MVC 4 Forms Authentication not working with [Authorize]
Problem description
I'm learning MVC4 right now, and I am following the Pro ASP.NET MVC4 4th edition book to create a Sports Store project.
I have always developed in WebForms, and I am trying to figure out how forms authentication works in MVC4.
Here is what I have achieved:
Web.Config
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="2880"/>
    </authentication>
AccountController login Action:
    [HttpPost]
    public ActionResult Login(LoginViewModel model, string returnUrl)
    {
        if (ModelState.IsValid)
        {
            if (authProvider.Authenticate(model.UserName, model.Password))
            {
                // Successful sign-in: redirect back to the requested page, or to Admin/Index
                return Redirect(returnUrl ?? Url.Action("Index", "Admin"));
            }
            else
            {
                ModelState.AddModelError("", "Incorrect username or password");
                return View();
            }
        }
        else
        {
            return View();
        }
    }
Auth Provider:
    public bool Authenticate(string username, string password)
    {
        // Checks the credentials against the <credentials> configured for forms authentication
        bool result = FormsAuthentication.Authenticate(username, password);
        if (result)
        {
            // Issue the forms authentication cookie (non-persistent)
            FormsAuthentication.SetAuthCookie(username, false);
        }
        return result;
    }
I am setting the AuthCookie, and now I would like to know how to protect other controllers and actions outside the AccountController.
The application has a controller called AdminController, where you can edit products and the product list, under the following {controller/action}: Admin/Index
So, if I am not misunderstanding the theory, if the user has not logged in through the AccountController they should not be able to call actions with the [Authorize] tag on the declaration:
    public class AdminController : Controller
    {
        private IProductRepository repository;

        public AdminController(IProductRepository repo)
        {
            repository = repo;
        }

        [Authorize]
        public ActionResult Index()
        {
            return View(repository.Products);
        }
    }
The thing is, I can call the Index action of the Admin Controller without any problem and without entering the login.
I need some guidance to understand how this works. I have done some research and could not find anything, and the book does not cover this topic.
Thanks in advance.
EDIT: I closed the Chrome browser and it worked without changing anything. I was working with tabs and I guess the cookie was still active, even when stopping and starting debugging.
Solution
If a controller action is decorated with the [Authorize] attribute (as is your Admin/Index action) you cannot invoke this action if you do not have a valid forms authentication cookie in the request. Also, in your Login action, upon successful authentication you should not return a view but you should redirect away, so that the cookie is properly set and available on subsequent requests.

Here's what should happen when a non-authenticated user attempts to access the protected Admin/Index action. The [Authorize] attribute will throw a 401 exception, which as you know from classic WebForms will be intercepted by the Forms Authentication module, and you will be redirected to the loginUrl configured in your web.config, passing a ReturnUrl query string parameter with the initially requested protected resource. So you must have a Login action on the account controller that is not decorated with the [HttpPost] attribute and which should serve the sign-in view. The request will look like this:

    /Account/Login?ReturnUrl=%2Fadmin%2Findex
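As an added example (not the asker's or the answerer's code), here is the AccountController completed along the lines the answer describes: a GET Login action that serves the sign-in view when the Forms Authentication module redirects to the loginUrl, and a POST action that redirects after success and only follows ReturnUrl when it points inside the site, so the parameter cannot be used to bounce a freshly signed-in user to another host. The IAuthProvider interface and LoginViewModel class are assumed to match the types used in the question.

```csharp
using System.Web.Mvc;

// Assumed shapes for the types the question's Login action uses.
public interface IAuthProvider { bool Authenticate(string username, string password); }
public class LoginViewModel { public string UserName { get; set; } public string Password { get; set; } }

public class AccountController : Controller
{
    private readonly IAuthProvider authProvider;

    public AccountController(IAuthProvider auth)
    {
        authProvider = auth;
    }

    // GET /Account/Login?ReturnUrl=%2Fadmin%2Findex
    // The Forms Authentication module sends anonymous users here after
    // [Authorize] produces the 401; this action only renders the sign-in form.
    [HttpGet]
    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    // POST /Account/Login: validate credentials, then redirect (never return
    // a view on success) so the auth cookie is sent back with the next request.
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid) return View(model);

        if (!authProvider.Authenticate(model.UserName, model.Password))
        {
            ModelState.AddModelError("", "Incorrect username or password");
            return View(model);
        }

        // Follow ReturnUrl only when it is a path on this site, so the
        // parameter cannot redirect a just-authenticated user off-site.
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index", "Admin");
    }
}
```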