MVC 4 Forms Authentication not working with [Authorize]


Problem description
I'm learning MVC4 right now, and I am following the Pro ASP NET MVC4 4th edition book to create a Sports Store project.

I have always developed in webforms, and I am trying to figure out how the forms authentication is working in MVC4.

Here is what I have achieved:

Web.Config

<authentication mode="Forms">
    <forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>

AccountController login Action:

[HttpPost]
public ActionResult Login(LoginViewModel model, string returnUrl)
{
    if (ModelState.IsValid)
    {
        if (authProvider.Authenticate(model.UserName, model.Password))
        {
            return Redirect(returnUrl ?? Url.Action("Index", "Admin"));
        }
        else
        {
            ModelState.AddModelError("", "Incorrect username or password");
            return View();
        }
    }
    else
    {
        return View();
    }
}

Auth Provider:

public bool Authenticate(string username, string password)
{
    bool result = FormsAuthentication.Authenticate(username, password);
    if (result)
    {
        FormsAuthentication.SetAuthCookie(username, false);
    }

    return result;
}

I am setting the AuthCookie, and now I would like to know how to protect other controllers and actions outside of the AccountController.

The application has a controller called AdminController, where you can edit products, and the product list is under the following {controller/action}:

Admin/Index

So, if I am not misunderstanding the theory, if the user has not logged in through the AccountController they should not be able to call actions with the [Authorize] tag on their declaration:

public class AdminController : Controller
{
    private IProductRepository repository;

    public AdminController(IProductRepository repo)
    {
        repository = repo;
    }

    [Authorize]
    public ActionResult Index()
    {
        return View(repository.Products);
    }
}

The thing is I can call the Index action of the Admin Controller without any problem and without introducing the login.

I need some guidance to understand how this works. I have done some research and could not find anything, and the book is not covering this topic.

Thanks in advance.

EDIT: I closed the Chrome browser and it worked without changing anything. I was working with tabs, and I guess the cookie stayed active even when stopping and starting debugging.

Solution

If a controller action is decorated with the [Authorize] attribute (as is your Admin/Index action) you cannot invoke this action if you do not have a valid forms authentication cookie in the request.

Also in your Login action, upon successful authentication you should not return a view but you should redirect away, so that the cookie is properly set and available on subsequent requests.

Here's what should happen when a non-authenticated user attempts to access the protected Admin/Index action. The [Authorize] attribute will throw a 401 exception, which, as you know from classic WebForms, will be intercepted by the Forms Authentication module, and you will be redirected to the loginUrl configured in your web.config, passing the initially requested protected resource in a ReturnUrl query string parameter.

So you must have a Login action on the account controller that is not decorated with the [HttpPost] attribute and which should serve the view containing the sign-in view. The request will look like this:

/Account/Login?ReturnUrl=%2Fadmin%2Findex
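The flow the answer describes, as an added example that is not code from the question, the answer or the book: a GET Login action that receives the Forms Authentication redirect, and a POST Login action that redirects after a successful sign-in. IAuthProvider is assumed to be the questioner's authProvider abstraction whose Authenticate method calls FormsAuthentication.SetAuthCookie on success; LoginViewModel is the model from the question.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Added example, not the questioner's code. IAuthProvider is assumed to wrap the
// Authenticate(username, password) method shown in the question, which sets the
// forms authentication cookie when the credentials are valid.
public class AccountController : Controller
{
    private readonly IAuthProvider authProvider;

    public AccountController(IAuthProvider auth)
    {
        authProvider = auth;
    }

    // GET /Account/Login?ReturnUrl=%2Fadmin%2Findex: the Forms Authentication
    // module lands here after [Authorize] rejects a request, so this action
    // must not carry [HttpPost].
    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }
        if (!authProvider.Authenticate(model.UserName, model.Password))
        {
            ModelState.AddModelError("", "Incorrect username or password");
            return View(model);
        }
        // Redirect rather than returning a view so the cookie set by
        // SetAuthCookie travels with a fresh request; only follow local URLs so
        // ReturnUrl cannot be turned into an open redirect to another site.
        if (Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "Admin");
    }
}
```

A stale cookie from an earlier debugging session, as in the question's EDIT, still satisfies [Authorize]; FormsAuthentication.SignOut() in a Logout action clears it.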
