Asp.net MVC4: Authorize on both controller and action


Problem description

If I have the Authorize attribute on both the controller and the action, which one will take effect? Or will both take effect?

Recommended answer

You asked:

    If I have Authorize attribute on both controller and action, which one will take effect? Both?

To answer this simply: Both. The effect is to AND the two restrictions together. I'll explain why below ...

So, there are a few reasons you could be asking this.


  1. You want to know how an additional constraint on an Action is applied compared to the Controller. For example:

    • At the controller level, require the user to be in the "user" role
    • At the action level, also require the user to be in the "admin" role

You didn't specify your MVC version, so I will assume the latest as of today (MVC 4.5). However, that won't change the answer much even if you were using MVC 3.

Case 3 I don't need to cover (the use of [AllowAnonymous]) as it has been answered all over SO and all over the web already (http://blogs.msdn.com/b/rickandy/archive/2012/03/23/securing-your-asp-net-mvc-4-app-and-the-new-allowanonymous-attribute.aspx). Suffice to say: if you specify [AllowAnonymous] on an action it will make that action public even if the controller has [Authorize] on it.

You can also make an entire website subject to authorisation by using a global filter, and use AllowAnonymous on the few actions or controllers you want to make public.

Case 1 is easy. Take the following controller as an example:

using System.Web.Mvc;

// The controller-level [Authorize] applies to every action in the controller.
[Authorize(Roles = "user")]
public class HomeController : Controller {
    public ActionResult AllUsersIndex() {
        return View();
    }

    // The action-level [Authorize] is checked in addition to the controller-level one.
    [Authorize(Roles = "admin")]
    public ActionResult AdminUsersIndex() {
        return View();
    }
}

By default [Authorize(Roles="user")] makes all Actions in the Controller available to accounts in the "user" role only. Therefore to access AllUsersIndex you must be in the "user" role. However to access AdminUsersIndex you must be in both the "user" and the "admin" role. For example:


  • UserName: Bob, Roles: user, cannot access AdminUsersIndex, but can access AllUsersIndex
  • UserName: Jane, Roles: admin, cannot access AdminUsersIndex or AllUsersIndex
  • UserName: Tim, Roles: user & admin, can access AdminUsersIndex and AllUsersIndex

This illustrates that the [Authorize] attribute is additive. This is also true of the Users property of the attribute (http://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute.users%28v=vs.108%29.aspx), which can be combined with Roles to make it even more restrictive.

This behaviour is due to the way that controller and action attributes work. The attributes are chained together and applied in the order controller then action. If the first one refuses authorization, then control returns and the action's attribute is not called. If the first one passes authorization, then the second one is checked as well. You can override this order by specifying Order (http://msdn.microsoft.com/en-us/library/system.web.mvc.filterattribute.order%28v=vs.108%29.aspx), for example [Authorize(Roles = "user", Order = 2)].

Case 2 is trickier. Recall from above that the [Authorize] attributes are examined in the order (Global then) Controller then Action. The first one to detect that the user is ineligible to be authorized wins; the others don't get called.

One way around this is to define two new attributes as below. The [OverrideAuthorize] does nothing other than defer to [Authorize]; its only purpose is to define a type that we can check for. The [DefaultAuthorize] allows us to check whether the Action being called in the request is decorated with an [OverrideAuthorize]. If it is, then we defer to the Action's authorization check; otherwise we proceed with the Controller-level check.

using System.Web.Mvc;

// Controller-level attribute: steps aside when the requested action carries
// [OverrideAuthorize], otherwise behaves exactly like [Authorize].
public class DefaultAuthorizeAttribute : AuthorizeAttribute {
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        var action = filterContext.ActionDescriptor;
        if (action.IsDefined(typeof(OverrideAuthorizeAttribute), true)) return;

        base.OnAuthorization(filterContext);
    }
}

// Action-level attribute: identical to [Authorize]; exists only as a marker type
// that DefaultAuthorizeAttribute can look for.
public class OverrideAuthorizeAttribute : AuthorizeAttribute {
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);
    }
}

We can then use it like this:

using System.Web.Mvc;

[DefaultAuthorize(Roles = "user")]
public class HomeController : Controller {
    // Available to accounts in the "user" role
    public ActionResult AllUsersIndex() {
        return View();
    }
    // Available only to accounts in both the "user" and "admin" role
    [Authorize(Roles = "admin")]
    public ActionResult AdminUsersIndex() {
        return View();
    }
    // Available to accounts in the "superuser" role even if not in the "user" role
    [OverrideAuthorize(Roles = "superuser")]
    public ActionResult SuperusersIndex() {
        return View();
    }
}

In the above example SuperusersIndex is available to an account that has the "superuser" role, even if it does not have the "user" role.
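Added example, not part of the original answer: an offline check of the access matrix the answer describes. It runs the real AuthorizeAttribute.AuthorizeCore from System.Web.Mvc (reached via reflection, since that method is protected) against the second HomeController above (the one using [DefaultAuthorize] and [OverrideAuthorize]) for a constructed set of principals, so the Users/Roles/IsAuthenticated logic is the framework's own while the chaining rules are modelled as the answer states them: every [Authorize]-derived attribute on controller and action must pass (the AND), an action marked [OverrideAuthorize] skips the controller-level [DefaultAuthorize], and [AllowAnonymous] wins outright. Assumed: a System.Web.Mvc 4.x reference and the answer's HomeController, DefaultAuthorizeAttribute and OverrideAuthorizeAttribute in scope; PrincipalOnlyContext, AuthorizeMatrix, CanAccess and the four principals are this example's own inventions. Global filters and the Order property are deliberately ignored, so this checks the attributes' static policy, not the live MVC pipeline.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Minimal HttpContextBase that supplies only the principal AuthorizeCore reads.
// (Assumed helper for this example; not part of the original answer.)
sealed class PrincipalOnlyContext : HttpContextBase
{
    private IPrincipal _user;
    public PrincipalOnlyContext(IPrincipal user) { _user = user; }
    public override IPrincipal User { get { return _user; } set { _user = value; } }
}

static class AuthorizeMatrix
{
    // AuthorizeCore is protected virtual on AuthorizeAttribute; invoke it through
    // reflection so each attribute instance evaluates its own Users/Roles settings.
    static bool Passes(AuthorizeAttribute attr, HttpContextBase ctx)
    {
        MethodInfo core = typeof(AuthorizeAttribute).GetMethod("AuthorizeCore",
            BindingFlags.Instance | BindingFlags.NonPublic);
        return (bool)core.Invoke(attr, new object[] { ctx });
    }

    // Models the answer's rules for one controller/action pair:
    //  1. [AllowAnonymous] on the action makes it public.
    //  2. [OverrideAuthorize] on the action removes the controller's [DefaultAuthorize].
    //  3. Everything that remains on controller and action must pass (AND).
    // Global filters and Order are not considered.
    public static bool CanAccess(Type controller, string action, IPrincipal user)
    {
        MethodInfo method = controller.GetMethod(action);
        if (method.IsDefined(typeof(AllowAnonymousAttribute), true)) return true;

        var ctx = new PrincipalOnlyContext(user);
        IEnumerable<AuthorizeAttribute> controllerAttrs =
            controller.GetCustomAttributes(typeof(AuthorizeAttribute), true).Cast<AuthorizeAttribute>();
        IEnumerable<AuthorizeAttribute> actionAttrs =
            method.GetCustomAttributes(typeof(AuthorizeAttribute), true).Cast<AuthorizeAttribute>();

        if (method.IsDefined(typeof(OverrideAuthorizeAttribute), true))
            controllerAttrs = controllerAttrs.Where(a => !(a is DefaultAuthorizeAttribute));

        return controllerAttrs.Concat(actionAttrs).All(a => Passes(a, ctx));
    }

    // Constructed principals: GenericIdentity with a non-empty name counts as authenticated.
    static IPrincipal Who(string name, params string[] roles)
    {
        return new GenericPrincipal(new GenericIdentity(name), roles);
    }

    public static void Main()
    {
        IPrincipal[] people =
        {
            Who("Bob", "user"),
            Who("Jane", "admin"),
            Who("Tim", "user", "admin"),
            Who("Sue", "superuser")
        };
        string[] actions = { "AllUsersIndex", "AdminUsersIndex", "SuperusersIndex" };

        foreach (IPrincipal p in people)
            foreach (string a in actions)
                Console.WriteLine("{0,-5} {1,-16} {2}",
                    p.Identity.Name, a,
                    CanAccess(typeof(HomeController), a, p) ? "allowed" : "denied");
    }
}
```

Run it as a console program in the same project as the controller. The matrix it prints is the one the answer claims: Bob reaches only AllUsersIndex, Jane reaches nothing, Tim reaches AllUsersIndex and AdminUsersIndex, and Sue (superuser only) reaches SuperusersIndex and nothing else. Because the verdicts come from the attributes themselves, the same CanAccess call can sit in a unit test next to the controllers so that a later edit which relaxes or drops an [Authorize] shows up as a failing assertion rather than as an open endpoint.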
