编辑：
我很抱歉，我之前已经提到了这一点。我使用的是从AuthorizeAttribute派生的自定义AuthorizedAttribute。

I'm sorry, I should to have mentioned this before. I'm using a custom AuthorizedAttribute derived from AuthorizeAttribute.

推荐答案

根据Web.config文件的安全性应该差不多的从不的将在MVC应用程序中使用。这样做的原因是，多个URL有可能打一个控制器，并把这些检查在Web.config中总是错过一些东西。请记住 - 控制器与区域相关，路线与区域相关。在MVC控制器工厂会很乐意为来自非区域请求区域/文件夹控制器如果没有冲突。

Web.config-based security should almost never be used in an MVC application. The reason for this is that multiple URLs can potentially hit a controller, and putting these checks in Web.config invariably misses something. Remember - controllers are not associated with areas, routes are associated with areas. The MVC controller factory will happily serve controllers from the Areas/ folder for non-area requests if there's no conflict.

例如，使用默认的项目结构，添加一个管理区与AdminDefaultController，你可以打这个控制器通过/行政/ AdminDefault /索引的和的/ AdminDefault /索引。

For example, using the default project structure, adding an Admin area with an AdminDefaultController, you can hit this controller via /Admin/AdminDefault/Index and /AdminDefault/Index.

唯一支持的解决方案是把你的属性上的控制器基类，并确保基类的子类区域内的每个控制器。

The only supported solution is to put your attribute on a controller base class and to ensure that each controller within the area subclasses that base class.

这篇关于我们如何在ASP.NET MVC整个区域设置授权？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！