如何限制对 ASP.net MVC 控制器中某些操作的访问 [英] How to restrict access to certain actions in controller in ASP.net MVC
问题描述
我是 ASP.net MVC 的新手,并使用它创建了我的第一个 Web 应用程序.在我的应用程序中,我使用数据库身份验证.我在控制器中创建了登录操作,它检查输入的用户名和密码是否存在于数据库中,如果存在,则将所需的值放入 Session 并根据他的权限将用户重定向到页面,否则将用户重定向到登录页面.像这样
I am new to ASP.net MVC and created my first web application using it. In my application I am using database authentication. I have created Login action in controller which checks entered username and password exist in DB or not, If it exist then put required values in Session and redirect user to pages as per his rights else redirect user to login page. Like this
public ActionResult Login()
{
if(uservalid)
{
//set session values and redirect to dashboard
}
else
{
//redirect to login
}
}
在我的应用程序中,有些功能只能在用户登录时访问.我想在用户尝试访问这些功能之前检查用户是否已登录,如果他未登录或没有权限,则重定向到登录页面或显示一些错误消息.
In my application there are some functionality that can only be accessed when user is logged-in. I want to check whether user is logged-in or not before user try to access these functionality and if he is not logged-in or not have rights then redirect to login page or show some error message.
public ActionResult SomeAction()
{
//Available only when user is logged-in
}
那么我如何检查用户是否已登录并授予操作权限.我阅读了 Authorize 属性,但不知道如何使用它,因为我正在使用数据库身份验证.
So how do I check whether user is logged-in or not and give access to action. I read about Authorize attribute but don't know how to use it as I am using database authentication.
推荐答案
如果您使用的是 FormsAuthentication 您不需要使用 ASP.NET 会话来跟踪当前经过身份验证的用户.
If you are using FormsAuthentication you don't need to use ASP.NET session to track the currently authenticated user.
我阅读了 Authorize 属性,但不知道如何使用它使用数据库身份验证.
I read about Authorize attribute but don't know how to use it as I am using database authentication.
假设您使用 FormsAuthentication,一旦您验证了用户的凭据,您应该设置表单身份验证 cookie:
Assuming you went with FormsAuthentication, once you have validated the credentials of the user you should set a forms authentication cookie:
public ActionResult Login()
{
if(uservalid)
{
FormsAuthentication.SetAuthCookie("username", false);
return RedirectToAction("SomeProtectedAction");
}
else
{
//redirect to login
}
}
然后:
[Authorize]
public ActionResult SomeAction()
{
string currentlyLoggedInUser = User.Identity.Name;
}
顺便说一下,如果您使用 Visual Studio 中的 Internet 模板创建一个新的 ASP.NET MVC 应用程序,您可以查看 AccountController,它负责对用户进行身份验证并设置表单身份验证 cookie.当然,您可以将所有实体框架的废话都扔掉,并针对您自己的数据库表实施您自己的凭据验证.
By the way if you create a new ASP.NET MVC application using the internet template in Visual Studio you might take a look at the AccountController which is responsible for authenticating users and setting forms authentication cookies. Of course you could throw all the Entity Framework crap out of it and implement your own credentials validation against your own database tables.
这篇关于如何限制对 ASP.net MVC 控制器中某些操作的访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
