可以在用户授权的情况下对每个控制器根据在web.config中设置？ （不能用AuthorizeAttribute） [英] Can user authorization be set on a per-controller basis in web.config? (cannot use AuthorizeAttribute)

问题描述

我在使用Windows验证一个Web API 2应用程序。我有多个控制器，这在我的web.config授权：

I have a Web API 2 app using windows auth. I have multiple controllers and this in my web.config for authorization:

<system.web>
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime targetFramework="4.5" />
    <authentication mode="Windows" />
    <authorization>
      <allow users="AllowedUsersAndGroups" />
      <deny users="?" />
    </authorization>
    <sessionState mode="Off" />
  </system.web>

这一刀切授权的伟大工程，但是我有我需要以不同的锁定2特定的控制器：我想指定被授权打到这两个控制器不同用户

This "blanket" authorization works great, but I have 2 specific controllers that I need to lock down differently: I want to specify different users that are authorized to hit these 2 controllers.

明显的答案是使用在控制器类 [授权（）] 属性，但是我不能，因为我每环境中使用（开发人员使用此属性-UAT - 督促）的XML转换到web.config并需要能够改变哪些用户被授权在每个环境这些控制器。

The obvious answer would be to use the [Authorize()] attribute on the controller classes, however I cannot use this attribute because I am using per-environment (Dev-UAT-Prod) XML transforms to the web.config and need to be able to change which users are authorized on these controllers in each environment.

那么，是不是可以在我的web.config文件中指定单个控制器授权？

So, is it possible to specify authorization for individual controllers in my web.config file?

我打开其他的解决方案，只要它们允许当应用程序部署在每个环境（DEV-UAT-PROD）授权不同的用户。

I am open to other solutions as long as they allow for Authorizing different users when the app is deployed in each environment (dev-uat-prod).

谢谢！

推荐答案

在我们的环境中，我们用这种方式：

In our environment we use this approach:

Active Directory组的名称都存储在应用程序的设置。这些名字每环境不同。

The names of Active Directory groups are stored in the app-settings. These names are different per environment.

接下来，我们创建 AuthorizeAttribute 的子类型叫做 AuthorizeWritersAttribute 是这样的：

Next we created a subtype of AuthorizeAttribute called AuthorizeWritersAttribute like this:

public class AuthorizeWritersAttribute : AuthorizeAttribute 
{
    public 
    {
        Roles = ConfigurationManager.AppSettings["SolutionName:AuthorizedWriters"];
        // Actually we removed the dependency on ConfigurationManager but for brevity this suffices.
    }
}

最后，我们这个属性应用到我们的控制器：

Finally we apply this attribute to our controllers:

[AuthorizeWriters]
public class BlogController : Controller
{
    ....
}

我们使用AD-组，但AD-帐户应正常工作。

We use AD-groups but AD-accounts should work as well.

这篇关于可以在用户授权的情况下对每个控制器根据在web.config中设置？ （不能用AuthorizeAttribute）的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！