1. 首頁
  2. 問答
  3. 允許匿名訪問MVC4操作

允許匿名訪問MVC4操作

2013-02-06 146 views
2

我想允許匿名訪問我的網站的根。如果我向site.com/home發出請求,它允許匿名訪問。但是,如果我請求site.com/,我會看到一個登錄頁面。到目前爲止,我已經做了以下內容:允許匿名訪問MVC4操作

在web.config我授權爲所有用戶 「家」:

<location path="Home"> 
    <system.web> 
     <authorization> 
     <allow users="*" /> 
     </authorization> 
    </system.web> 
    </location>

在FilterConfig.cs添加以下AuthorizeAttribute:

public static void RegisterGlobalFilters(GlobalFilterCollection filters) 
    { 
     filters.Add(new HandleErrorAttribute()); 
     filters.Add(new System.Web.Mvc.AuthorizeAttribute()); 
    }

My Home Index控制器動作如下所示:

[AllowAnonymous] 
    public ActionResult Index() 
    { 
     return View(); 
    }

我的路線如下所示:

 routes.IgnoreRoute("{resource}.axd/{*pathInfo}"); 

     routes.MapRoute(
      name: "Zoom", 
      url: "zoom/{id}", 
      defaults: new { controller = "Zoom", action = "Index" } 
     ); 

     routes.MapRoute(
      name: "Default", 
      url: "{controller}/{action}/{id}", 
      defaults: new { controller = "Home", action = "Index", id = UrlParameter.Optional } 
     );

這是否完成了路線?我完全錯過了什麼嗎?

來源

2013-02-06 Alex

回答

1

你必須在屬性代碼中實現邏輯來過濾它。換句話說,您必須檢查並查看方法/類是否使用該屬性進行了註釋,如果是(或根據您的方案進行相應處理),則跳過授權。

下面是一個例子:

/// <summary> 
    /// This class is used to ensure that a user has been authenticated before allowing a given method 
    /// to be called. 
    /// </summary> 
    /// <remarks> 
    /// This class extends the <see cref="AuthorizeAttribute"/> class. 
    /// </remarks> 
    public sealed class LoginAuthorize : AuthorizeAttribute 
    { 
     /// <summary> 
     /// The logger used for logging. 
     /// </summary> 
     private static readonly ILog Logger = LogManager.GetLogger(typeof(LoginAuthorize)); 

     /// <summary> 
     /// Handles the authentication check to ensure user has been authenticated before allowing a method 
     /// to be called. 
     /// </summary> 
     /// <param name="filterContext">The authorization context object.</param> 
     public override void OnAuthorization(AuthorizationContext filterContext) 
     { 
      DateTime methodEntryTime = DateTime.Now; 
      Helper.LogMethodEntry(Logger, MethodBase.GetCurrentMethod(), filterContext); 

      try 
      { 
       // determine if the called method has the AllowAnonymousAttribute, which means we can skip 
       // authorization 
       bool skipAuthorization = filterContext.ActionDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true) 
       || filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true); 

       if (!skipAuthorization) 
       { 
        base.OnAuthorization(filterContext); 

        // make sure required session data is still present 
        if (string.IsNullOrWhiteSpace(filterContext.HttpContext.Session[Helper.ROLE_NAME] as string)) 
        { 
         HandleUnauthorizedRequest(filterContext); 
        } 
       } 

       Helper.LogMethodExit(Logger, MethodBase.GetCurrentMethod(), methodEntryTime); 
      } 
      catch (Exception e) 
      { 
       Helper.LogException(Logger, MethodBase.GetCurrentMethod(), e); 
       throw; 
      } 
     } 

     /// <summary> 
     /// Handles unauthorized requests. Redirects user to login page. 
     /// </summary> 
     /// <param name="filterContext">The authorization context object.</param> 
     protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext) 
     { 
      DateTime methodEntryTime = DateTime.Now; 
      Helper.LogMethodEntry(Logger, MethodBase.GetCurrentMethod(), filterContext); 

      try 
      { 
       base.HandleUnauthorizedRequest(filterContext); 

       // redirect user to login page 
       filterContext.Result = new RedirectResult("~/Login"); 

       Helper.LogMethodExit(Logger, MethodBase.GetCurrentMethod(), methodEntryTime); 
      } 
      catch (Exception e) 
      { 
       Helper.LogException(Logger, MethodBase.GetCurrentMethod(), e); 
       throw; 
      } 
     } 
    } 
}

然後,在Global.asax你想補充一點LoginAuthorize類,像這樣:

public static void RegisterGlobalFilters(GlobalFilterCollection filters) 
{ 
    filters.Add(new LoginAuthorize()); 
    filters.Add(new HandleErrorAttribute()); 
}

來源

2013-02-06 18:07:24 dcp

+0

嘗試了您的建議,但它沒有工作,除非我實施它不正確。如果它在我請求時發揮作用/ Home不是讓根請求發送到適當的控制器/操作的問題?當我去/家時,它顯示訪問是正確的,因爲它提供了正確的回報。 – Alex

+0

您是否在OnAuthorization方法中設置了休息以確保其正常工作?我知道這種方法可行,因爲我在我的一個生產應用程序中使用它。 – dcp

1

首先,你不應該使用授權與Web表單的方式web.config。先去掉那個。 其次,通過將Authorize屬性添加爲全局過濾器,您基本上將Authorize屬性應用於所有控制器和操作,這真的是您想要的嗎? 裝飾動作方法或完整的控制器更爲常見。如果控制器具有授權屬性,那麼您仍然可以通過添加AllowAnonymous屬性來允許操作方法的匿名訪問,就像您已經做過的一樣。

使用這種方法應該工作得很好,路線看起來不錯。

來源

2013-02-06 21:17:13 Hanno

相關問題

 相關問題