Problem with Authorization with IIS and MVC

Problem description

Got some problem with setting up the Authorization. First I got:

<authorization>
  <deny users="?" />
</authorization>

So I deny all unknown users and then allow them to view those pages:

<location path="Default.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

<location path="Public">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

Now to the problem: they can access the Public pages and Default.aspx, but not www.mydomain.com or www.mydomain.com/, so www.mydomain.com/Default.aspx works fine. So how to make those work?

Recommended answer

Keep in mind that there's a fundamental difference in protected resources between WebForms and MVC. In WebForms, the resources you're trying to protect are the pages themselves, and since the pages exist on disk at a well-known path you can use Web.config to secure them. However, in MVC, the resources you're trying to protect are actually controllers and actions, not individual paths and pages. If you try protecting the path rather than the controller, your application likely has a security vulnerability.

In MVC, by default all controllers + actions are accessible to all users, both authenticated and guest. To secure controllers or actions, the [Authorize] attribute has been provided. See http://www.asp.net/learn/mvc/#MVC_Security for more information.

In short, it sounds like for your application you'd want to attribute every controller except the default controller and the Public controller with the [Authorize] attribute.
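
An added example, not part of the original answer or of any project's code: the attribute placement the answer describes, plus a reflection check that lists any controller left without [Authorize]. The controller names, the AuthorizationAudit class and its allow-list are hypothetical; it assumes a classic ASP.NET MVC project referencing System.Web.Mvc.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Hypothetical controllers for illustration.
public class HomeController : Controller      // default controller: open to guests
{
    public ActionResult Index() { return View(); }
}

public class PublicController : Controller    // public pages: open to guests
{
    public ActionResult Index() { return View(); }
}

[Authorize]                                    // every action requires an authenticated user
public class OrdersController : Controller
{
    public ActionResult Index() { return View(); }
}

public static class AuthorizationAudit
{
    // Controllers intentionally left open to anonymous users (assumed allow-list).
    static readonly HashSet<Type> Open =
        new HashSet<Type> { typeof(HomeController), typeof(PublicController) };

    // Returns the names of concrete controllers that are neither allow-listed
    // nor marked [Authorize] at class level (inherited attributes count).
    // Controllers protected only per action are reported too, for manual review.
    public static IList<string> FindUnprotectedControllers(Assembly assembly)
    {
        return assembly.GetTypes()
            .Where(t => typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract)
            .Where(t => !Open.Contains(t))
            .Where(t => !t.GetCustomAttributes(typeof(AuthorizeAttribute), true).Any())
            .Select(t => t.FullName)
            .ToList();
    }
}
```

Calling AuthorizationAudit.FindUnprotectedControllers(typeof(HomeController).Assembly) from a unit test and asserting the list is empty catches a new controller that ships without the attribute.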
