对于asp.net的MVC区级安全 [英] Area level security for asp.net mvc
问题描述
我知道这是可能的装饰与授权控制器属性来控制访问,我不知道是执行所有控制器/视图的安全在一个地区的接受或适当的方式。
I know it is possible to decorate a controller with the Authorize attribute to control access, what I don't know is the accepted or proper way to enforce security across all the controllers/views in an Area.
有什么在web.config中,地区注册或其他地方申请授权安全?
Is there something in web.config, area registration or some other place to apply authorization security?
推荐答案
一个简便的方法是创建一个新的基类
A convenient way is to create a new base class
[Authorize]
public abstract class AuthorizeBaseController : Controller
{
}
,并确保所有的控制器,而您需要授权的(在你的情况下,一切都在你担心的面积)从下降 AuthorizeBaseController
。
public class HomeController : AuthorizeBaseController
{
public ActionResult Index()
{
return View();
}
}
的 [授权]
属性应该影响所有的新基类的后代。
The [Authorize]
attribute should affect all of the descendents of the new base class.
修改我有使用问题的<位置路径=>
办法是,既然路由引擎品牌有可能为任何途径来调用任何控制器,根据网址(因此一个特定的路径)设置的授权,而不是控制器动作使得可以调用应保护控制器,并跳过授权。这不是在web表单的问题,因为一个页面一个页面(而不是一个方法调用),但在MVC页/路径和code之间的分离使这是一个巨大的安全漏洞。
Edit The issue that I have with using the <location path="" >
approach is that, since the routing engine makes it's possible for any route to call any controller, setting authorization based on the url (and thus a specific route) instead of the controller actions makes it possible to call a controller that should be protected and skip the authorization. That wasn't an issue in webforms since a page was a page (and not a method call), but the separation between page/path and code in MVC makes this a huge security hole.
这篇关于对于asp.net的MVC区级安全的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!