2016-08-31 176 views
1

We are trying to build a website that has a login screen, but we have a problem. Our domain is localhost/Login/User. But if a user goes to localhost/Home/Index, he/she can reach our main site without logging in. So we put [Authorize] on our Index controller, but I can't find what I have to use. Do I have to use AuthorizeAttribute in our project? MVC authentication controller

Login page

using System.Web.Mvc;

public class LoginController : Controller
{
    // GET: Login/Users
    // [IntranetAction] is the poster's own attribute; it is not part of ASP.NET MVC.
    [IntranetAction]
    public ActionResult Users()
    {
        return View();
    }

    public ActionResult Authentication(UserLoginInfo loginInfo)
    {
        bool isAuthenticated = new LdapServiceManager().isAuthenticated(loginInfo);

        if (isAuthenticated)
        {
            // AUTHORIZED
            // Note: this only stores a value in Session. It does not issue an
            // authentication ticket, so [Authorize] still treats the request as anonymous.
            Session["userName"] = loginInfo.username;
            return Redirect("/Home/Index");
        }
        // WRONG PASSWORD, BACK TO LOGIN PAGE
        // ("Yanlış kullanıcı adı ya da şifre" = "Wrong username or password")
        TempData["message"] = "Yanlış kullanıcı adı ya da şifre";
        return Redirect("/");
    }
}

Index page

[Authorize]
public ActionResult Index()
{
    Session["ip"] = Request.UserHostAddress;
    if (IsDbExists())
    {
        _contactList = new List<Contact>();
        UpdateOperations();
        return View(_contactList);
    }

    // Return a RedirectResult instead of calling Response.Redirect and returning null:
    // Response.Redirect ends the response by throwing ThreadAbortException in classic ASP.NET.
    return Redirect("/Loading/LoadingScreen");
}

Answer

1

To allow access to your LoginController/Authentication action, add the [AllowAnonymous] attribute. I would add another controller called AuthController that has the [AllowAnonymous] attribute, so that users can log in without actually being logged in.

I usually filter all controllers by default and add the [AllowAnonymous] attribute to those that should be accessible to anyone.

I used this to solve the problem.

using System.Web.Mvc;

namespace Test
{
    public class FilterConfig
    {
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            filters.Add(new HandleErrorAttribute());
            // Deny-by-default: every action requires an authenticated user
            // unless the controller or action carries [AllowAnonymous].
            filters.Add(new AuthorizeAttribute());
        }
    }
}

An example of the [AllowAnonymous] attribute on the AuthController.

using System.Security.Claims;
using System.Web;
using System.Web.Mvc;
using BusinessLogic.Services;
using Common.Models;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;

namespace Test.Controllers
{
    // Every action here is reachable without a ticket; the global AuthorizeAttribute
    // registered in FilterConfig is overridden for this controller only.
    [AllowAnonymous]
    public class AuthController : Controller
    {
        private readonly IUsersService _usersService;

        public AuthController(IUsersService usersService)
        {
            _usersService = usersService;
        }

        [HttpGet]
        public ActionResult LogIn()
        {
            return View();
        }

        [HttpPost]
        public ActionResult LogIn(LoginModel loginModel)
        {
            if (!ModelState.IsValid)
            {
                return View();
            }

            var isValid = _usersService.AuthenticateUser(loginModel);
            if (isValid)
            {
                // The authentication type must match the cookie middleware's
                // AuthenticationType, otherwise the ticket is never written as a cookie.
                var identity = new ClaimsIdentity(new[]
                {
                    new Claim(ClaimTypes.NameIdentifier, loginModel.Username),
                    new Claim(ClaimTypes.Name, loginModel.Username),
                }, DefaultAuthenticationTypes.ApplicationCookie);

                // Issues the authentication cookie; IsPersistent = false makes it a session cookie.
                Request.GetOwinContext().Authentication.SignIn(new AuthenticationProperties() { IsPersistent = false }, identity);

                return Redirect(GetRedirectUrl(loginModel.ReturnUrl));
            }

            // One generic message for both unknown user and wrong password,
            // so the form does not reveal which of the two failed.
            ModelState.AddModelError("", "Invalid credentials");
            return View();
        }

        public ActionResult LogOut()
        {
            var ctx = Request.GetOwinContext();
            var authManager = ctx.Authentication;

            // Same constant as at sign-in ("ApplicationCookie"), so the matching ticket is removed.
            authManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
            return RedirectToAction("index", "home");
        }

        private string GetRedirectUrl(string returnUrl)
        {
            // Url.IsLocalUrl rejects absolute and protocol-relative URLs (e.g. "//evil.example"),
            // which keeps the login page from being used as an open redirector.
            if (string.IsNullOrEmpty(returnUrl) || !Url.IsLocalUrl(returnUrl))
            {
                return Url.Action("index", "home");
            }
            return returnUrl;
        }
    }
}

References that may help you: http://benfoster.io/blog/aspnet-identity-stripped-bare-mvc-part-1

https://softwareengineering.stackexchange.com/questions/284380/is-formsauthentication-obsolete

Role-based access control (RBAC) vs. Claims-based access control (CBAC) in ASP.NET MVC

https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet
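The answer's FilterConfig and AuthController only work once two more pieces are wired up: the OWIN cookie middleware that turns the ClaimsIdentity from SignIn into a cookie and reads it back on later requests, and the Application_Start call that registers the global AuthorizeAttribute. The following is an added example of that wiring, written for this page and not part of the original question or answer. It assumes the Microsoft.Owin.Host.SystemWeb, Microsoft.Owin.Security.Cookies and Microsoft.AspNet.Identity.Core packages, the namespace "Test" from the answer's FilterConfig, the default MVC 5 template's RouteConfig, and a site served over HTTPS; the LoginModel shown here is a hypothetical definition of the class the AuthController binds to.

```csharp
// Added example, not code from the original post. Assumes Microsoft.Owin.Host.SystemWeb,
// Microsoft.Owin.Security.Cookies and Microsoft.AspNet.Identity.Core are installed.
using System;
using System.ComponentModel.DataAnnotations;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

[assembly: OwinStartup(typeof(Test.Startup))]

namespace Test
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                // Must equal the authentication type given to ClaimsIdentity in
                // AuthController.LogIn; a mismatch means SignIn never produces a cookie
                // and every request stays anonymous under the global AuthorizeAttribute.
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,

                // Where a 401 from AuthorizeAttribute is turned into a redirect. The middleware
                // appends ?ReturnUrl=<original path>, which LogIn(LoginModel) hands to
                // GetRedirectUrl, where Url.IsLocalUrl filters out off-site targets.
                LoginPath = new PathString("/Auth/LogIn"),

                // Cookie hardening: not readable from script, HTTPS only (assumes the site
                // is served over TLS), and a bounded lifetime that renews on activity.
                CookieHttpOnly = true,
                CookieSecure = CookieSecureOption.Always,
                ExpireTimeSpan = TimeSpan.FromMinutes(30),
                SlidingExpiration = true
            });
        }
    }

    public class MvcApplication : HttpApplication
    {
        protected void Application_Start()
        {
            AreaRegistration.RegisterAllAreas();
            // Registers HandleErrorAttribute and the deny-by-default AuthorizeAttribute
            // from the answer's FilterConfig.
            FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
            // RouteConfig is the default MVC 5 template's route registration (assumed here).
            RouteConfig.RegisterRoutes(RouteTable.Routes);
        }
    }
}

namespace Common.Models
{
    // Hypothetical definition of the model bound by AuthController.LogIn.
    // The [Required] attributes are what make the ModelState.IsValid check meaningful.
    public class LoginModel
    {
        [Required]
        public string Username { get; set; }

        [Required]
        [DataType(DataType.Password)]
        public string Password { get; set; }

        // Populated from the ?ReturnUrl query string added by the cookie middleware.
        public string ReturnUrl { get; set; }
    }
}
```

With this in place the flow from the question becomes: an anonymous request to /Home/Index is rejected by the global AuthorizeAttribute, the cookie middleware redirects to /Auth/LogIn?ReturnUrl=%2FHome%2FIndex, and after a successful SignIn the ticket cookie is sent on every later request, so Index no longer needs a Session["userName"] check of its own. The AuthController's POST LogIn action would still benefit from [ValidateAntiForgeryToken] together with @Html.AntiForgeryToken() in the login view; that view is not on this page, so it is left as a caveat rather than added to the code.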