我们如何在ASP.NET MVC整个区域设置授权? [英] How can we set authorization for a whole area in ASP.NET MVC?
问题描述
我有一个管理区,我想只有管理员进入该地区。我认为添加授权属性,在管理区的每个控制器。是不是有一种优雅的解决方案,或者是这个功能不存在在框架本身?
I've an Admin area and I want only Admins to enter the area. I considered adding the Authorized attribute to every controller in the Admin area. Isn't there an elegant solution or is this feature not there in the framework itself?
编辑:
我很抱歉,我之前已经提到了这一点。我使用的是从AuthorizeAttribute派生的自定义AuthorizedAttribute。
I'm sorry, I should to have mentioned this before. I'm using a custom AuthorizedAttribute derived from AuthorizeAttribute.
推荐答案
根据Web.config文件的安全性应该差不多的从不的将在MVC应用程序中使用。这样做的原因是,多个URL有可能打一个控制器,并把这些检查在Web.config中总是错过一些东西。请记住 - 控制器与区域相关,路线与区域相关。在MVC控制器工厂会很乐意为来自非区域请求区域/文件夹控制器如果没有冲突。
Web.config-based security should almost never be used in an MVC application. The reason for this is that multiple URLs can potentially hit a controller, and putting these checks in Web.config invariably misses something. Remember - controllers are not associated with areas, routes are associated with areas. The MVC controller factory will happily serve controllers from the Areas/ folder for non-area requests if there's no conflict.
例如,使用默认的项目结构,添加一个管理区与AdminDefaultController,你可以打这个控制器通过/行政/ AdminDefault /索引的和的/ AdminDefault /索引。
For example, using the default project structure, adding an Admin area with an AdminDefaultController, you can hit this controller via /Admin/AdminDefault/Index and /AdminDefault/Index.
唯一支持的解决方案是把你的属性上的控制器基类,并确保基类的子类区域内的每个控制器。
The only supported solution is to put your attribute on a controller base class and to ensure that each controller within the area subclasses that base class.
这篇关于我们如何在ASP.NET MVC整个区域设置授权?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!