ASP.NET MVC窗体身份验证和未经验证控制器动作 [英] ASP.NET MVC Forms authentication and unauthenticated controller actions

问题描述

我有一个锁定使用窗体身份验证一个ASP.NET MVC的网站。 web.config中有

I have a ASP.NET MVC site that is locked down using Forms Authentication. The web.config has

<authentication mode="Forms">
<forms defaultUrl="~/Account/LogOn" loginUrl="~/Account/LogOn" timeout="2880"/>
</authentication>
<authorization>
	<deny users="?"/>
</authorization>

比帐户/ LogOn支持其他我的网页均无法查看，除非用户进行身份验证。

None of my pages other than Account/LogOn can be viewed unless the user is authenticated.

现在我想贝宝IPN添加到我的网站，为了做到这一点，我需要有一个处理PayPal的支付确认，并感谢您页两页。这两个页面需要提供匿名用户。

Now I am trying to add PayPal IPN to my site and in order to do that I need to have two pages that handle PayPal's payment confirmation and thank you page. These two pages need to be available for anonymous users.

我想这些网页是从我的账户控制器控制器动作。有没有什么办法可以适用于具体的操作方法，使他们对匿名用户可用的属性？我发现几个职位在这里，试图这样做，但有很多人想要的相反的情况。

I would like these pages to be controller actions off my Account controller. Is there any way I can apply an attribute to specific action methods that make them available to anonymous users? I found a several posts here that attempt to do that but there was most people wanted the opposite scenario.

基本上我想可能AccountController类有大多数的方法没有授权除少数。现在它看起来像只登录方法可用于匿名用户。

Basically I want may AccountController class to have no authorization for most of the methods except for a few. Right now it looks like only the LogOn method is available to anonymous users.

在此先感谢您的帮助。

推荐答案

当然可以。在你的AccountController有一个[授权]对类级-attribute是（使整个控制器的限制）或在特定的方法。

Yes you can. In your AccountController there's an [Authorize]-attribute either on class-level (to make the whole controller restricted) or on specific methods.

为了限制你只需使用授权属性上处理这些动作方法的具体行动，并留下控制器级不受限制。

To make specific actions restricted you simply use the Authorize-attribute on the methods that handle these actions, and leave the controller-class unrestricted.

下面是几个例子...希望它能帮助

Here are a few examples... hope it helps

要要求用户登录，使用：

To require users to login, use:

[Authorize]
public class SomeController : Controller

// Or
[Authorize]
public ActionResult SomeAction()

要限制特定角色的访问，使用：

To restrict access for specific roles, use:

[Authorize(Roles = "Admin, User")]
public class SomeController : Controller

// Or
[Authorize(Roles = "Admin, User")]
public ActionResult SomeAction()

和限制特定用户的访问，使用：

And to restrict access for specific users, use:

[Authorize(Users = "Charles, Linus")]
public class SomeController : Controller

// Or
[Authorize(Users = "Charles, Linus")]
public ActionResult SomeAction()

正如你所看到的，您可以使用该属性在类级别或方法级别。您的选择！

As you can see, you can either use the attribute at class-level or at method-level. Your choice!

这篇关于ASP.NET MVC窗体身份验证和未经验证控制器动作的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！