Mixing ASP.NET WebForms and MVC Authorization

Time: 2021-06-30 03:22:35

I'm trying to mix some MVC3 functionality into an existing WebForms application. I've followed a few guides, and got everything set up and working except for the authorization piece. The existing application has <deny users="*" /> sitting at the root web.config, and each subfolder has its own web.config that allows access to the pages within for specific roles.


My new understanding is that this style of can't/shouldn't be used on Controllers, and I should be using Authorize attributes instead. I've decorated my test "HomeController" class with [Authorize(Roles="AdminRole")], but I get an "Access Denied" page when I attempt to view the page.


If I change the root web.config to say <allow users="*" />, the page works. Does this mean that the attribute I added to the controller is working, but the root web.config setting is taking precedence over it? I don't want to mess with our existing authorization stuff since the site is well established and I'm just trying to add MVC in to play with. Am I missing something? Thanks for any insight you can provide.


1 solution

#1


1  

Ah this is a bit tricky as you are trying to use MVC security in an app already using Web Forms. If this was pure mvc the choice is simple. If you can't pull the mvc features out into a separate app then this leaves you in a bit of a pickle.


My first recommendation would be to try to extract the code. If you are using MVC to only provide restful features maybe also check out MVC4 web api to provide an api for your app and share the components used between them which would require pulling them out of your web app into a Domain library or some other appropriately named library.


With that said, not 100% sure if the allow users="*" is working as expected, but I believe it is. It's easy enough to test, simply change Roles="AdminRole" to Roles="placeholder" and try again.


Setting this though kills the rest of your auth so one idea could be to put all mvc routes under a particular url, such as "/api/" and allow * in the web.config to that path and then use mvc's security on all of your controller methods. This would have low impact to your main web app.
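
The layout suggested in the answer above, written out as a root web.config. This is an added example, not part of the original question or answer. It assumes the MVC routes are mapped under the "api" prefix mentioned in the answer, and the <deny users="?" /> line is an addition beyond what the answer proposes.

```xml
<?xml version="1.0"?>
<!-- Root web.config (constructed sample). The existing application's
     authentication settings are omitted and stay as they are. -->
<configuration>
  <system.web>
    <!-- Existing site-wide default, unchanged: deny everyone here and let
         each subfolder's web.config re-open access for specific roles. -->
    <authorization>
      <deny users="*" />
    </authorization>
  </system.web>

  <!-- Override for URLs under /api only ("api" is the assumed route prefix).
       URL authorization builds one merged rule list with the rules nearest
       to the requested path at the head, and the first matching rule wins,
       so these rules are reached before the root deny. -->
  <location path="api">
    <system.web>
      <authorization>
        <!-- "?" means anonymous users. Keeping this line rejects
             unauthenticated requests at the URL layer and leaves only the
             role decision to MVC. Remove it only if some action under /api
             must be reachable without logging in. -->
        <deny users="?" />
        <!-- "*" means all users. This is the setting the answer proposes:
             roles are no longer checked here, so
             [Authorize(Roles="AdminRole")] on the controller decides. -->
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this in place the [Authorize(Roles=...)] attributes are the only role check under /api, so a controller added there without one is reachable by every authenticated user.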
