Problem with Authorization with IIS and MVC

Problem description

Got some problem with setting up the Authorization. First I got:

<authorization>
  <deny users="?" />
</authorization>

So I deny all unknown users and then allow them to view those pages:

<location path="Default.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

<location path="Public">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

Now to the problem: they can access the Public pages and Default.aspx, but not www.mydomain.com or www.mydomain.com/, so www.mydomain.com/Default.aspx works fine. So how to make those work?

Recommended answer

Keep in mind that there's a fundamental difference in protected resources between WebForms and MVC. In WebForms, the resources you're trying to protect are the pages themselves, and since the pages exist on disk at a well-known path you can use Web.config to secure them. However, in MVC, the resources you're trying to protect are actually controllers and actions, not individual paths and pages. If you try protecting the path rather than the controller, your application likely has a security vulnerability.

In MVC, by default all controllers + actions are accessible to all users, both authenticated and guest. To secure controllers or actions, the [Authorize] attribute has been provided. See http://www.asp.net/learn/mvc/#MVC_Security for more information.

In short, it sounds like for your application you'd want to attribute every controller except the default controller and the Public controller with the [Authorize] attribute.
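
An added example (not part of the original answer) of the controller layout the answer describes, with a reflection check that lists any action left without [Authorize]. The names AccountSettingsController and AuthorizationAudit are hypothetical, and the code assumes a project that references System.Web.Mvc.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Default controller: unattributed, so "/" and "/Home" stay open to guests.
public class HomeController : Controller
{
    public ActionResult Index() { return View(); }
}

// Public controller: also unattributed, open to guests.
public class PublicController : Controller
{
    public ActionResult Index() { return View(); }
}

// Every other controller carries [Authorize]; anonymous requests are
// rejected whichever URL the route table maps to these actions.
[Authorize]
public class AccountSettingsController : Controller // hypothetical name
{
    public ActionResult Index() { return View(); }
}

// Hypothetical helper, not an MVC API: finds actions nobody protected.
public static class AuthorizationAudit
{
    // Controllers that are meant to be reachable by guests.
    static readonly HashSet<Type> Open = new HashSet<Type>
        { typeof(HomeController), typeof(PublicController) };

    // Returns "Controller.Action" for each public action where neither the
    // method nor its controller (or a base class) has [Authorize].
    public static IEnumerable<string> UnprotectedActions(Assembly asm)
    {
        return from t in asm.GetTypes()
               where typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract
               where !Open.Contains(t) && !t.IsDefined(typeof(AuthorizeAttribute), true)
               from m in t.GetMethods(BindingFlags.Public | BindingFlags.Instance)
               // Skip members inherited from Controller, ControllerBase and object.
               where !m.DeclaringType.IsAssignableFrom(typeof(Controller))
               where !m.IsSpecialName && !m.IsDefined(typeof(NonActionAttribute), true)
               where !m.IsDefined(typeof(AuthorizeAttribute), true)
               select t.Name + "." + m.Name;
    }
}
```

Calling `AuthorizationAudit.UnprotectedActions(typeof(HomeController).Assembly)` from a unit test and failing when the result is non-empty catches a new controller that was added without the attribute.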
