授权在ASP.NET MVC属性 [英] Authorize attribute in ASP.NET MVC

问题描述

我有一个很难理解真正使用在ASP.NET MVC [授权] 属性。按照这个概念去，如果我们用装饰控制器方法[授权] 属性，只有通过认证的用户被允许访问控制器。

I am having a hard time to understand real use of [Authorize] attribute in ASP.NET MVC. As per the concept goes, if we decorate a controller method with [Authorize] attribute, only authenticated users are allowed to access the controllers.

我已经开发了一个ASP.NET MVC应用程序而不与装潢控制器[授权] 属性。我所观察到的是，如果我在正确的应用程序中使用的web.config或其他方式实现身份验证机制，noway我可以访问网址 {控制器} / {行动} / {ID} 特定操作的方法。

I have developed an ASP.NET MVC application without decorating controllers with [Authorize] attribute. What I have observed is, if I implement authentication mechanism properly in my application using web.config or some other way, noway I can access the URL {controller}/{action}/{id} of a particular action method.

系统总是要求登录。这意味着我的控制器固定。我的问题是，当我可以保证我的控制器，而无需使用 [授权] 属性，那么什么是它的真正需要？

System always ask for login. That means my Controllers are secured. My question is this, when I can secure my controllers without using [Authorize] attribute, then what is the real need of it?

推荐答案

实际功率自带理解和执行成员资格提供连同角色提供。您可以将用户分配到的角色，并根据该限制可以应用不同的访问角色不同的用户控制器操作或控制器本身。

Real power comes with understanding and implementation membership provider together with role provider. You can assign users into roles and according to that restriction you can apply different access roles for different user to controller actions or controller itself.

 [Authorize(Users = "Betty, Johnny")]
 public ActionResult SpecificUserOnly()
 {
     return View();
 }

或者你可以根据组限制

or you can restrict according to group

[Authorize(Roles = "Admin, Super User")]
public ActionResult AdministratorsOnly()
{
    return View();
}

这篇关于授权在ASP.NET MVC属性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！