Is the Authorize attribute in ASP.NET MVC used for Authentication as well as Authorization?

Question

I'm reading up on ASP.NET MVC, and I just got to a section talking about the Authorize attribute. It's saying that the Authorize attribute is used to check that a user is authenticated against a Controller. Is this true? I know that the attribute is designed to be used for authorization purposes, but is it also a best practice to use this attribute for authentication?

If not, what is the best practice for verifying (not performing) authentication?

If so, why is it done this way? Am I missing something?

Recommended answer

The Authorize attribute can be used to check whether the user is logged in. It can also be used to check if the user is a member of a specific role and has a specific name.

It essentially does the same thing handled by the <authorization> section in web.config when using Web Forms.

It doesn't specify the authentication method. It's handled by the <authentication> section in web.config just like Web Forms.

Edit (clarifying authentication and authorization):

Authentication is identity verification. That is, you check to see who the user is. This can be performed by checking a user name and password, checking your Windows authentication token, scanning retina, voice identification or whatever else.

Authorization is the act of limiting access to a specific resource to users that satisfy certain criteria. To be able to authorize a user to a resource, you should know the rights the user has. To check that, you should know who the user is in the first place. So the user has to be authenticated.

Essentially an empty [Authorize] attribute does authorization, not authentication. It doesn't check who you are. It just checks if the one who you verified to be does have access to the resource or not. However, its authorization criterion is "anyone successfully authenticated." You can specify different criteria. So, indeed it's doing authorization, not authentication.
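
The following is an added example, not code from the original question or answer. It shows the three criteria the answer mentions (any authenticated user, a role, a user name) and goes one step further by returning 403 instead of 401 when the caller is authenticated but fails the criteria, which makes the authentication/authorization split visible in responses and logs. It assumes System.Web.Mvc (MVC 5); the names AuthorizeOrForbidAttribute, ReportsController, the role "Admin" and the user "alice" are hypothetical.

```csharp
using System.Web.Mvc;

// Hypothetical attribute name; AuthorizeAttribute and its members come from System.Web.Mvc.
public class AuthorizeOrForbidAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user != null && user.Identity != null && user.Identity.IsAuthenticated)
        {
            // Identity is known but fails the Roles/Users criteria:
            // an authorization failure, so answer 403 Forbidden.
            filterContext.Result = new HttpStatusCodeResult(403);
        }
        else
        {
            // No authenticated identity: the default result is 401, which the
            // authentication method configured in web.config (for example Forms)
            // can turn into a redirect to its login page.
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}

[Authorize] // criterion: any successfully authenticated user
public class ReportsController : Controller // hypothetical controller
{
    public ActionResult Index() { return Content("any signed-in user"); }

    [AllowAnonymous] // opts this action out of the controller-level check
    public ActionResult About() { return Content("public"); }

    [AuthorizeOrForbid(Roles = "Admin")] // criterion: member of the Admin role
    public ActionResult Purge() { return Content("admins only"); }

    [AuthorizeOrForbid(Users = "alice")] // criterion: a specific user name (constructed)
    public ActionResult Mine() { return Content("alice only"); }
}
```

None of these attributes establishes who the caller is; they only read the identity that the configured authentication method has already attached to the request.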
